Bug#866821: libdbd-mysql-perl: CVE-2017-10789

Antoine Beaupre anarcat at orangeseeds.org
Wed Aug 30 19:29:10 UTC 2017


On Mon, Aug 28, 2017 at 02:53:12PM +0200, Guido Günther wrote:
> While a patch for this was upstream in 4.042 (around
> b6be72f321e920419bdc5c86998d9b9cb26c6791) upstream reverted _all_
> changes back to 4.041.

That's right, like #866818...

I've backported the patch to wheezy, but this is horribly mined
territory. MySQL SSL support is catastrophic at best, which makes this
very hard to test. The patch I'm uploading to wheezy features a test
suite which requires a running MySQL configured (or not!) with SSL
(depending on the test!!). The best result I could achieve, with SSL
configured, is:

t/92ssl_backronym_vulnerability.t .. skipped: Server supports SSL connections, cannot test false-positive enforcement
t/92ssl_connection.t ............... 1/4 
#   Failed test 'SSL connection was established'
#   at t/92ssl_connection.t line 21.

#   Failed test 'DBD::mysql supports mysql_ssl=1 without mysql_ssl_optional=1 and fail because cannot enforce SSL encryption'
#   at t/92ssl_connection.t line 28.
#          got: 'SSL connection error: Client is not configured to use SSL'
#     expected: 'SSL connection error: Enforcing SSL encryption is not supported'
# Error message: SSL connection error: Client is not configured to use SSL
# Looks like you failed 2 tests of 4.
t/92ssl_connection.t ............... Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/4 subtests 
t/92ssl_optional.t ................. skipped: Server supports SSL connections, cannot test fallback to plain text
t/92ssl_riddle_vulnerability.t ..... skipped: Server supports SSL connections, cannot test false-positive enforcement

I could not figure out how to fix that error: I suspect it's because the
test suite assumes the server has a real certificate anchored in the
system trust chain. I created a self-signed test certificate (and not the
snakeoil one, which fails to load completely for obscure MySQL-ish
reasons), which failed to pass that test. I comforted mysql in thinking
this worked by using the commandline (which uses libdbd-mysql-perl!):

# mysql --ssl-mode=REQUIRED --ssl-ca=/var/lib/mysql/newcerts/ca.pem 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 37
Server version: 5.5.57-0+deb7u1 (Debian)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.5.57, for debian-linux-gnu (x86_64) using readline 6.2

Connection id:		37
Current database:	
Current user:		root at localhost
SSL:			Cipher in use is DHE-RSA-AES256-SHA
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server version:		5.5.57-0+deb7u1 (Debian)
Protocol version:	10
Connection:		Localhost via UNIX socket
Server characterset:	latin1
Db     characterset:	latin1
Client characterset:	utf8
Conn.  characterset:	utf8
UNIX socket:		/var/run/mysqld/mysqld.sock
Uptime:			5 sec

Threads: 1  Questions: 111  Slow queries: 0  Opens: 48  Flush tables: 1  Open tables: 41  Queries per second avg: 22.200
--------------

With SSL *not* configured, the backronym and riddle tests pass, but then
the other is skipped, obviously:

t/92ssl_backronym_vulnerability.t .. ok   
t/92ssl_connection.t ............... skipped: Server does not support SSL connections
t/92ssl_optional.t ................. ok   
t/92ssl_riddle_vulnerability.t ..... ok   
All tests successful.
Files=44, Tests=900,  3 wallclock secs ( 0.22 usr  0.06 sys +  1.54 cusr  0.25 csys =  2.07 CPU)
Result: PASS

Make sure you run the test suite in a built tree, or at least by passing
"--ssl" to the makefile; otherwise you will be in a world of hurt.

Otherwise this should be fixed shortly in a LTS upload.

A.
-- 
Premature optimization is the root of all evil
                        - Donald Knuth
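The failing test above checks that DBD::mysql refuses a mysql_ssl=1 connection (without mysql_ssl_optional=1) when it cannot enforce encryption, and the `\s` output shows the server-side view of the same fact ("Cipher in use is ..."). The following is an added example, not code from the bug report, from the wheezy patch or from DBD::mysql itself: it connects with mysql_ssl=1 and then asks the server which cipher the session negotiated, so that an application does not have to trust the client flag alone. Host, database, credentials and the CA path are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or from DBD::mysql): request SSL
# via mysql_ssl=1, then confirm from the server side that the session is
# really encrypted before running any query.
use strict;
use warnings;
use DBI;

# Placeholders: adjust to your environment.
my $host    = 'db.example.internal';
my $db      = 'test';
my $user    = 'app';
my $pass    = 'CHANGE_ME';
my $ca_file = '/etc/mysql/ca.pem';   # CA that signed the server certificate

# mysql_ssl=1 requests SSL and mysql_ssl_ca_file lets the client verify the
# server. Deliberately do NOT set mysql_ssl_optional=1: with the 4.042 fix,
# connect() must fail when encryption cannot be enforced rather than fall
# back to plain text.
my $dsn = "DBI:mysql:database=$db;host=$host;"
        . "mysql_ssl=1;mysql_ssl_ca_file=$ca_file";

my $dbh = DBI->connect($dsn, $user, $pass, { RaiseError => 1, PrintError => 0 })
    or die "connect failed: $DBI::errstr\n";

# Independent check: SHOW SESSION STATUS returns (Variable_name, Value).
# An empty Ssl_cipher means the connection is unencrypted, whatever the
# client library claims; treat that as a hard failure.
my ($name, $cipher) = $dbh->selectrow_array(
    q{SHOW SESSION STATUS LIKE 'Ssl_cipher'}
);
$cipher //= '';

if ($cipher eq '') {
    $dbh->disconnect;
    die "Connected WITHOUT encryption (Ssl_cipher empty); refusing to continue\n";
}
print "Encrypted session, cipher in use: $cipher\n";

# ... application queries go here ...
$dbh->disconnect;
```

Against a DBD::mysql that still silently falls back to plain text, the connect succeeds but Ssl_cipher comes back empty and the script aborts; against a fixed version the connect itself fails first. Either way, the query-based check is the part worth keeping in production code, since it is the same evidence the `\s` output relies on.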