From f9abbc81ab5fd9d8160218d12cd3a20770a90aec Mon Sep 17 00:00:00 2001 From: Jitka Plesnikova Date: Mon, 4 Dec 2017 16:37:35 +0100 Subject: [PATCH] Fixed CVE-2017-10789 (bug #1467600) --- ...nection-attribute-mysql_ssl_optional.patch | 125 +++++++ ...se-handle-attribute-mysql_ssl_cipher.patch | 124 +++++++ ...be-all-SSL-related-attributes-in-POD.patch | 78 +++++ DBD-mysql-4.043-Enforce-SSL-encryption.patch | 324 ++++++++++++++++++ perl-DBD-MySQL.spec | 15 +- 5 files changed, 665 insertions(+), 1 deletion(-) create mode 100644 DBD-mysql-4.043-Add-new-connection-attribute-mysql_ssl_optional.patch create mode 100644 DBD-mysql-4.043-Add-new-database-handle-attribute-mysql_ssl_cipher.patch create mode 100644 DBD-mysql-4.043-Describe-all-SSL-related-attributes-in-POD.patch create mode 100644 DBD-mysql-4.043-Enforce-SSL-encryption.patch diff --git a/DBD-mysql-4.043-Add-new-connection-attribute-mysql_ssl_optional.patch b/DBD-mysql-4.043-Add-new-connection-attribute-mysql_ssl_optional.patch new file mode 100644 index 0000000..46d2641 --- /dev/null +++ b/DBD-mysql-4.043-Add-new-connection-attribute-mysql_ssl_optional.patch @@ -0,0 +1,125 @@ +diff --git a/MANIFEST b/MANIFEST +index 577b029..fba58e0 100644 +--- a/MANIFEST ++++ b/MANIFEST +@@ -70,6 +70,7 @@ t/88async-multi-stmts.t + t/89async-method-check.t + t/90no-async.t + t/91errcheck.t ++t/92ssl_optional.t + t/92ssl_backronym_vulnerability.t + t/92ssl_riddle_vulnerability.t + t/99_bug_server_prepare_blob_null.t +diff --git a/dbdimp.c b/dbdimp.c +index 7a71677..4c510ca 100644 +--- a/dbdimp.c ++++ b/dbdimp.c +@@ -1930,6 +1930,9 @@ MYSQL *mysql_dr_connect( + #endif + } + ++ if ((svp = hv_fetch(hv, "mysql_ssl_optional", 18, FALSE)) && *svp) ++ ssl_enforce = !SvTRUE(*svp); ++ + if ((svp = hv_fetch(hv, "mysql_ssl_client_key", 20, FALSE)) && *svp) + client_key = SvPV(*svp, lna); + +@@ -1959,7 +1962,9 @@ MYSQL *mysql_dr_connect( + + #ifdef HAVE_SSL_MODE + +- if (ssl_verify) ++ if (!ssl_enforce) ++ ssl_mode = SSL_MODE_PREFERRED; ++ else if (ssl_verify) + ssl_mode = SSL_MODE_VERIFY_IDENTITY; + else if (ca_file || ca_path) + ssl_mode = SSL_MODE_VERIFY_CA; +@@ -1972,6 +1977,7 @@ MYSQL *mysql_dr_connect( + + #else + ++ if (ssl_enforce) { + #if defined(HAVE_SSL_MODE_ONLY_REQUIRED) + ssl_mode = SSL_MODE_REQUIRED; + if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) { +@@ -1997,9 +2003,17 @@ MYSQL *mysql_dr_connect( + set_ssl_error(sock, "Enforcing SSL encryption is not supported"); + return NULL; + #endif ++ } ++ ++ #ifdef HAVE_SSL_VERIFY ++ if (!ssl_enforce && ssl_verify && ssl_verify_also_enforce_ssl()) { ++ set_ssl_error(sock, "mysql_ssl_optional=1 with mysql_ssl_verify_server_cert=1 is not supported"); ++ return NULL; ++ } ++ #endif + + if (ssl_verify) { +- if (!ssl_verify_usable() && ssl_verify_set) { ++ if (!ssl_verify_usable() && ssl_enforce && ssl_verify_set) { + set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is broken by current version of MySQL client"); + return NULL; + } +diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm +index 572c229..f49d408 100644 +--- a/lib/DBD/mysql.pm ++++ b/lib/DBD/mysql.pm +@@ -1223,6 +1223,22 @@ cipher in the list is supported, encrypted connections will not work. + mysql_ssl_cipher=AES128-SHA + mysql_ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA + ++=item mysql_ssl_optional ++ ++Setting C to true disables strict SSL enforcement ++and makes SSL connection optional. This option opens security hole ++for