Bug #80974 | Export my_make_scrambled_password() in libmysqlclient | ||
---|---|---|---|
Submitted: | 6 Apr 2016 10:36 | Modified: | 21 Apr 2016 18:03 |
Reporter: | Norvald Ryeng | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: C API (client library) | Severity: | S3 (Non-critical) |
Version: | 5.7.11 | OS: | Any |
Assigned to: | CPU Architecture: | Any |
[6 Apr 2016 10:36]
Norvald Ryeng
[21 Apr 2016 18:03]
Paul DuBois
Posted by developer: Noted in 5.7.13 changelog. The make_scrambled_password() function in the C client library was restricted earlier in MySQL 5.7 (not exported to client programs). The function has once again been made visible to client programs.
[22 Apr 2016 10:30]
Norvald Ryeng
Posted by developer: Correction: The exported symbol is "my_make_scrambled_password", not "make_scrambled_password".
[22 Apr 2016 10:33]
Norvald Ryeng
Posted by developer: Pure-FTPd bug report: https://github.com/jedisct1/pure-ftpd/issues/37
[22 Apr 2016 13:52]
Paul DuBois
Posted by developer: Corrected changelog entry: The my_make_scrambled_password() function in the C client library was restricted earlier in MySQL 5.7 (not exported to client programs). The function has once again been made visible to client programs.
[15 May 2017 14:50]
Andreas Hasenack
I fear there is some confusion here given the functions have very similar names. make_scrambled_password() is currently a wrapper to my_make_scrambled_password_sha1(), *not* my_make_scrambled_password(). Note the "_sha1" suffix!

In other words, current code has:

    make_scrambled_password -> my_make_scrambled_password_sha1
    my_make_scrambled_password -> something different

If you have code that uses make_scrambled_password(), replacing that with my_make_scrambled_password() will lead to buffer overflows. For example, in pam_mysql.c:

    /* PASSWORD */
    case 2: {
        char buf[42];
        ...
        my_make_scrambled_password(buf, passwd, strlen(passwd));

That will overflow *buf.
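Added example, not part of this bug thread and not code from MySQL or pam_mysql: one way a caller can guard a fixed buffer such as the `char buf[42]` above when the scrambling function behind a name may change. `scramble_bounded`, `demo_short_scramble` and `demo_long_scramble` are hypothetical names; the two stand-ins only write constructed strings of 41 and 60 characters, and the real worst-case output size (`out_max`) must be taken from the client library's headers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Signature shape taken from the call quoted in the thread:
   fn(buf, passwd, strlen(passwd)). */
typedef void (*scramble_fn)(char *to, const char *password, size_t pass_len);

/* Constructed stand-ins, NOT the libmysqlclient functions: they only
   reproduce "writes a NUL-terminated string of n characters into `to`". */
static void fill(char *to, char lead, size_t n) {
    to[0] = lead;
    memset(to + 1, 'A', n - 1);
    to[n] = '\0';
}
void demo_short_scramble(char *to, const char *p, size_t n) { (void)p; (void)n; fill(to, '*', 41); }
void demo_long_scramble(char *to, const char *p, size_t n) { (void)p; (void)n; fill(to, '$', 60); }

/* Scramble into a scratch buffer sized for the scrambler's worst case
   (out_max bytes, NUL included), then copy to dst only if it fits.
   Returns 0 on success, -1 if dst is too small or allocation fails;
   dst is left untouched on failure. */
int scramble_bounded(scramble_fn fn, size_t out_max,
                     char *dst, size_t dst_size, const char *password) {
    char *scratch = calloc(1, out_max);
    int rc = -1;
    if (scratch == NULL) return -1;
    fn(scratch, password, strlen(password));
    /* Require a terminator inside the scratch buffer before measuring. */
    char *nul = memchr(scratch, '\0', out_max);
    if (nul != NULL) {
        size_t need = (size_t)(nul - scratch) + 1;
        if (need <= dst_size) {
            memcpy(dst, scratch, need);
            rc = 0;
        }
    }
    free(scratch);
    return rc;
}

int main(void) {
    char buf[42];  /* same size as the pam_mysql.c buffer quoted above */
    printf("short: %d\n", scramble_bounded(demo_short_scramble, 42, buf, sizeof buf, "pw"));
    printf("long:  %d\n", scramble_bounded(demo_long_scramble, 61, buf, sizeof buf, "pw"));
    return 0;
}
```

With the 42-byte destination, the 41-character result is copied and the longer one is rejected instead of being written past the end of the array.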
[18 May 2017 8:36]
Norvald Ryeng
Hi Andreas, I see you also filed bug#86357 about this issue. Let's continue the discussion there.