Bug #80974 Export my_make_scrambled_password() in libmysqlclient
Submitted: 6 Apr 2016 10:36
Modified: 21 Apr 2016 18:03
Reporter: Norvald Ryeng
Status: Closed
Category: MySQL Server: C API (client library)
Severity: S3 (Non-critical)
Version: 5.7.11
OS: Any
Assigned to:
CPU Architecture: Any

[6 Apr 2016 10:36] Norvald Ryeng
Description:
MySQL 5.7 has restricted the list of exported symbols to the symbols in the public API. However, a small list of extra symbols has also been exported in order to provide backwards compatibility with applications that for legacy reasons use undocumented symbols.

This is a request to add one more symbol to the list of exported undocumented symbols: make_scrambled_password.

How to repeat:
Compile pure-ftpd with libmysqlclient.so.20.

Suggested fix:
There are two functions in the client library that provide the necessary functionality:

void my_make_scrambled_password(char *to, const char *password, size_t pass_len)

and

void make_scrambled_password(char *to, const char *password)

The latter is just a wrapper that calls the former with strlen(password) as the third parameter.

my_make_scrambled_password() is safer since it doesn't use strlen(), but make_scrambled_password is already declared in the client header files (mysql_com.h, included by mysql.h).

Both can be used out of the box by pure-ftpd. One of these symbols should be exported in 5.7 to give pure-ftpd time to rewrite the code to not use this function.
[21 Apr 2016 18:03] Paul DuBois
Posted by developer:
 
Noted in 5.7.13 changelog.

The make_scrambled_password() function in the C client library was
restricted earlier in MySQL 5.7 (not exported to client programs).
The function has once again been made visible to client programs.
[22 Apr 2016 10:30] Norvald Ryeng
Posted by developer:
 
Correction: The exported symbol is "my_make_scrambled_password", not "make_scrambled_password".
[22 Apr 2016 10:33] Norvald Ryeng
Posted by developer:
 
Pure-FTPd bug report: https://github.com/jedisct1/pure-ftpd/issues/37
[22 Apr 2016 13:52] Paul DuBois
Posted by developer:
 
Corrected changelog entry:

The my_make_scrambled_password() function in the C client library was
restricted earlier in MySQL 5.7 (not exported to client programs).
The function has once again been made visible to client programs.
[15 May 2017 14:50] Andreas Hasenack
I fear there is some confusion here given the functions have very similar names.

make_scrambled_password() is currently a wrapper to my_make_scrambled_password_sha1(), *not* my_make_scrambled_password(). Note the "_sha1" suffix!

In other words, current code has:
make_scrambled_password -> my_make_scrambled_password_sha1
my_make_scrambled_password -> something different

If you have code that uses make_scrambled_password(), replacing that with my_make_scrambled_password() will lead to buffer overflows.

For example, in pam_mysql.c:
                                /* PASSWORD */
                                case 2: {
                                        char buf[42];
...
                                        my_make_scrambled_password(buf, passwd, strlen(passwd));

That will overflow *buf.
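
The following is an added example, not code from this thread, from pam_mysql or from MySQL: a canary-arena check that measures how many bytes a scrambler with this signature writes, so a function swap can be compared against the 42-byte buffer in the excerpt before it ships. Both scramblers here are constructed stand-ins, and the 70-character output length is an assumption made for illustration; the thread does not state what my_make_scrambled_password() writes.

```c
#include <stdio.h>
#include <string.h>

#define CALLER_BUF 42   /* char buf[42] in the pam_mysql.c excerpt */
#define ARENA 512       /* scratch area, assumed larger than any output */
#define CANARY 0xA5     /* fill byte; scrambler output ends in NUL, never this */
typedef void (*scramble_fn)(char *to, const char *password, size_t pass_len);

/* Constructed stand-in: 41 characters plus NUL, exactly filling buf[42]. */
static void stub_scramble_41(char *to, const char *password, size_t pass_len)
{
    (void)password; (void)pass_len;
    to[0] = '*';
    memset(to + 1, 'A', 40);
    to[41] = '\0';
}

/* Constructed stand-in: a longer string; the length 70 is illustrative only. */
static void stub_scramble_long(char *to, const char *password, size_t pass_len)
{
    (void)password; (void)pass_len;
    memset(to, 'B', 70);
    to[70] = '\0';
}

/* Number of bytes fn wrote (including the NUL) into a canary-filled arena. */
static size_t bytes_written(scramble_fn fn, const char *password)
{
    unsigned char arena[ARENA];
    size_t n = ARENA;
    memset(arena, CANARY, sizeof arena);
    fn((char *)arena, password, strlen(password));
    while (n > 0 && arena[n - 1] == CANARY)
        n--;                       /* skip the untouched tail */
    return n;
}

/* 1 if the output fits the caller's buffer, 0 if the call would overflow it. */
static int fits_caller_buffer(scramble_fn fn, const char *password)
{
    return bytes_written(fn, password) <= CALLER_BUF;
}

int main(void)
{
    const char *pw = "constructed-sample"; /* constructed input */
    printf("41-char stub fits=%d, long stub fits=%d\n",
           fits_caller_buffer(stub_scramble_41, pw),
           fits_caller_buffer(stub_scramble_long, pw));
    return 0;
}
```

To check a real library function, pass it in place of a stub; a result equal to ARENA means the arena itself was too small and the measurement must be repeated with a larger one.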
[18 May 2017 8:36] Norvald Ryeng
Hi Andreas,

I see you also filed bug#86357 about this issue. Let's continue the discussion there.