man-in-the-middle attacks. Default value is false which means ++that C set to true enforce SSL encryption. ++ ++This option was introduced in 4.043 version of DBD::mysql. Due to ++L and L ++vulnerabilities in libmysqlclient library, enforcement of SSL ++encryption was not possbile and therefore C ++was effectively set for all DBD::mysql versions prior to 4.043. ++Starting with 4.043, DBD::mysql with C could refuse ++connection to MySQL server if underlaying libmysqlclient library is ++vulnerable. Option C can be used to make SSL ++connection vulnerable. + + =item mysql_local_infile + +diff --git a/t/92ssl_optional.t b/t/92ssl_optional.t +new file mode 100644 +index 0000000..54790a3 +--- /dev/null ++++ b/t/92ssl_optional.t +@@ -0,0 +1,28 @@ ++use strict; ++use warnings; ++ ++use Test::More; ++use DBI; ++ ++use vars qw($test_dsn $test_user $test_password); ++use lib 't', '.'; ++require "lib.pl"; ++ ++my $dbh; ++eval {$dbh= DBI->connect($test_dsn, $test_user, $test_password, ++ { PrintError => 0, RaiseError => 1 });}; ++if (!$dbh) { ++ plan skip_all => "no database connection"; ++} ++ ++my $have_ssl = eval { $dbh->selectrow_hashref("SHOW VARIABLES WHERE Variable_name = 'have_ssl'") }; ++$dbh->disconnect(); ++plan skip_all => 'Server supports SSL connections, cannot test fallback to plain text' if $have_ssl and $have_ssl->{Value} eq 'YES'; ++ ++plan tests => 2; ++ ++$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 1, RaiseError => 0, mysql_ssl => 1, mysql_ssl_optional => 1 }); ++ok(defined $dbh, 'DBD::mysql supports mysql_ssl_optional=1 and connect via plain text protocol when SSL is not supported by server') or diag('Error code: ' . ($DBI::err || 'none') . "\n" . 'Error message: ' . ($DBI::errstr || 'unknown')); ++ ++$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 1, RaiseError => 0, mysql_ssl => 1, mysql_ssl_optional => 1, mysql_ssl_ca_file => "" }); ++ok(defined $dbh, 'DBD::mysql supports mysql_ssl_optional=1 and connect via plain text protocol when SSL is not supported by server even with mysql_ssl_ca_file') or diag('Error code: ' . ($DBI::err || 'none') . "\n" . 'Error message: ' . ($DBI::errstr || 'unknown')); diff --git a/DBD-mysql-4.043-Add-new-database-handle-attribute-mysql_ssl_cipher.patch b/DBD-mysql-4.043-Add-new-database-handle-attribute-mysql_ssl_cipher.patch new file mode 100644 index 0000000..36a9e07 --- /dev/null +++ b/DBD-mysql-4.043-Add-new-database-handle-attribute-mysql_ssl_cipher.patch @@ -0,0 +1,124 @@ +diff --git a/MANIFEST b/MANIFEST +index fba58e0..7d625f8 100644 +--- a/MANIFEST ++++ b/MANIFEST +@@ -70,6 +70,7 @@ t/88async-multi-stmts.t + t/89async-method-check.t + t/90no-async.t + t/91errcheck.t ++t/92ssl_connection.t + t/92ssl_optional.t + t/92ssl_backronym_vulnerability.t + t/92ssl_riddle_vulnerability.t +diff --git a/dbdimp.c b/dbdimp.c +index 4c510ca..608a433 100644 +--- a/dbdimp.c ++++ b/dbdimp.c +@@ -2785,6 +2785,14 @@ SV* dbd_db_FETCH_attrib(SV *dbh, imp_dbh_t *imp_dbh, SV *keysv) + result= serverinfo ? + sv_2mortal(newSVpvn(serverinfo, strlen(serverinfo))) : &PL_sv_undef; + } ++#if ((MYSQL_VERSION_ID >= 50023 && MYSQL_VERSION_ID < 50100) || MYSQL_VERSION_ID >= 50111) ++ else if (kl == 10 && strEQ(key, "ssl_cipher")) ++ { ++ const char* ssl_cipher = mysql_get_ssl_cipher(imp_dbh->pmysql); ++ result= ssl_cipher ? ++ sv_2mortal(newSVpvn(ssl_cipher, strlen(ssl_cipher))) : &PL_sv_undef; ++ } ++#endif + else if (kl == 13 && strEQ(key, "serverversion")) + result= sv_2mortal(my_ulonglong2str(aTHX_ mysql_get_server_version(imp_dbh->pmysql))); + else if (strEQ(key, "sock")) +diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm +index f49d408..26d8c53 100644 +--- a/lib/DBD/mysql.pm ++++ b/lib/DBD/mysql.pm +@@ -1437,18 +1437,19 @@ handles (read only): + + $errno = $dbh->{'mysql_errno'}; + $error = $dbh->{'mysql_error'}; +- $info = $dbh->{'mysql_hostinfo'}; ++ $hostinfo = $dbh->{'mysql_hostinfo'}; + $info = $dbh->{'mysql_info'}; + $insertid = $dbh->{'mysql_insertid'}; +- $info = $dbh->{'mysql_protoinfo'}; +- $info = $dbh->{'mysql_serverinfo'}; +- $info = $dbh->{'mysql_stat'}; +- $threadId = $dbh->{'mysql_thread_id'}; ++ $protoinfo = $dbh->{'mysql_protoinfo'}; ++ $serverinfo = $dbh->{'mysql_serverinfo'}; ++ $ssl_cipher = $dbh->{'mysql_ssl_cipher'}; ++ $stat = $dbh->{'mysql_stat'}; ++ $thread_id = $dbh->{'mysql_thread_id'}; + + These correspond to mysql_errno(), mysql_error(), mysql_get_host_info(), + mysql_info(), mysql_insert_id(), mysql_get_proto_info(), +-mysql_get_server_info(), mysql_stat() and mysql_thread_id(), +-respectively. ++mysql_get_server_info(), mysql_stat(), mysql_get_ssl_cipher() ++and mysql_thread_id() respectively. + + =over 2 + +@@ -1473,6 +1474,19 @@ against: + + 50200 + ++=item mysql_ssl_cipher ++ ++Returns the SSL encryption cipher used for the given connection to ++the server. In case SSL encryption was not enabled with C ++or was not established returns undef. ++ ++ my $ssl_cipher = $dbh->{mysql_ssl_cipher}; ++ if (defined $ssl_cipher) { ++ print "Connection with server is encrypted with cipher: $ssl_cipher\n"; ++ } else { ++ print "Connection with server is not encrypted\n"; ++ } ++ + =item mysql_dbd_stats + + $info_hashref = $dhb->{mysql_dbd_stats}; +diff --git a/t/92ssl_connection.t b/t/92ssl_connection.t +new file mode 100644 +index 0000000..9819b3b +--- /dev/null ++++ b/t/92ssl_connection.t +@@ -0,0 +1,36 @@ ++use strict; ++use warnings; ++ ++use Test::More; ++use DBI; ++ ++use vars qw($test_dsn $test_user $test_password); ++use lib 't', '.'; ++require "lib.pl"; ++ ++my $dbh; ++eval {$dbh= DBI->connect($test_dsn, $test_user, $test_password, ++ { PrintError => 0, RaiseError => 1 });}; ++if (!$dbh) { ++ plan skip_all => "no database connection"; ++} ++ ++my $have_ssl = eval { $dbh->selectrow_hashref("SHOW VARIABLES WHERE Variable_name = 'have_ssl'") }; ++$dbh->disconnect(); ++plan skip_all => 'Server does not support SSL connections' unless $have_ssl and $have_ssl->{Value} eq 'YES'; ++ ++plan tests => 4; ++ ++$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 0, RaiseError => 0, mysql_ssl => 1, mysql_ssl_optional => 1 }); ++ok(defined $dbh, 'DBD::mysql supports mysql_ssl=1 with mysql_ssl_optional=1 and connect to server') or diag('Error code: ' . ($DBI::err || 'none') . "\n" . 'Error message: ' . ($DBI::errstr || 'unknown')); ++ ++ok(defined $dbh && defined $dbh->{mysql_ssl_cipher}, 'SSL connection was established') and diag("mysql_ssl_cipher is: ". $dbh->{mysql_ssl_cipher}); ++ ++$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 0, RaiseError => 0, mysql_ssl => 1 }); ++if (defined $dbh) { ++ pass('DBD::mysql supports mysql_ssl=1 without mysql_ssl_optional=1 and connect to server'); ++ ok(defined $dbh->{mysql_ssl_cipher}, 'SSL connection was established'); ++} else { ++ is($DBI::errstr, 'SSL connection error: Enforcing SSL encryption is not supported', 'DBD::mysql supports mysql_ssl=1 without mysql_ssl_optional=1 and fail because cannot enforce