Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-8006

[FG-VD-15-029] MariaDB PCRE Handling Multiple Remote Denial of Service Vulnerabilities

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Fixed
    • 10.0.17, 10.1.4
    • 10.0.18, 10.1.5
    • OTHER
    • None
    • windows 7 x64

    Description

      The following information pertains to information discovered by Fortinet's FortiGuard Labs. It has been determined that two vulnerabilities exist in MariaDB.

      Proof of Concept/How to Reproduce:
      To reproduce the first issue, you can use mysql to access remote MariaDB server (for example, "mysql -uroot -p") and do the following database operation:

         	 SELECT REGEXP_SUBSTR('ABC','(?i)((?2){0,1999}?(())|A)*');

      To reproduce the second issue, do the following database operation:

       	   SELECT REGEXP_SUBSTR('ABC','((?+1)()){222,}+');

      It causes the MariaDB Server down. And some screenshots are attached.

      Note: The repro of these two issues may be unstable, sometimes you need to try it many times.

      Analysis:
      The root cause of these issues exists in the underlying pcre lib. They had been reported to pcre lib developer and fixed in the latest pcre lib version 8.37.
      http://bugs.exim.org/show_bug.cgi?id=1592
      http://bugs.exim.org/show_bug.cgi?id=1591
      http://vcs.pcre.org/viewvc/code/trunk/ChangeLog?view=markup

      Type of Vulnerability & Repercussions:
      Remote Denial of Service

      Affected Products:
      MariaDB 10.0.17
      Other versions may be affected too

      Testing Platforms:
      Windows 7 x64(en)

      Upcoming Advisory Reference:
      http://www.fortiguard.com/advisory/UpcomingAdvisories.html

      Credits:
      These vulnerabilities were discovered by Kai Lu of Fortinet's FortiGuard Labs.

      Attachments

        Issue Links

          Activity

            People

              serg Sergei Golubchik
              secresearch secresearch
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.