
Debian Bug report logs - #866821
libdbd-mysql-perl: CVE-2017-10789


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 2 Jul 2017 07:33:05 UTC

Severity: important

Tags: security, upstream

Found in versions libdbd-mysql-perl/4.021-1, libdbd-mysql-perl/4.028-2

Fixed in version libdbd-mysql-perl/4.046-1

Done: gregor herrmann <gregoa@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/perl5-dbi/DBD-mysql/issues/140



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866821; Package src:libdbd-mysql-perl. (Sun, 02 Jul 2017 07:33:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 02 Jul 2017 07:33:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libdbd-mysql-perl: CVE-2017-10789
Date: Sun, 02 Jul 2017 09:26:07 +0200
Source: libdbd-mysql-perl
Version: 4.028-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libdbd-mysql-perl.

CVE-2017-10789[0]:
| The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1
| setting to mean that SSL is optional (even though this setting's
| documentation has a "your communication with the server will be
| encrypted" statement), which allows man-in-the-middle attackers to
| spoof servers via a cleartext-downgrade attack, a related issue to
| CVE-2015-3152.

Related upstream report handling this as a subtask at [1] and
respective pull request with fixes for the issues discussed in [1] at
[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10789
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10789
[1] https://github.com/perl5-dbi/DBD-mysql/issues/110
[2] https://github.com/perl5-dbi/DBD-mysql/pull/114

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866821; Package src:libdbd-mysql-perl. (Mon, 28 Aug 2017 12:57:06 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 28 Aug 2017 12:57:06 GMT)


Message #10 received at 866821@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 866821@bugs.debian.org
Subject: Re: Bug#866821: libdbd-mysql-perl: CVE-2017-10789
Date: Mon, 28 Aug 2017 14:53:12 +0200
Hi,
On Sun, Jul 02, 2017 at 09:26:07AM +0200, Salvatore Bonaccorso wrote:
> Source: libdbd-mysql-perl
> Version: 4.028-2
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for libdbd-mysql-perl.
> 
> CVE-2017-10789[0]:
> | The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1
> | setting to mean that SSL is optional (even though this setting's
> | documentation has a "your communication with the server will be
> | encrypted" statement), which allows man-in-the-middle attackers to
> | spoof servers via a cleartext-downgrade attack, a related issue to
> | CVE-2015-3152.
> 
> Related upstream report handling this as a subtask at [1] and
> respective pull request with fixes for the issues discussed in [1] at
> [2].
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10789
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10789
> [1] https://github.com/perl5-dbi/DBD-mysql/issues/110
> [2] https://github.com/perl5-dbi/DBD-mysql/pull/114

While a patch for this was upstream in 4.042 (around
b6be72f321e920419bdc5c86998d9b9cb26c6791), upstream reverted _all_
changes back to 4.041.



Marked as found in versions libdbd-mysql-perl/4.021-1. Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Mon, 28 Aug 2017 13:03:13 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#866821; Package src:libdbd-mysql-perl. (Wed, 30 Aug 2017 19:33:02 GMT)


Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 30 Aug 2017 19:33:02 GMT)


Message #17 received at 866821@bugs.debian.org:

From: Antoine Beaupre <anarcat@orangeseeds.org>
To: Guido Günther <agx@sigxcpu.org>, 866821@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#866821: libdbd-mysql-perl: CVE-2017-10789
Date: Wed, 30 Aug 2017 15:29:10 -0400
On Mon, Aug 28, 2017 at 02:53:12PM +0200, Guido Günther wrote:
> While a patch for this was upstream in 4.042 (around
> b6be72f321e920419bdc5c86998d9b9cb26c6791), upstream reverted _all_
> changes back to 4.041.

That's right, like #866818...

I've backported the patch to wheezy, but this is horribly mined
territory. MySQL SSL support is catastrophic at best, which makes this
very hard to test. The patch I'm uploading to wheezy features a test
suite which requires a running MySQL configured (or not!) with SSL
(depending on the test!!). The best result I could achieve, with SSL
configured, is:

t/92ssl_backronym_vulnerability.t .. skipped: Server supports SSL connections, cannot test false-positive enforcement
t/92ssl_connection.t ............... 1/4 
#   Failed test 'SSL connection was established'
#   at t/92ssl_connection.t line 21.

#   Failed test 'DBD::mysql supports mysql_ssl=1 without mysql_ssl_optional=1 and fail because cannot enforce SSL encryption'
#   at t/92ssl_connection.t line 28.
#          got: 'SSL connection error: Client is not configured to use SSL'
#     expected: 'SSL connection error: Enforcing SSL encryption is not supported'
# Error message: SSL connection error: Client is not configured to use SSL
# Looks like you failed 2 tests of 4.
t/92ssl_connection.t ............... Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/4 subtests 
t/92ssl_optional.t ................. skipped: Server supports SSL connections, cannot test fallback to plain text
t/92ssl_riddle_vulnerability.t ..... skipped: Server supports SSL connections, cannot test false-positive enforcement

I could not figure out how to fix that error: I suspect it's because the
test suite assumes the server has a real certificate anchored in the
system trust chain. I created a self-signed test certificate (and not the
snakeoil one, which fails to load completely for obscure MySQL-ish
reasons), which failed to pass that test. I comforted mysql in thinking
this worked by using the commandline (which uses libdbd-mysql-perl!):

# mysql --ssl-mode=REQUIRED --ssl-ca=/var/lib/mysql/newcerts/ca.pem 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 37
Server version: 5.5.57-0+deb7u1 (Debian)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.5.57, for debian-linux-gnu (x86_64) using readline 6.2

Connection id:		37
Current database:	
Current user:		root@localhost
SSL:			Cipher in use is DHE-RSA-AES256-SHA
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server version:		5.5.57-0+deb7u1 (Debian)
Protocol version:	10
Connection:		Localhost via UNIX socket
Server characterset:	latin1
Db     characterset:	latin1
Client characterset:	utf8
Conn.  characterset:	utf8
UNIX socket:		/var/run/mysqld/mysqld.sock
Uptime:			5 sec

Threads: 1  Questions: 111  Slow queries: 0  Opens: 48  Flush tables: 1  Open tables: 41  Queries per second avg: 22.200
--------------

With SSL *not* configured, the backronym and riddle tests pass, but then
the other is skipped, obviously:

t/92ssl_backronym_vulnerability.t .. ok   
t/92ssl_connection.t ............... skipped: Server does not support SSL connections
t/92ssl_optional.t ................. ok   
t/92ssl_riddle_vulnerability.t ..... ok   
All tests successful.
Files=44, Tests=900,  3 wallclock secs ( 0.22 usr  0.06 sys +  1.54 cusr  0.25 csys =  2.07 CPU)
Result: PASS

Make sure you run the test suite in a built tree, or at least by passing
"--ssl" to the makefile, otherwise you will be in a world of hurt.

Otherwise this should be fixed shortly in a LTS upload.

A.
-- 
Premature optimization is the root of all evil
                        - Donald Knuth
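The CVE text above describes mysql_ssl=1 silently allowing a cleartext session, and the test output shows the fixed module refusing to connect unless mysql_ssl_optional=1 is set. The script below is an added example, not code from this bug report or from DBD::mysql, for checking from the application side that a DBI connection really negotiated TLS: it asks the server for the session's Ssl_cipher status variable after connecting, which is empty when the connection was downgraded. The host, database, credentials and CA path are placeholders to replace.

```perl
#!/usr/bin/perl
# Added example: verify that a DBD::mysql connection opened with
# mysql_ssl=1 is actually encrypted. On DBD::mysql <= 4.041 the
# connect can silently succeed in cleartext; this check catches that.
use strict;
use warnings;
use DBI;

# Placeholder connection parameters (assumptions, not from the report).
my $host = 'db.example.invalid';
my $db   = 'testdb';
my ($user, $pass) = ('app', 'secret');
my $ca   = '/etc/mysql/ca.pem';   # CA that issued the server certificate

# mysql_ssl=1 requests TLS; mysql_ssl_ca_file lets the client verify
# the server certificate instead of accepting any cipher-only session.
my $dsn = "DBI:mysql:database=$db;host=$host"
        . ";mysql_ssl=1"
        . ";mysql_ssl_ca_file=$ca";

my $dbh = DBI->connect($dsn, $user, $pass,
                       { RaiseError => 1, PrintError => 0 });

# Independent check: SHOW STATUS reports the cipher negotiated for this
# session. An empty value means the server is talking to us in cleartext.
my ($name, $cipher) = $dbh->selectrow_array("SHOW STATUS LIKE 'Ssl_cipher'");
if (!defined $cipher || $cipher eq '') {
    $dbh->disconnect;
    die "Connection to $host is NOT encrypted: mysql_ssl=1 was not enforced\n";
}

print "TLS in use with cipher $cipher\n";
$dbh->disconnect;
```

With 4.046 (the fixed Debian version) the connect itself dies when encryption cannot be enforced unless mysql_ssl_optional=1 is passed, so the status check is the belt to that braces on older releases.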

Set Bug forwarded-to-address to 'https://github.com/perl5-dbi/DBD-mysql/issues/140'. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Mon, 12 Feb 2018 18:21:03 GMT)


Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Sat, 17 Feb 2018 23:09:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Feb 2018 23:09:10 GMT)


Message #24 received at 866821-close@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 866821-close@bugs.debian.org
Subject: Bug#866821: fixed in libdbd-mysql-perl 4.046-1
Date: Sat, 17 Feb 2018 23:04:51 +0000
Source: libdbd-mysql-perl
Source-Version: 4.046-1

We believe that the bug you reported is fixed in the latest version of
libdbd-mysql-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libdbd-mysql-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 17 Feb 2018 23:38:47 +0100
Source: libdbd-mysql-perl
Binary: libdbd-mysql-perl
Architecture: source
Version: 4.046-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Closes: 856250 866818 866821
Description: 
 libdbd-mysql-perl - Perl5 database interface to the MariaDB/MySQL database
Changes:
 libdbd-mysql-perl (4.046-1) unstable; urgency=medium
 .
   [ Alex Muntada ]
   * Remove inactive pkg-perl members from Uploaders.
 .
   [ Xavier Guimard ]
   * New upstream version
     Fixes:
     - "Regression for zerofill columns" (Closes: #856250)
     - "CVE-2017-10788: Use-after-free when calling mysql_stmt_error() after
       mysql_stmt_close()" (Closes: #866818)
     - "CVE-2017-10789: possible MITM attack when mysql_ssl=1" (Closes: #866821)
   * Bump Standards-Version to 4.1.3
   * Update regression-fix-float_type_conversion.patch
 .
   [ gregor herrmann ]
   * Update debian/upstream/metadata.
   * Bump debhelper compatibility level to 10.
   * Rename debian/source.lintian-overrides to debian/source/lintian-
     overrides. Thanks to lintian.
   * debian/control: drop "Testsuite: autopkgtest" as we have a
     debian/tests/control file. Thanks to lintian.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 24 Mar 2018 07:28:39 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:15:29 2019; Machine Name: buxtehude
