MariaDB Server / MDEV-8006

[FG-VD-15-029] MariaDB PCRE Handling Multiple Remote Denial of Service Vulnerabilities

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 10.0.17, 10.1.4
    • Fix Version/s: 10.0.18, 10.1.5
    • Component/s: OTHER
    • Labels: None
    • Environment: windows 7 x64

    Description

      The following information was discovered by Fortinet's FortiGuard Labs. It has been determined that two vulnerabilities exist in MariaDB.

      Proof of Concept/How to Reproduce:
      To reproduce the first issue, you can use mysql to access the remote MariaDB server (for example, "mysql -uroot -p") and run the following database operation:

          SELECT REGEXP_SUBSTR('ABC','(?i)((?2){0,1999}?(())|A)*');

      To reproduce the second issue, run the following database operation:

          SELECT REGEXP_SUBSTR('ABC','((?+1)()){222,}+');

      It causes the MariaDB Server to go down. Some screenshots are attached.

      Note: The repro of these two issues may be unstable; sometimes you need to try it many times.

      Analysis:
      The root cause of these issues lies in the underlying pcre lib. They have been reported to the pcre lib developer and fixed in the latest pcre lib version, 8.37.
      http://bugs.exim.org/show_bug.cgi?id=1592
      http://bugs.exim.org/show_bug.cgi?id=1591
      http://vcs.pcre.org/viewvc/code/trunk/ChangeLog?view=markup

      Type of Vulnerability & Repercussions:
      Remote Denial of Service

      Affected Products:
      MariaDB 10.0.17
      Other versions may be affected too

      Testing Platforms:
      Windows 7 x64(en)

      Upcoming Advisory Reference:
      http://www.fortiguard.com/advisory/UpcomingAdvisories.html

      Credits:
      These vulnerabilities were discovered by Kai Lu of Fortinet's FortiGuard Labs.

          Activity

            secresearch secresearch added a comment -

            Anyone track this issue?

            danblack Daniel Black added a comment -

            Anyone track this issue?

            It's a critical priority assigned to the next release.

            It also shouldn't be much effort to fix.

            According to the bug fixing policy https://mariadb.com/kb/en/mariadb/mariadb-bug-fixing-policy/ this is still a yellow threat level as it requires an authenticated user. I'm not saying it's a perfect policy, but it certainly will be addressed. There are a number of other bugs in the same category.

            The next 10.0 and 10.1 releases aren't too far away https://mariadb.atlassian.net/projects/MDEV?selectedItem=com.atlassian.jira.jira-projects-plugin:release-page and the release team will make sure this is included along with any other high importance bug fixes.

            danblack Daniel Black added a comment -

            https://github.com/MariaDB/server/pull/60 thanks for the test case secresearch

            serg Sergei Golubchik added a comment -

            I've merged pcre 8.37, but this only fixes packages where we build with bundled pcre. Normally we prefer to use system libraries, when possible. So for packages where we link with system pcre, this issue needs to be fixed by distributions. Hopefully it already is.
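            The practical question left open by the Analysis section above and by Sergei's last comment is which PCRE a given server actually executes these patterns with: a distribution's libpcre, or the copy bundled into mysqld. The script below is an added example for this issue, not code from MariaDB, Fortinet or the PCRE project. It assumes only what the page states (the fix is in PCRE 8.37 per the pcre bug links, and in MariaDB 10.0.18 / 10.1.5 per the fix versions), plus two things about the host that are assumptions of the example: that `ldd mysqld` lists a dynamically linked libpcre when the system library is used, and that `mysqld --version` prints "Ver X.Y.Z-...". The helper names (version_ge, pcre_is_fixed, mariadb_is_fixed, pcre_link_kind, check_host) and the sample ldd output are the example's own.

```shell
#!/bin/sh
# Added example for MDEV-8006 (not MariaDB's, Fortinet's or PCRE's code).
# Assumed from this issue: the two REGEXP_SUBSTR patterns crash PCRE < 8.37
# (pcre bugs 1591/1592) and MariaDB ships a fixed bundled PCRE from
# 10.0.18 / 10.1.5. Assumed about the host: ldd output format and
# `mysqld --version` printing "Ver X.Y.Z-...". Helper names are the example's own.

# version_ge A B: succeed when dotted version A >= B. Compares the first three
# numeric fields; anything from the first '-' on (e.g. "-MariaDB") is ignored.
version_ge() {
    a=${1%%-*}; b=${2%%-*}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -s -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -s -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# PCRE itself: fixed at 8.37 (from the pcre bug tracker links in this issue).
pcre_is_fixed() { version_ge "$1" "8.37"; }

# MariaDB with the bundled PCRE: fixed at 10.0.18 and 10.1.5 (this issue's fix
# versions). Other series are outside this issue and are reported as not fixed
# so the caller looks them up instead of assuming.
mariadb_is_fixed() {
    v=${1%%-*}
    case "$v" in
        10.0.*) version_ge "$v" 10.0.18 ;;
        10.1.*) version_ge "$v" 10.1.5 ;;
        *) return 1 ;;
    esac
}

# pcre_link_kind LDD_OUTPUT: "system" when mysqld dynamically links libpcre
# (the distro must ship the fix), "bundled" when no libpcre.so appears.
pcre_link_kind() {
    if printf '%s\n' "$1" | grep -q 'libpcre\.so'; then
        echo system
    else
        echo bundled
    fi
}

# Constructed sample ldd output (not captured from a real host), used to
# exercise pcre_link_kind offline.
SAMPLE_LDD_SYSTEM='linux-vdso.so.1 (0x00007ffd1c5f0000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f3a1e2c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1dee0000)'
SAMPLE_LDD_BUNDLED='linux-vdso.so.1 (0x00007ffd1c5f0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1dee0000)'

# check_host: apply the decision to the local mysqld.
# Exit 0 = fixed, 1 = vulnerable, 2 = could not determine.
check_host() {
    bin=$(command -v mysqld) || { echo "mysqld not in PATH"; return 2; }
    kind=$(pcre_link_kind "$(ldd "$bin" 2>/dev/null)")
    if [ "$kind" = system ]; then
        pv=$(pcre-config --version 2>/dev/null) || { echo "system libpcre but pcre-config missing: check the distro's libpcre package"; return 2; }
        if pcre_is_fixed "$pv"; then echo "system PCRE $pv: fixed"; return 0; fi
        echo "system PCRE $pv: vulnerable, update libpcre to 8.37 or later"; return 1
    fi
    sv=$("$bin" --version 2>/dev/null | sed -n 's/.*Ver \([0-9.]*\).*/\1/p')
    [ -n "$sv" ] || { echo "could not parse mysqld --version"; return 2; }
    if mariadb_is_fixed "$sv"; then echo "bundled PCRE, MariaDB $sv: fixed"; return 0; fi
    echo "bundled PCRE, MariaDB $sv: vulnerable, upgrade to 10.0.18 / 10.1.5 or later"; return 1
}

# Only touch the live host when asked, so sourcing the file stays offline.
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

            Run it as `sh check_pcre.sh --live` on a Linux/Unix host with mysqld in PATH; the Windows build named in the report is not covered by the ldd-based test. The point of separating the two branches is Sergei's: a MariaDB upgrade alone does nothing for a package that links the system libpcre, and a libpcre update does nothing for a bundled build. If you want to confirm the outcome with the patterns from the description, do it against a throwaway instance, since on an unfixed server they take the whole mysqld down for every other session.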

            People

              Assignee: serg Sergei Golubchik
              Reporter: secresearch secresearch
              Votes: 1
              Watchers: 4
