Hello community,

here is the log from the commit of package perl-DBD-mysql for openSUSE:Factory 
checked in at 2016-11-29 12:50:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-DBD-mysql (Old)
 and      /work/SRC/openSUSE:Factory/.perl-DBD-mysql.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-DBD-mysql"

Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-DBD-mysql/perl-DBD-mysql.changes    
2016-11-22 18:59:00.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.perl-DBD-mysql.new/perl-DBD-mysql.changes       
2016-11-29 12:50:09.000000000 +0100
@@ -1,0 +2,27 @@
+Tue Nov 29 06:18:42 UTC 2016 - [email protected]
+
+- updated to 4.041
+   see /usr/share/doc/packages/perl-DBD-mysql/Changes
+
+  2016-11-28 Patrick Galbraith, Michiel Beijen, DBI/DBD community (4.041)
+  * Fix use-after-free for repeated fetchrow_arrayref calls when
+    mysql_server_prepare=1
+  
+    Function dbd_st_fetch() via Renew() can reallocate output buffer for
+    mysql_stmt_fetch() call. But it does not update pointer to that buffer in
+    imp_sth->stmt structure initialized by mysql_stmt_bind_result() function.
+    That leads to use-after-free in any mysql function which access
+    imp_sth->stmt structure (e.g. mysql_stmt_fetch()).
+  
+    This patch fix this problem and properly updates pointer in imp_sth->stmt
+    structure after Renew() call.
+    This is a medium level security issue to which the Debian security team
+    assigned identifier CVE-2016-1251. Discovered and fixed by Pali Rohár.
+  
+  * auto_reconnect now also matches  CR_SERVER_LOST, previously this only
+    matched CR_SERVER_GONE.
+    Fixes http://bugs.mysql.com/bug.php?id=27613
+    Fix suggested by Wouter de Jong.
+  * Fix compilation fixes (Pali Rohár).
+
+-------------------------------------------------------------------

Old:
----
  DBD-mysql-4.040.tar.gz

New:
----
  DBD-mysql-4.041.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-DBD-mysql.spec ++++++
--- /var/tmp/diff_new_pack.E0WUXb/_old  2016-11-29 12:50:10.000000000 +0100
+++ /var/tmp/diff_new_pack.E0WUXb/_new  2016-11-29 12:50:10.000000000 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           perl-DBD-mysql
-Version:        4.040
+Version:        4.041
 Release:        0
 %define cpan_name DBD-mysql
 Summary:        MySQL driver for the Perl5 Database Interface (DBI)

++++++ DBD-mysql-4.040.tar.gz -> DBD-mysql-4.041.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/DBD-mysql-4.040/Changes new/DBD-mysql-4.041/Changes
--- old/DBD-mysql-4.040/Changes 2016-11-19 20:55:08.000000000 +0100
+++ new/DBD-mysql-4.041/Changes 2016-11-28 21:19:51.000000000 +0100
@@ -1,3 +1,24 @@
+2016-11-28 Patrick Galbraith, Michiel Beijen, DBI/DBD community (4.041)
+* Fix use-after-free for repeated fetchrow_arrayref calls when
+  mysql_server_prepare=1
+
+  Function dbd_st_fetch() via Renew() can reallocate output buffer for
+  mysql_stmt_fetch() call. But it does not update pointer to that buffer in
+  imp_sth->stmt structure initialized by mysql_stmt_bind_result() function.
+  That leads to use-after-free in any mysql function which access
+  imp_sth->stmt structure (e.g. mysql_stmt_fetch()).
+
+  This patch fix this problem and properly updates pointer in imp_sth->stmt
+  structure after Renew() call.
+  This is a medium level security issue to which the Debian security team
+  assigned identifier CVE-2016-1251. Discovered and fixed by Pali Rohár.
+
+* auto_reconnect now also matches  CR_SERVER_LOST, previously this only
+  matched CR_SERVER_GONE.
+  Fixes http://bugs.mysql.com/bug.php?id=27613
+  Fix suggested by Wouter de Jong.
+* Fix compilation fixes (Pali Rohár).
+
 2016-11-19 Patrick Galbraith, Michiel Beijen, DBI/DBD community (4.040)
 * Since 4.038 we had problems compiling on big-endian architectures, such
   as MIPS, s390 and Sparc. Thanks to Salvatore Bonaccorso @ Debian project
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/DBD-mysql-4.040/META.json 
new/DBD-mysql-4.041/META.json
--- old/DBD-mysql-4.040/META.json       2016-11-19 20:55:49.000000000 +0100
+++ new/DBD-mysql-4.041/META.json       2016-11-28 21:39:20.000000000 +0100
@@ -57,7 +57,7 @@
       "x_IRC" : "irc://irc.perl.org/#dbi",
       "x_MailingList" : "mailto:[email protected]";
    },
-   "version" : "4.040",
+   "version" : "4.041",
    "x_contributors" : [
       "Alexandr Ciornii <[email protected]>",
       "Alexey Molchanov <[email protected]>",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/DBD-mysql-4.040/META.yml new/DBD-mysql-4.041/META.yml
--- old/DBD-mysql-4.040/META.yml        2016-11-19 20:55:49.000000000 +0100
+++ new/DBD-mysql-4.041/META.yml        2016-11-28 21:39:20.000000000 +0100
@@ -30,7 +30,7 @@
   homepage: http://dbi.perl.org/
   license: http://dev.perl.org/licenses/
   repository: https://github.com/perl5-dbi/DBD-mysql
-version: '4.040'
+version: '4.041'
 x_contributors:
   - 'Alexandr Ciornii <[email protected]>'
   - 'Alexey Molchanov <[email protected]>'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/DBD-mysql-4.040/dbdimp.c new/DBD-mysql-4.041/dbdimp.c
--- old/DBD-mysql-4.040/dbdimp.c        2016-11-19 20:55:08.000000000 +0100
+++ new/DBD-mysql-4.041/dbdimp.c        2016-11-28 21:16:27.000000000 +0100
@@ -1426,6 +1426,7 @@
 {
     dTHX;
     DBISTATE_INIT;
+    PERL_UNUSED_ARG(dbistate);
 }
 
 
@@ -1448,7 +1449,6 @@
 {
   dTHX;
   D_imp_xxh(h);
-  STRLEN lna;
   SV *errstr;
   SV *errstate;
 
@@ -1469,7 +1469,7 @@
   /* NO EFFECT DBIh_EVENT2(h, ERROR_event, DBIc_ERR(imp_xxh), errstr); */
   if (DBIc_TRACE_LEVEL(imp_xxh) >= 2)
     PerlIO_printf(DBIc_LOGPIO(imp_xxh), "%s error %d recorded: %s\n",
-    what, rc, SvPV(errstr,lna));
+    what, rc, SvPV_nolen(errstr));
   if (DBIc_TRACE_LEVEL(imp_xxh) >= 2)
     PerlIO_printf(DBIc_LOGPIO(imp_xxh), "\t\t<-- do_error\n");
 }
@@ -1481,7 +1481,6 @@
 {
   dTHX;
   D_imp_xxh(h);
-  STRLEN lna;
 
   SV *errstr = DBIc_ERRSTR(imp_xxh);
   sv_setiv(DBIc_ERR(imp_xxh), (IV)rc); /* set err early        */
@@ -1489,7 +1488,7 @@
   /* NO EFFECT DBIh_EVENT2(h, WARN_event, DBIc_ERR(imp_xxh), errstr);*/
   if (DBIc_TRACE_LEVEL(imp_xxh) >= 2)
     PerlIO_printf(DBIc_LOGPIO(imp_xxh), "%s warning %d recorded: %s\n",
-    what, rc, SvPV(errstr,lna));
+    what, rc, SvPV_nolen(errstr));
   warn("%s", what);
 }
 
@@ -2302,7 +2301,11 @@
   dTHR;
 #endif
   dTHX;
+#if defined(DBD_MYSQL_EMBEDDED)
   D_imp_xxh(drh);
+#else
+  PERL_UNUSED_ARG(drh);
+#endif
 
 #if defined(DBD_MYSQL_EMBEDDED)
   if (imp_drh->embedded.state)
@@ -4047,6 +4050,8 @@
           Renew(fbh->data, fbh->length, char);
           buffer->buffer_length= fbh->length;
           buffer->buffer= (char *) fbh->data;
+          imp_sth->stmt->bind[i].buffer_length = fbh->length;
+          imp_sth->stmt->bind[i].buffer = (char *)fbh->data;
 
           if (DBIc_TRACE_LEVEL(imp_xxh) >= 2) {
             int j;
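Review bot: The two added assignments after `Renew()` write straight into `imp_sth->stmt->bind[i]`, a structure the client library owns, and nothing at that spot explains why a second copy of the pointer must be kept in step. I would add a comment above them, e.g. `/* Renew() may have moved fbh->data; stmt->bind[i] still holds the old address from mysql_stmt_bind_result(), so refresh it before the next fetch */`. It is also worth confirming that `imp_sth->stmt->bind` is laid out the same way in every client library version the driver builds against, or whether re-running `mysql_stmt_bind_result()` is the supported way to re-point the buffer; the hunk does not show this. The enclosing loop and the definition of `i` are outside the hunk, so this assumes `bind[i]` and `buffer` describe the same column.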
@@ -4907,7 +4912,7 @@
   char *buffer= NULL;
   int buffer_is_null= 0;
   int buffer_is_unsigned= 0;
-  int buffer_length= slen;
+  int buffer_length= 0;
   unsigned int buffer_type= 0;
 #endif
 
@@ -5123,7 +5128,8 @@
   else
     imp_dbh= (imp_dbh_t*) imp_xxh;
 
-  if (mysql_errno(imp_dbh->pmysql) != CR_SERVER_GONE_ERROR)
+  if (mysql_errno(imp_dbh->pmysql) != CR_SERVER_GONE_ERROR &&
+          mysql_errno(imp_dbh->pmysql) != CR_SERVER_LOST)
     /* Other error */
     return FALSE;
 
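Review bot: Accepting `CR_SERVER_LOST` in this check widens the cases where a silent reconnect can happen, and that error can presumably be reported after a statement was already sent, so the caller may not know whether the server applied it. The rest of the function is outside the hunk; if the guards there do not already cover this, a comment should state that session state (open transaction, temporary tables, locks, session variables) is lost across the reconnect and that the failed statement's outcome is unknown. As a smaller style point, the condition now calls `mysql_errno()` twice and leaves an unbraced `return` under a two-line `if`. Reading the value once into a local declared with the function's other variables and testing `if (err != CR_SERVER_GONE_ERROR && err != CR_SERVER_LOST) { return FALSE; }` would be harder to misread.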
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/DBD-mysql-4.040/lib/Bundle/DBD/mysql.pm 
new/DBD-mysql-4.041/lib/Bundle/DBD/mysql.pm
--- old/DBD-mysql-4.040/lib/Bundle/DBD/mysql.pm 2016-11-19 20:55:08.000000000 
+0100
+++ new/DBD-mysql-4.041/lib/Bundle/DBD/mysql.pm 2016-11-28 21:20:44.000000000 
+0100
@@ -3,7 +3,7 @@
 use strict;
 use warnings;
 
-our $VERSION = '4.040';
+our $VERSION = '4.041';
 
 1;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/DBD-mysql-4.040/lib/DBD/mysql.pm 
new/DBD-mysql-4.041/lib/DBD/mysql.pm
--- old/DBD-mysql-4.040/lib/DBD/mysql.pm        2016-11-19 20:55:08.000000000 
+0100
+++ new/DBD-mysql-4.041/lib/DBD/mysql.pm        2016-11-28 21:20:44.000000000 
+0100
@@ -15,7 +15,7 @@
 # SQL_DRIVER_VER is formatted as dd.dd.dddd
 # for version 5.x please switch to 5.00(_00) version numbering
 # keep $VERSION in Bundle/DBD/mysql.pm in sync
-our $VERSION = '4.040';
+our $VERSION = '4.041';
 
 bootstrap DBD::mysql $VERSION;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/DBD-mysql-4.040/t/40server_prepare_crash.t 
new/DBD-mysql-4.041/t/40server_prepare_crash.t
--- old/DBD-mysql-4.040/t/40server_prepare_crash.t      2016-11-19 
20:55:08.000000000 +0100
+++ new/DBD-mysql-4.041/t/40server_prepare_crash.t      2016-11-28 
21:16:27.000000000 +0100
@@ -10,11 +10,22 @@
 my $dbh = eval { DBI->connect($test_dsn, $test_user, $test_password, { 
PrintError => 1, RaiseError => 1, AutoCommit => 0, mysql_server_prepare => 1, 
mysql_server_prepare_disable_fallback => 1 }) };
 plan skip_all => "no database connection" if $@ or not $dbh;
 
-plan tests => 17;
+plan tests => 39;
 
-ok $dbh->do("CREATE TEMPORARY TABLE t (i INTEGER NOT NULL, n TEXT)");
+my $sth;
 
-ok my $sth = $dbh->prepare("SELECT * FROM t WHERE i=? AND n=?");
+ok $dbh->do("CREATE TEMPORARY TABLE t (i INTEGER NOT NULL, n LONGBLOB)");
+
+ok $sth = $dbh->prepare("INSERT INTO t(i, n) VALUES(?, ?)");
+ok $sth->execute(1, "x" x 10);
+ok $sth->execute(2, "x" x 100);
+ok $sth->execute(3, "x" x 1000);
+ok $sth->execute(4, "x" x 10000);
+ok $sth->execute(5, "x" x 100000);
+ok $sth->execute(6, "x" x 1000000);
+ok $sth->finish();
+
+ok $sth = $dbh->prepare("SELECT * FROM t WHERE i=? AND n=?");
 
 ok $sth->bind_param(2, "x" x 1000000);
 ok $sth->bind_param(1, "abcx", 12);
@@ -34,6 +45,34 @@
 ok $sth->execute((1) x (10001));
 ok $sth->finish();
 
+my $test;
+ok $sth = $dbh->prepare("SELECT i,n FROM t WHERE i = ?");
+
+ok $sth->execute(1);
+ok $sth->fetchrow_arrayref();
+
+ok $sth->execute(2);
+$test = map { $_ } 'a';
+ok $sth->fetchrow_arrayref();
+
+ok $sth->execute(3);
+$test = map { $_ } 'b' x 10000000; # try to reuse released memory
+ok $sth->fetchrow_arrayref();
+
+ok $sth->execute(4);
+$test = map { $_ } 'cd' x 10000000; # try to reuse of released memory
+ok $sth->fetchrow_arrayref();
+
+ok $sth->execute(5);
+$test = map { $_ } 'efg' x 10000000; # try to reuse of released memory
+ok $sth->fetchrow_arrayref();
+
+ok $sth->execute(6);
+$test = map { $_ } 'hijk' x 10000000; # try to reuse of released memory
+ok $sth->fetchrow_arrayref();
+
+ok $sth->finish();
+
 ok $dbh->do("SELECT 1 FROM t WHERE i = ?" . (" OR i = ?" x 10000), {}, (1) x 
(10001));
 
 ok $dbh->disconnect();
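Review bot: The new fetch checks only assert that `fetchrow_arrayref()` returns something true, so a stale or corrupted buffer that happens not to crash would still pass. Each fetch could compare the row with what was inserted without changing the plan count, e.g. `is length($sth->fetchrow_arrayref()->[1]), 10000;` for `i = 4`. The `$test = map { $_ } 'b' x 10000000;` lines depend on the allocator handing the freed block back, which is not guaranteed, so running this file under a memory checker is the more reliable regression signal; a comment above the block saying so would help. The trailing comments could also be unified to `# try to reuse released memory`.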
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/DBD-mysql-4.040/t/rt85919-fetch-lost-connection.t 
new/DBD-mysql-4.041/t/rt85919-fetch-lost-connection.t
--- old/DBD-mysql-4.040/t/rt85919-fetch-lost-connection.t       2016-08-01 
08:26:44.000000000 +0200
+++ new/DBD-mysql-4.041/t/rt85919-fetch-lost-connection.t       2016-11-28 
21:16:21.000000000 +0100
@@ -36,8 +36,16 @@
     1;
 };
 if (not $ok) {
-    is ( $DBI::err, 2006, 'Received error 2006' );
-    is ( $DBI::errstr, 'MySQL server has gone away', 'Received MySQL server 
has gone away');
+    # if we're connected via a local socket we receive error 2006
+    # (CR_SERVER_GONE_ERROR) but if we're connected using TCP/IP we get 
+    # 2013 (CR_SERVER_LOST)
+    if ($DBI::err == 2006) {
+       pass("received error 2006 (CR_SERVER_GONE_ERROR)");
+    } elsif ($DBI::err == 2013) {
+       pass("received error 2013 (CR_SERVER_LOST)");
+    } else {
+        fail('Should return error 2006 or 2013');
+    }
     eval { $sth->finish(); } if defined $sth;
     eval { $dbh->disconnect(); } if defined $dbh;
 }
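Review bot: The `else` branch at the end of the new `if`/`elsif` chain fails without saying which error actually arrived, and the `==` comparisons will warn if `$DBI::err` is undefined. Something like `fail('Should return error 2006 or 2013, got ' . (defined $DBI::err ? $DBI::err : 'undef'));`, or a `diag` of `$DBI::errstr`, would make a failure diagnosable. This branch now emits one test result where the removed lines emitted two, so if the file declares a fixed plan outside the hunk, it needs the matching change. The two `pass` lines also appear to be indented differently from the `fail` line.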

