Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- 10.0.17, 10.1.4
- None
- windows 7 x64
Description
The following information pertains to information discovered by Fortinet's FortiGuard Labs. It has been determined that two vulnerabilities exist in MariaDB.
Proof of Concept/How to Reproduce:
To reproduce the first issue, you can use mysql to access a remote MariaDB server (for example, "mysql -uroot -p") and run the following database operation:
SELECT REGEXP_SUBSTR('ABC','(?i)((?2){0,1999}?(())|A)*');
To reproduce the second issue, run the following database operation:
SELECT REGEXP_SUBSTR('ABC','((?+1)()){222,}+');
It causes the MariaDB server to go down. Some screenshots are attached.
Note: The repro of these two issues may be unstable; sometimes you need to try it many times.
Analysis:
The root cause of these issues exists in the underlying pcre lib. They had been reported to the pcre lib developer and fixed in the latest pcre lib version, 8.37.
http://bugs.exim.org/show_bug.cgi?id=1592
http://bugs.exim.org/show_bug.cgi?id=1591
http://vcs.pcre.org/viewvc/code/trunk/ChangeLog?view=markup
Type of Vulnerability & Repercussions:
Remote Denial of Service
Affected Products:
MariaDB 10.0.17
Other versions may be affected too
Testing Platforms:
Windows 7 x64(en)
Upcoming Advisory Reference:
http://www.fortiguard.com/advisory/UpcomingAdvisories.html
Credits:
These vulnerabilities were discovered by Kai Lu of Fortinet's FortiGuard Labs.
Issue Links
- is part of: MDEV-8071 10.0.18 merge (Closed)