From d067457fcc87a0353dfdf6c8bfbe4f2bbdb90bb9 Mon Sep 17 00:00:00 2001 From: Kei Kebreau Date: Mon, 24 Jul 2017 13:51:50 -0400 Subject: [PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788. * gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/databases.scm (perl-dbd-mysql)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/databases.scm | 3 +- .../patches/perl-dbd-mysql-CVE-2017-10788.patch | 62 ++++++++++++++++++++++ 3 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch diff --git a/gnu/local.mk b/gnu/local.mk index 3eccc879b..4292d705c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -902,6 +902,7 @@ dist_patch_DATA = \ %D%/packages/patches/pcre2-CVE-2017-8786.patch \ %D%/packages/patches/perl-file-path-CVE-2017-6512.patch \ %D%/packages/patches/perl-autosplit-default-time.patch \ + %D%/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch \ %D%/packages/patches/perl-deterministic-ordering.patch \ %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \ %D%/packages/patches/perl-gd-options-passthrough-and-fontconfig.patch \ diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index ee340505e..7e62452ea 100644 --- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm @@ -1015,7 +1015,8 @@ columns, primary keys, unique constraints and relationships.") "DBD-mysql-" version ".tar.gz")) (sha256 (base32 - "16bg7l28n65ngi1abjxvwk906a80i2vd5vzjn812dx8phdg8d7v2")))) + "16bg7l28n65ngi1abjxvwk906a80i2vd5vzjn812dx8phdg8d7v2")) + (patches (search-patches "perl-dbd-mysql-CVE-2017-10788.patch")))) (build-system perl-build-system) ;; Tests require running MySQL server (arguments `(#:tests? #f)) diff --git a/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch new file mode 100644 index 000000000..74613cb63 --- /dev/null +++ b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch @@ -0,0 +1,62 @@ +Fix CVE-2017-10788: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10788 + +Patch written to match corrected documentation specifications: + +Old: http://web.archive.org/web/20161220021610/https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html +New: https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html + +The patch itself is from https://github.com/perl5-dbi/DBD-mysql/issues/120#issuecomment-312420660. + +From 9ce10cfae7138c37c3a0cb2ba2a1d682482943d0 Mon Sep 17 00:00:00 2001 +From: Pali +Date: Sun, 25 Jun 2017 10:07:39 +0200 +Subject: [PATCH] Fix use-after-free after calling mysql_stmt_close() + +Ignore return value from mysql_stmt_close() and also its error message +because it points to freed memory after mysql_stmt_close() was called. +--- + dbdimp.c | 8 ++------ + mysql.xs | 7 ++----- + 2 files changed, 4 insertions(+), 11 deletions(-) + +diff --git a/dbdimp.c b/dbdimp.c +index c60a5f6..a6410e5 100644 +--- a/dbdimp.c ++++ b/dbdimp.c +@@ -4894,12 +4894,8 @@ void dbd_st_destroy(SV *sth, imp_sth_t *imp_sth) { + + if (imp_sth->stmt) + { +- if (mysql_stmt_close(imp_sth->stmt)) +- { +- do_error(DBIc_PARENT_H(imp_sth), mysql_stmt_errno(imp_sth->stmt), +- mysql_stmt_error(imp_sth->stmt), +- mysql_stmt_sqlstate(imp_sth->stmt)); +- } ++ mysql_stmt_close(imp_sth->stmt); ++ imp_sth->stmt= NULL; + } + #endif + +diff --git a/mysql.xs b/mysql.xs +index 55376e1..affde59 100644 +--- a/mysql.xs ++++ b/mysql.xs +@@ -434,11 +434,8 @@ do(dbh, statement, attr=Nullsv, ...) + if (bind) + Safefree(bind); + +- if(mysql_stmt_close(stmt)) +- { +- fprintf(stderr, "\n failed while closing the statement"); +- fprintf(stderr, "\n %s", mysql_stmt_error(stmt)); +- } ++ mysql_stmt_close(stmt); ++ stmt= NULL; + + if (retval == -2) /* -2 means error */ + { +-- +1.7.9.5 -- 2.13.3