oss-sec mailing list archives

CVE-2016-1249: Out-of-bounds read by DBD::mysql >= version 2.9003


From: Patrick Galbraith <patg () patg net>
Date: Tue, 15 Nov 2016 23:11:46 -0500


======

SECURITY ADVISORY - Out-of-bounds read by DBD::mysql

Out-of-bounds read by DBD::mysql

A vulnerability was discovered that can lead to an out-of-bounds read
when using server-side prepared statements with a mismatched number of
placeholders in the WHERE condition and output fields in the SELECT expression.

Project name and URL — DBD::mysql Perl MySQL client driver, http://search.cpan.org/~capttofu/DBD-mysql/lib/DBD/mysql.pm
Versions known to be affected — 2.9004 and later (2005 and later)
Versions known to be not affected — 2.9003 and earlier (before 2005)
Version containing Fix — 4.039 and later (current)
Link to fix: https://github.com/perl5-dbi/DBD-mysql/commit/793b72b1a0baa5070adacaac0e12fd995a6fbabe

Type of vulnerability and its impact — could lead to an out-of-bounds read when using server-side prepared statement
support in the driver

CVE identifier — CVE-2016-1249

Planned release — availability: immediately

Mitigating factors — This problem is only exposed when the user enables server-side prepared statement support, which is
NOT the default behavior and was turned off for all drivers per MySQL AB decision in 2006 due to issues with
server-side prepared statements in the server. By default the driver emulates prepared statements.

Work-arounds — Use the default driver setting, which uses emulated prepared statements

Credit — Many thanks to Pali Rohár for discovering and fixing the vulnerability.
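A defensive configuration check in Perl, added here as an example and not part of the advisory or of the DBD::mysql project: it flags DSNs that enable server-side prepares (the real `mysql_server_prepare` DSN option) on a driver version in the affected range, and rewrites such a DSN back to the default emulated mode the work-around recommends. The DSN value is constructed, and the check only inspects the DSN string, not a `mysql_server_prepare` attribute passed separately in the `DBI->connect` attribute hash.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use version;

# Version boundaries taken from the advisory (first affected, first fixed).
my $FIRST_AFFECTED = version->parse('2.9004');
my $FIXED          = version->parse('4.039');

# Does this DSN ask DBD::mysql for server-side prepared statements?
# Option absent or set to 0 means emulated prepares, the driver default.
sub server_prepare_enabled {
    my ($dsn) = @_;
    return ($dsn =~ /(?:^|[;:])mysql_server_prepare=(\d+)/ && $1 != 0) ? 1 : 0;
}

# Returns 1 when this driver version, used with this DSN, reaches the
# server-side prepared statement code path covered by CVE-2016-1249.
sub exposed_to_cve_2016_1249 {
    my ($driver_version, $dsn) = @_;
    return 0 unless server_prepare_enabled($dsn);
    my $v = version->parse($driver_version);
    return ($v >= $FIRST_AFFECTED && $v < $FIXED) ? 1 : 0;
}

# Strip the option so the driver falls back to emulated prepared statements.
sub with_emulated_prepare {
    my ($dsn) = @_;
    $dsn =~ s/;?mysql_server_prepare=\d+//g;
    return $dsn;
}

# Constructed DSN with the weak setting enabled (hostname is a placeholder).
my $weak = 'DBI:mysql:database=app;host=db.example.test;mysql_server_prepare=1';
my $safe = with_emulated_prepare($weak);

for my $case (['4.038', $weak], ['4.038', $safe], ['4.039', $weak]) {
    my ($ver, $dsn) = @$case;
    printf "DBD::mysql %s with %s => %s\n", $ver, $dsn,
        exposed_to_cve_2016_1249($ver, $dsn) ? 'exposed' : 'not exposed';
}
```

In a real deployment the version to pass is `$DBD::mysql::VERSION` from the loaded driver; the three cases above show the weak DSN on an affected release, the rewritten DSN, and the weak DSN on the fixed release.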

======
