[MDEV-28838] password_reuse_check plugin mixes username and password Created: 2022-06-14  Updated: 2023-11-27  Resolved: 2022-07-06

Status: Closed
Project: MariaDB Server
Component/s: Plugins
Affects Version/s: 10.7, 10.8, 10.9
Fix Version/s: 10.7.5, 10.8.4, 10.9.2

Type: Bug Priority: Blocker
Reporter: Sergei Golubchik Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Problem/Incident
is caused by MDEV-9245 password "reuse prevention" validatio... Closed
Relates
relates to MDEV-28234 Change maturity of plugins for July 2... Closed

Description

password_reuse_check plugin cannot distinguish between username "foo" and password "bar" and username "foob" and password "ar".

To fix that, the string length can be added to the buffer first. Like:

  int4store(buff, hostname->length);
  memcpy(buff+4, hostname->str, hostname->length);
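The following is an added illustration, not code from the MariaDB plugin: it builds the hash input buffer both ways, once by plain concatenation of host, user and password and once with each field preceded by its 4-byte length as the description proposes, and shows that the two user/password pairs from the report collide only in the first layout. The host-then-user-then-password field order, the little-endian `int4store_le` re-implementation of the server's `int4store` macro, the FNV-1a stand-in hash and the `BUF_MAX` limit are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_MAX 512  /* assumed fixed buffer size for this example */

/* Little-endian 4-byte store, written here to mirror MariaDB's int4store
 * macro; this is a re-implementation for the example, not the server's code. */
static void int4store_le(unsigned char *dst, uint32_t v)
{
    dst[0] = (unsigned char)(v);
    dst[1] = (unsigned char)(v >> 8);
    dst[2] = (unsigned char)(v >> 16);
    dst[3] = (unsigned char)(v >> 24);
}

/* FNV-1a 64-bit, used only as a stand-in for whatever digest the plugin
 * applies; the point of the example is the buffer layout, not the hash. */
static uint64_t fnv1a64(const unsigned char *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Ambiguous layout: host || user || password with no field boundaries.
 * Returns 0 if the fields do not fit the buffer. */
static uint64_t hash_concat(const char *host, const char *user, const char *pwd)
{
    unsigned char buf[BUF_MAX];
    const char *parts[3] = { host, user, pwd };
    size_t n = 0;
    for (int i = 0; i < 3; i++) {
        size_t len = strlen(parts[i]);
        if (n + len > BUF_MAX)
            return 0;
        memcpy(buf + n, parts[i], len);
        n += len;
    }
    return fnv1a64(buf, n);
}

/* Length-prefixed layout: every field is preceded by its own length, so the
 * buffer can be parsed back into exactly one (host, user, password) triple. */
static uint64_t hash_length_prefixed(const char *host, const char *user, const char *pwd)
{
    unsigned char buf[BUF_MAX];
    const char *parts[3] = { host, user, pwd };
    size_t n = 0;
    for (int i = 0; i < 3; i++) {
        size_t len = strlen(parts[i]);
        if (n + 4 + len > BUF_MAX)
            return 0;
        int4store_le(buf + n, (uint32_t)len);
        memcpy(buf + n + 4, parts[i], len);
        n += 4 + len;
    }
    return fnv1a64(buf, n);
}

/* 1 if the two account/password triples produce the same hash under hf. */
static int collides(uint64_t (*hf)(const char *, const char *, const char *),
                    const char *h1, const char *u1, const char *p1,
                    const char *h2, const char *u2, const char *p2)
{
    return hf(h1, u1, p1) == hf(h2, u2, p2);
}

int main(void)
{
    /* The two pairs from the plugin test in this ticket. */
    printf("user_name/test_pwd vs user_nam/etest_pwd: concat=%d prefixed=%d\n",
           collides(hash_concat, "localhost", "user_name", "test_pwd",
                    "localhost", "user_nam", "etest_pwd"),
           collides(hash_length_prefixed, "localhost", "user_name", "test_pwd",
                    "localhost", "user_nam", "etest_pwd"));
    printf("user_name@localhost vs tuser_name@localhos: concat=%d prefixed=%d\n",
           collides(hash_concat, "localhost", "user_name", "test_pwd",
                    "localhos", "tuser_name", "test_pwd"),
           collides(hash_length_prefixed, "localhost", "user_name", "test_pwd",
                    "localhos", "tuser_name", "test_pwd"));
    return 0;
}
```

With plain concatenation both pairs produce the byte string `localhostuser_nametest_pwd`, so the reuse check would wrongly report one account's password as already used by the other; with the length prefix the byte at each length slot differs and the collision disappears.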



Comments
Comment by Oleksandr Byelkin [ 2022-06-29 ]

test:

 
--source include/not_embedded.inc
 
if (!$PASSWORD_REUSE_CHECK_SO) {
  skip No PASSWORD_REUSE_CHECK plugin;
}
 
install soname "password_reuse_check";
 
set global password_reuse_check_interval= 0;
 
 
grant select on *.* to user_name@localhost identified by 'test_pwd';
 
grant select on *.* to user_nam@localhost identified by 'etest_pwd';
show warnings;
 
drop user user_name@localhost;
drop user user_nam@localhost;
 
grant select on *.* to user_name@localhost identified by 'test_pwd';
 
grant select on *.* to tuser_name@localhos identified by 'test_pwd';
show warnings;
 
drop user user_name@localhost;
drop user tuser_name@localhos;

Comment by Oleksandr Byelkin [ 2022-06-29 ]

commit 9ec0b36ee8b58ef659ccc718c64724665c387298 (HEAD -> bb-10.7-MDEV-28838, origin/bb-10.7-MDEV-28838)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date:   Wed Jun 29 14:56:10 2022 +0200
 
    MDEV-28838 password_reuse_check plugin mixes username and password
    
    To prevent the problem of mixing user name and password and
    host name and user name we add length of the hostname and user name
    to the hash.

Comment by Oleksandr Byelkin [ 2022-07-05 ]

commit 124de673a6a4a1205908eea420f24c8297576924 (HEAD -> bb-10.7-MDEV-28838, origin/bb-10.7-MDEV-28838)
Author: Oleksandr Byelkin <sanja@mariadb.com>
Date:   Wed Jun 29 14:56:10 2022 +0200
 
    MDEV-28838 password_reuse_check plugin mixes username and password
    
    To prevent the problem of mixing user name and password and
    host name and user name we add length of the hostname and user name
    to the hash.

Comment by Sergei Golubchik [ 2022-07-05 ]

124de673a6a4a1205908eea420f24c8297576924 is ok to push

Generated at Thu Feb 08 10:03:51 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.