GNU bug report logs - #27805
[PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788.

Previous Next

Package: guix-patches;

Reported by: Kei Kebreau <kei <at> openmailbox.org>

Date: Mon, 24 Jul 2017 18:33:01 UTC

Severity: normal

Tags: patch

Done: Kei Kebreau <kei <at> openmailbox.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Kei Kebreau <kei <at> openmailbox.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27805 <at> debbugs.gnu.org
Subject: [bug#27805] [PATCH] gnu: perl-dbd-mysql: Fix CVE-2017-10788.
Date: Mon, 24 Jul 2017 18:07:25 -0400

[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Mon, Jul 24, 2017 at 02:31:44PM -0400, Kei Kebreau wrote:
>> * gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it.
>> * gnu/packages/databases.scm (perl-dbd-mysql)[source]: Use it.
>
> Thanks!
>
>> diff --git
>> a/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
>> b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
>> new file mode 100644
>> index 000000000..344f2d803
>> --- /dev/null
>> +++ b/gnu/packages/patches/perl-dbd-mysql-CVE-2017-10788.patch
>> @@ -0,0 +1,51 @@
>> +From 9ce10cfae7138c37c3a0cb2ba2a1d682482943d0 Mon Sep 17 00:00:00 2001
>> +From: Pali <pali <at> cpan.org>
>> +Date: Sun, 25 Jun 2017 10:07:39 +0200
>> +Subject: [PATCH] Fix use-after-free after calling mysql_stmt_close()
>> +
>> +Ignore return value from mysql_stmt_close() and also its error message
>> +because it points to freed memory after mysql_stmt_close() was called.
>
> Can you add a link to the MITRE page for this CVE (and any other pages
> you think are relevant) and to the source of this patch?
>

Done! FYI, this patch is tentative (i.e. not merged upstream as of
yet). It seems to do the right thing, but I'm not quite sure, as I'm not
an experienced C programmer, nor am I a user of this package.

> Check 'gnu/packages/patches/wget-CVE-2017-6508.patch' for an example if
> you are unsure.
>
> There is also CVE-2017-10789. I'm not sure if there is a fix merged
> upstream yet:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10789

There was a fix that was merged and later reverted in the latest
version, 4.043.

How does the attached patch look?

[0001-gnu-perl-dbd-mysql-Fix-CVE-2017-10788.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 7 years and 359 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.