[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#27805] [PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788.

From: Kei Kebreau
Subject: [bug#27805] [PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788.
Date: Mon, 24 Jul 2017 18:07:25 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Leo Famulari <address@hidden> writes:

> On Mon, Jul 24, 2017 at 02:31:44PM -0400, Kei Kebreau wrote:
>> * gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch: New file.
>> * gnu/ (dist_patch_DATA): Add it.
>> * gnu/packages/databases.scm (perl-dbd-mysql)[source]: Use it.
> Thanks!
>> diff --git
>> a/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
>> b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
>> new file mode 100644
>> index 000000000..344f2d803
>> --- /dev/null
>> +++ b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
>> @@ -0,0 +1,51 @@
>> +From 9ce10cfae7138c37c3a0cb2ba2a1d682482943d0 Mon Sep 17 00:00:00 2001
>> +From: Pali <address@hidden>
>> +Date: Sun, 25 Jun 2017 10:07:39 +0200
>> +Subject: [PATCH] Fix use-after-free after calling mysql_stmt_close()
>> +
>> +Ignore return value from mysql_stmt_close() and also its error message
>> +because it points to freed memory after mysql_stmt_close() was called.
> Can you add a link to the MITRE page for this CVE (and any other pages
> you think are relevant) and to the source of this patch?

Done! FYI, this patch is tentative (i.e. not merged upstream as of
yet). It seems to do the right thing, but I'm not quite sure, as I'm not
an experienced C programmer, nor am I a user of this package.

> Check 'gnu/packages/patches/wget-CVE-2017-6508.patch' for an example if
> you are unsure.
> There is also CVE-2017-10789. I'm not sure if there is a fix merged
> upstream yet:

There was a fix that was merged and later reverted in the latest
version, 4.043.

How does the attached patch look?

Attachment: 0001-gnu-perl-dbd-mysql-Fix-CVE-2017-10788.patch
Description: Text document

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]