GNU bug report logs - #27805
[PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788.


Package: guix-patches;

Reported by: Kei Kebreau <kei <at> openmailbox.org>

Date: Mon, 24 Jul 2017 18:33:01 UTC

Severity: normal

Tags: patch

Done: Kei Kebreau <kei <at> openmailbox.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#27805; Package guix-patches. (Mon, 24 Jul 2017 18:33:01 GMT)

Acknowledgement sent to Kei Kebreau <kei <at> openmailbox.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 24 Jul 2017 18:33:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kei <at> openmailbox.org>
To: guix-patches <at> gnu.org
Cc: Kei Kebreau <kei <at> openmailbox.org>
Subject: [PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788.
Date: Mon, 24 Jul 2017 14:31:44 -0400

* gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/databases.scm (perl-dbd-mysql)[source]: Use it.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/databases.scm                         |  3 +-
 .../patches/perl-dbd-mysql-CVE-2017-10788.patch    | 51 ++++++++++++++++++++++
 3 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 3eccc879b..4292d705c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -902,6 +902,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/pcre2-CVE-2017-8786.patch		\
   %D%/packages/patches/perl-file-path-CVE-2017-6512.patch	\
   %D%/packages/patches/perl-autosplit-default-time.patch	\
+  %D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch	\
   %D%/packages/patches/perl-deterministic-ordering.patch	\
   %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
   %D%/packages/patches/perl-gd-options-passthrough-and-fontconfig.patch \
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index ee340505e..7e62452ea 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1015,7 +1015,8 @@ columns, primary keys, unique constraints and relationships.")
                            "DBD-mysql-" version ".tar.gz"))
        (sha256
         (base32
-         "16bg7l28n65ngi1abjxvwk906a80i2vd5vzjn812dx8phdg8d7v2"))))
+         "16bg7l28n65ngi1abjxvwk906a80i2vd5vzjn812dx8phdg8d7v2"))
+       (patches (search-patches "perl-dbd-mysql-CVE-2017-10788.patch"))))
     (build-system perl-build-system)
     ;; Tests require running MySQL server
     (arguments `(#:tests? #f))
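Review bot: With '#:tests? #f' still set in the context lines right below the new 'patches' field, the build only shows that perl-dbd-mysql-CVE-2017-10788.patch applies and compiles; nothing run at build time exercises the statement-close path it changes. A short comment next to '(patches ...)' saying where the patch comes from and how it was checked would help whoever next updates the package decide whether it can be dropped.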
diff --git a/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
new file mode 100644
index 000000000..344f2d803
--- /dev/null
+++ b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
@@ -0,0 +1,51 @@
+From 9ce10cfae7138c37c3a0cb2ba2a1d682482943d0 Mon Sep 17 00:00:00 2001
+From: Pali <pali <at> cpan.org>
+Date: Sun, 25 Jun 2017 10:07:39 +0200
+Subject: [PATCH] Fix use-after-free after calling mysql_stmt_close()
+
+Ignore return value from mysql_stmt_close() and also its error message
+because it points to freed memory after mysql_stmt_close() was called.
+---
+ dbdimp.c |    8 ++------
+ mysql.xs |    7 ++-----
+ 2 files changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/dbdimp.c b/dbdimp.c
+index c60a5f6..a6410e5 100644
+--- a/dbdimp.c
++++ b/dbdimp.c
+@@ -4894,12 +4894,8 @@ void dbd_st_destroy(SV *sth, imp_sth_t *imp_sth) {
+
+   if (imp_sth->stmt)
+   {
+-    if (mysql_stmt_close(imp_sth->stmt))
+-    {
+-      do_error(DBIc_PARENT_H(imp_sth), mysql_stmt_errno(imp_sth->stmt),
+-          mysql_stmt_error(imp_sth->stmt),
+-          mysql_stmt_sqlstate(imp_sth->stmt));
+-    }
++    mysql_stmt_close(imp_sth->stmt);
++    imp_sth->stmt= NULL;
+   }
+ #endif
+
+diff --git a/mysql.xs b/mysql.xs
+index 55376e1..affde59 100644
+--- a/mysql.xs
++++ b/mysql.xs
+@@ -434,11 +434,8 @@ do(dbh, statement, attr=Nullsv, ...)
+       if (bind)
+         Safefree(bind);
+
+-      if(mysql_stmt_close(stmt))
+-      {
+-        fprintf(stderr, "\n failed while closing the statement");
+-        fprintf(stderr, "\n %s", mysql_stmt_error(stmt));
+-      }
++      mysql_stmt_close(stmt);
++      stmt= NULL;
+
+       if (retval == -2) /* -2 means error */
+       {
+--
+1.7.9.5
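Review bot: In the dbdimp.c part, removing the do_error() call means a failed mysql_stmt_close() in dbd_st_destroy() is no longer reported on the parent handle, and the mysql.xs part likewise drops the stderr message, so close failures become silent. That is the safe direction, since the old code read mysql_stmt_errno(), mysql_stmt_error() and mysql_stmt_sqlstate() from a statement that the commit message says is already freed, but if the error is still wanted it has to come from something that outlives the statement, not from imp_sth->stmt or stmt. The new file also starts directly at the upstream commit header; a few lines at the top naming CVE-2017-10788 and where the patch was taken from would make it easier to audit.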
-- 
2.13.3





Information forwarded to guix-patches <at> gnu.org:
bug#27805; Package guix-patches. (Mon, 24 Jul 2017 19:19:01 GMT)

Message #8 received at 27805 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Kei Kebreau <kei <at> openmailbox.org>
Cc: 27805 <at> debbugs.gnu.org
Subject: Re: [bug#27805] [PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788.
Date: Mon, 24 Jul 2017 15:17:45 -0400

On Mon, Jul 24, 2017 at 02:31:44PM -0400, Kei Kebreau wrote:
> * gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/databases.scm (perl-dbd-mysql)[source]: Use it.

Thanks!

> diff --git a/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
> new file mode 100644
> index 000000000..344f2d803
> --- /dev/null
> +++ b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
> @@ -0,0 +1,51 @@
> +From 9ce10cfae7138c37c3a0cb2ba2a1d682482943d0 Mon Sep 17 00:00:00 2001
> +From: Pali <pali <at> cpan.org>
> +Date: Sun, 25 Jun 2017 10:07:39 +0200
> +Subject: [PATCH] Fix use-after-free after calling mysql_stmt_close()
> +
> +Ignore return value from mysql_stmt_close() and also its error message
> +because it points to freed memory after mysql_stmt_close() was called.

Can you add a link to the MITRE page for this CVE (and any other pages
you think are relevant) and to the source of this patch?

Check 'gnu/packages/patches/wget-CVE-2017-6508.patch' for an example if
you are unsure.

There is also CVE-2017-10789. I'm not sure if there is a fix merged
upstream yet:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10789

Information forwarded to guix-patches <at> gnu.org:
bug#27805; Package guix-patches. (Mon, 24 Jul 2017 22:09:02 GMT)

Message #11 received at 27805 <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kei <at> openmailbox.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27805 <at> debbugs.gnu.org
Subject: Re: [bug#27805] [PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788.
Date: Mon, 24 Jul 2017 18:07:25 -0400

Leo Famulari <leo <at> famulari.name> writes:

> On Mon, Jul 24, 2017 at 02:31:44PM -0400, Kei Kebreau wrote:
>> * gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it.
>> * gnu/packages/databases.scm (perl-dbd-mysql)[source]: Use it.
>
> Thanks!
>
>> diff --git
>> a/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
>> b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
>> new file mode 100644
>> index 000000000..344f2d803
>> --- /dev/null
>> +++ b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
>> @@ -0,0 +1,51 @@
>> +From 9ce10cfae7138c37c3a0cb2ba2a1d682482943d0 Mon Sep 17 00:00:00 2001
>> +From: Pali <pali <at> cpan.org>
>> +Date: Sun, 25 Jun 2017 10:07:39 +0200
>> +Subject: [PATCH] Fix use-after-free after calling mysql_stmt_close()
>> +
>> +Ignore return value from mysql_stmt_close() and also its error message
>> +because it points to freed memory after mysql_stmt_close() was called.
>
> Can you add a link to the MITRE page for this CVE (and any other pages
> you think are relevant) and to the source of this patch?
>

Done! FYI, this patch is tentative (i.e. not merged upstream as of
yet). It seems to do the right thing, but I'm not quite sure, as I'm not
an experienced C programmer, nor am I a user of this package.

> Check 'gnu/packages/patches/wget-CVE-2017-6508.patch' for an example if
> you are unsure.
>
> There is also CVE-2017-10789. I'm not sure if there is a fix merged
> upstream yet:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10789

There was a fix that was merged and later reverted in the latest
version, 4.043.

How does the attached patch look?
[0001-gnu-perl-dbd-mysql-Fix-CVE-2017-10788.patch (text/plain, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#27805; Package guix-patches. (Tue, 25 Jul 2017 18:01:02 GMT)

Message #14 received at 27805 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Kei Kebreau <kei <at> openmailbox.org>
Cc: 27805 <at> debbugs.gnu.org
Subject: Re: [bug#27805] [PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788.
Date: Tue, 25 Jul 2017 14:00:03 -0400

On Mon, Jul 24, 2017 at 06:07:25PM -0400, Kei Kebreau wrote:
> Done! FYI, this patch is tentative (i.e. not merged upstream as of
> yet). It seems to do the right thing, but I'm not quite sure, as I'm not
> an experienced C programmer, nor am I a user of this package.

I'm not an expert but, I agree, it seems to do the right thing.

> > Check 'gnu/packages/patches/wget-CVE-2017-6508.patch' for an example if
> > you are unsure.
> >
> > There is also CVE-2017-10789. I'm not sure if there is a fix merged
> > upstream yet:
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10789

Okay, let's wait on that one. Can you try to keep track of it?

> How does the attached patch look?

> From d067457fcc87a0353dfdf6c8bfbe4f2bbdb90bb9 Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei <at> openmailbox.org>
> Date: Mon, 24 Jul 2017 13:51:50 -0400
> Subject: [PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788.
> 
> * gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/databases.scm (perl-dbd-mysql)[source]: Use it.

Please push!

Reply sent to Kei Kebreau <kei <at> openmailbox.org>:
You have taken responsibility. (Tue, 25 Jul 2017 18:14:01 GMT)

Notification sent to Kei Kebreau <kei <at> openmailbox.org>:
bug acknowledged by developer. (Tue, 25 Jul 2017 18:14:02 GMT)

Message #19 received at 27805-done <at> debbugs.gnu.org (full text, mbox):

From: Kei Kebreau <kei <at> openmailbox.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27805-done <at> debbugs.gnu.org
Subject: Re: [bug#27805] [PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788.
Date: Tue, 25 Jul 2017 14:13:04 -0400

Leo Famulari <leo <at> famulari.name> writes:

> On Mon, Jul 24, 2017 at 06:07:25PM -0400, Kei Kebreau wrote:
>> Done! FYI, this patch is tentative (i.e. not merged upstream as of
>> yet). It seems to do the right thing, but I'm not quite sure, as I'm not
>> an experienced C programmer, nor am I a user of this package.
>
> I'm not an expert but, I agree, it seems to do the right thing.
>
>> > Check 'gnu/packages/patches/wget-CVE-2017-6508.patch' for an example if
>> > you are unsure.
>> >
>> > There is also CVE-2017-10789. I'm not sure if there is a fix merged
>> > upstream yet:
>> >
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10789
>
> Okay, let's wait on that one. Can you try to keep track of it?
>

Will do!

>> How does the attached patch look?
>
>> From d067457fcc87a0353dfdf6c8bfbe4f2bbdb90bb9 Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau <kei <at> openmailbox.org>
>> Date: Mon, 24 Jul 2017 13:51:50 -0400
>> Subject: [PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788.
>> 
>> * gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it.
>> * gnu/packages/databases.scm (perl-dbd-mysql)[source]: Use it.
>
> Please push!

Pushed to master! Thank you for reviewing.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 23 Aug 2017 11:24:03 GMT)
