Bug #75379 invalid memory access
Submitted: 1 Jan 2015 11:30
Modified: 2 Aug 2015 1:40
Reporter: Joshua Rogers
Status: Closed
Category: MySQL Server: Command-line Clients
Severity: S2 (Serious)
Version: 5.6.23
OS: Any
CPU Architecture: Any

[1 Jan 2015 11:30] Joshua Rogers
Description:
/client/mysql_config_editor.cc:

1224    if ((my_write(g_fd, (const uchar *)cipher, enc_len + MAX_CIPHER_STORE_LEN,
1225                  MYF(MY_WME))) != (enc_len + MAX_CIPHER_STORE_LEN))

If 'enc_len' is 4096 (which it is allowed to be), it will be accessed at offset 4099, due to
'Count' = enc_len + MAX_CIPHER_STORE_LEN.
 61    writtenbytes= write(Filedes, Buffer, Count);

How to repeat:
.

Suggested fix:
.
[1 Jan 2015 13:33] MySQL Verification Team
Verifying based on code review. The 'cipher' buffer is too small.
The important parts...

#define MY_LINE_MAX 4096

char cipher[MY_LINE_MAX], *tmp= NULL;

   if (enc_len > MY_LINE_MAX)
      goto error;

    /* Store cipher length first. */
    int4store(cipher, enc_len);

    if ((my_write(g_fd, (const uchar *)cipher, enc_len + MAX_CIPHER_STORE_LEN,
                  MYF(MY_WME))) != (enc_len + MAX_CIPHER_STORE_LEN))
      goto error;
  }
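
An added example, not part of the bug thread or MySQL's source: the length arithmetic behind the report, with the quoted bound next to one that also accounts for the length prefix. MAX_CIPHER_STORE_LEN is assumed to be 4 (what offset 4099 and int4store imply), build_record is a hypothetical helper, the ciphertext bytes are constructed, and this is not the fix MySQL shipped.

```c
#include <stdio.h>
#include <string.h>

#define MY_LINE_MAX 4096
#define MAX_CIPHER_STORE_LEN 4 /* assumed: the 4-byte prefix int4store writes */

static unsigned char cipher[MY_LINE_MAX]; /* same size as the buffer in the report */
static unsigned char enc[MY_LINE_MAX];    /* constructed stand-in ciphertext */

/* The bound quoted in the report: rejects only enc_len > MY_LINE_MAX. */
static int original_check_accepts(size_t enc_len) {
  return enc_len <= MY_LINE_MAX;
}

/* Bytes my_write() would read past cipher[] for Count = enc_len + prefix. */
static size_t overread_bytes(size_t enc_len) {
  size_t count = enc_len + MAX_CIPHER_STORE_LEN;
  return count > sizeof(cipher) ? count - sizeof(cipher) : 0;
}

/* Hardened: lay out [length prefix][ciphertext] only if the whole record
   fits in out. Returns the record length, or 0 if it is refused. */
static size_t build_record(unsigned char *out, size_t out_size,
                           const unsigned char *src, size_t enc_len) {
  if (out_size < MAX_CIPHER_STORE_LEN ||
      enc_len > out_size - MAX_CIPHER_STORE_LEN)
    return 0;
  for (int i = 0; i < MAX_CIPHER_STORE_LEN; i++) /* low byte first */
    out[i] = (unsigned char)(enc_len >> (8 * i));
  memcpy(out + MAX_CIPHER_STORE_LEN, src, enc_len);
  return enc_len + MAX_CIPHER_STORE_LEN;
}

int main(void) {
  const size_t lens[] = {4092, 4093, 4096};
  for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
    printf("enc_len=%zu original_check=%s overread=%zu hardened=%zu\n",
           lens[i], original_check_accepts(lens[i]) ? "accept" : "reject",
           overread_bytes(lens[i]),
           build_record(cipher, sizeof(cipher), enc, lens[i]));
  return 0;
}
```

Any enc_len from 4093 to 4096 passes the quoted check yet makes the write length exceed the 4096-byte buffer; the hardened bound refuses those lengths.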
[29 Apr 2015 13:23] Paul DuBois
Noted in 5.6.25, 5.7.8, 5.8.0 changelogs.

mysql_config_editor could exit abnormally while encrypting passwords.
[30 Apr 2015 5:24] Joshua Rogers
Could a CVE-ID be assigned to this, and it be opened to the public?

Thanks
[1 Aug 2015 17:49] Joshua Rogers
Any updates?

Thanks
[1 Aug 2015 18:23] MySQL Verification Team
Fixed since 5.6.25, 5.7.8, 5.8.0...
[2 Aug 2015 1:40] Joshua Rogers
Right. But can this bug be opened to world-view?

Thanks