Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
10.0.17, 10.1.4
-
None
-
windows 7 x64
Description
The following information pertains to information discovered by Fortinet's FortiGuard Labs. It has been determined that two vulnerabilities exist in MariaDB.
Proof of Concept/How to Reproduce:
To reproduce the first issue, you can use mysql to access remote MariaDB server (for example, "mysql -uroot -p") and do the following database operation:
SELECT REGEXP_SUBSTR('ABC','(?i)((?2){0,1999}?(())|A)*'); |
To reproduce the second issue, do the following database operation:
SELECT REGEXP_SUBSTR('ABC','((?+1)()){222,}+'); |
It causes the MariaDB Server down. And some screenshots are attached.
Note: The repro of these two issues may be unstable, sometimes you need to try it many times.
Analysis:
The root cause of these issues exists in the underlying pcre lib. They had been reported to pcre lib developer and fixed in the latest pcre lib version 8.37.
http://bugs.exim.org/show_bug.cgi?id=1592
http://bugs.exim.org/show_bug.cgi?id=1591
http://vcs.pcre.org/viewvc/code/trunk/ChangeLog?view=markup
Type of Vulnerability & Repercussions:
Remote Denial of Service
Affected Products:
MariaDB 10.0.17
Other versions may be affected too
Testing Platforms:
Windows 7 x64(en)
Upcoming Advisory Reference:
http://www.fortiguard.com/advisory/UpcomingAdvisories.html
Credits:
These vulnerabilities were discovered by Kai Lu of Fortinet's FortiGuard Labs.
Attachments
Issue Links
- is part of
-
MDEV-8071 10.0.18 merge
-
- Closed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Fix Version/s | 10.1 [ 16100 ] | |
| Fix Version/s | 10.0 [ 16000 ] |
| Assignee | Sergei Golubchik [ serg ] |
| Affects Version/s | 10.1.4 [ 18400 ] |
| Description |
The following information pertains to information discovered by Fortinet's FortiGuard Labs. It has been determined that two vulnerabilities exist in MariaDB. Proof of Concept/How to Reproduce: To reproduce the first issue, you can use mysql to access remote MariaDB server (for example, "mysql -uroot -p") and do the following database operation: SELECT REGEXP_SUBSTR('ABC','(?i)((?2){0,1999}?(())|A)*'); To reproduce the second issue, do the following database operation: SELECT REGEXP_SUBSTR('ABC','((?+1)()){222,}+'); It causes the MariaDB Server down. And some screenshots are attached. Note: The repro of these two issues may be unstable, sometimes you need to try it many times. Analysis: The root cause of these issues exists in the underlying pcre lib. They had been reported to pcre lib developer and fixed in the latest pcre lib version 8.37. http://bugs.exim.org/show_bug.cgi?id=1592 http://bugs.exim.org/show_bug.cgi?id=1591 http://vcs.pcre.org/viewvc/code/trunk/ChangeLog?view=markup Type of Vulnerability & Repercussions: Remote Denial of Service Affected Products: MariaDB 10.0.17 Other versions may be affected too Testing Platforms: Windows 7 x64(en) Upcoming Advisory Reference: http://www.fortiguard.com/advisory/UpcomingAdvisories.html Credits: These vulnerabilities were discovered by Kai Lu of Fortinet's FortiGuard Labs. |
The following information pertains to information discovered by Fortinet's FortiGuard Labs. It has been determined that two vulnerabilities exist in MariaDB. *Proof of Concept/How to Reproduce:* To reproduce the first issue, you can use mysql to access remote MariaDB server (for example, "mysql -uroot -p") and do the following database operation: {code:sql} SELECT REGEXP_SUBSTR('ABC','(?i)((?2){0,1999}?(())|A)*'); {code} To reproduce the second issue, do the following database operation: {code:sql} SELECT REGEXP_SUBSTR('ABC','((?+1)()){222,}+'); {code} It causes the MariaDB Server down. And some screenshots are attached. Note: The repro of these two issues may be unstable, sometimes you need to try it many times. *Analysis:* The root cause of these issues exists in the underlying pcre lib. They had been reported to pcre lib developer and fixed in the latest pcre lib version 8.37. http://bugs.exim.org/show_bug.cgi?id=1592 http://bugs.exim.org/show_bug.cgi?id=1591 http://vcs.pcre.org/viewvc/code/trunk/ChangeLog?view=markup *Type of Vulnerability & Repercussions:* Remote Denial of Service *Affected Products:* MariaDB 10.0.17 Other versions may be affected too *Testing Platforms:* Windows 7 x64(en) *Upcoming Advisory Reference:* http://www.fortiguard.com/advisory/UpcomingAdvisories.html *Credits:* These vulnerabilities were discovered by Kai Lu of Fortinet's FortiGuard Labs. |
Anyone track this issue?
its a critical priority assigned to the next release.
It also shoudn't be much effort to fix.
According to bug fixing policy https://mariadb.com/kb/en/mariadb/mariadb-bug-fixing-policy/ this is still a yellow threat level as it requires an authenticated user. I'm not saying its a perfect policy, but it certainly will be addressed. There are a number of other bugs in the same category.
The next 10.0 and 10.1 releases aren't too far away https://mariadb.atlassian.net/projects/MDEV?selectedItem=com.atlassian.jira.jira-projects-plugin:release-page and the release team will make sure this is included along with any other high importance bug fixes.
https://github.com/MariaDB/server/pull/60
thanks for the test case secresearch
I've merged pcre 8.37, but this only fixes packages where we build with bundled pcre. Normally we prefer to use system libraries, when possible. So for packages where we link with system pcre, this issue needs to be fixed by distributions. Hopefully it already is.
| Component/s | OTHER [ 10125 ] | |
| Fix Version/s | 10.0.18 [ 18702 ] | |
| Fix Version/s | 10.1.5 [ 18813 ] | |
| Fix Version/s | 10.0 [ 16000 ] | |
| Fix Version/s | 10.1 [ 16100 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | Open [ 1 ] | Closed [ 6 ] |
| Workflow | MariaDB v2 [ 60568 ] | MariaDB v3 [ 64585 ] |
| Workflow | MariaDB v3 [ 64585 ] | MariaDB v4 [ 149060 ] |
Anyone track this issue?