SSL encryption') or diag('Error message: ' . ($DBI::errstr || 'unknown')); ++ is($DBI::err, 2026, 'DBD::mysql error code is SSL related') or diag('Error code: ' . ($DBI::err || 'unknown')); ++} diff --git a/DBD-mysql-4.043-Describe-all-SSL-related-attributes-in-POD.patch b/DBD-mysql-4.043-Describe-all-SSL-related-attributes-in-POD.patch new file mode 100644 index 0000000..685d16f --- /dev/null +++ b/DBD-mysql-4.043-Describe-all-SSL-related-attributes-in-POD.patch @@ -0,0 +1,78 @@ +diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm +index ec107a6..dc5eb06 100644 +--- a/lib/DBD/mysql.pm ++++ b/lib/DBD/mysql.pm +@@ -1162,7 +1162,10 @@ location for the socket than that built into the client. + A true value turns on the CLIENT_SSL flag when connecting to the MySQL + database: + +- mysql_ssl=1 ++When enabling SSL encryption you should set also other SSL options, ++at least mysql_ssl_ca_file or mysql_ssl_ca_path. ++ ++ mysql_ssl=1 mysql_ssl_verify_server_cert=1 mysql_ssl_ca_file=/path/to/ca_cert.pem + + This means that your communication with the server will be encrypted. + +@@ -1170,21 +1173,54 @@ Please note that this can only work if you enabled SSL when compiling + DBD::mysql; this is the default starting version 4.034. + See L for more details. + +-If you turn mysql_ssl on, you might also wish to use the following +-flags: ++=item mysql_ssl_ca_file ++ ++The path to a file in PEM format that contains a list of trusted SSL ++certificate authorities. ++ ++When set MySQL server certificate is checked that it is signed by some ++CA certificate in the list. Common Name value is not verified unless ++C is enabled. ++ ++=item mysql_ssl_ca_path ++ ++The path to a directory that contains trusted SSL certificate authority ++certificates in PEM format. ++ ++When set MySQL server certificate is checked that it is signed by some ++CA certificate in the list. Common Name value is not verified unless ++C is enabled. ++ ++Please note that this option is supported only if your MySQL client was ++compiled with OpenSSL library, and not with default yaSSL library. ++ ++=item mysql_ssl_verify_server_cert ++ ++Checks the server's Common Name value in the certificate that the server ++sends to the client. The client verifies that name against the host name ++the client uses for connecting to the server, and the connection fails if ++there is a mismatch. For encrypted connections, this option helps prevent ++man-in-the-middle attacks. ++ ++Verification of the host name is disabled by default. + + =item mysql_ssl_client_key + +-=item mysql_ssl_client_cert ++The name of the SSL key file in PEM format to use for establishing ++a secure connection. + +-=item mysql_ssl_ca_file ++=item mysql_ssl_client_cert + +-=item mysql_ssl_ca_path ++The name of the SSL certificate file in PEM format to use for ++establishing a secure connection. + + =item mysql_ssl_cipher + +-These are used to specify the respective parameters of a call +-to mysql_ssl_set, if mysql_ssl is turned on. ++A list of permissible ciphers to use for connection encryption. If no ++cipher in the list is supported, encrypted connections will not work. ++ ++ mysql_ssl_cipher=AES128-SHA ++ mysql_ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA + + + =item mysql_local_infile diff --git a/DBD-mysql-4.043-Enforce-SSL-encryption.patch b/DBD-mysql-4.043-Enforce-SSL-encryption.patch new file mode 100644 index 0000000..52db1d6 --- /dev/null +++ b/DBD-mysql-4.043-Enforce-SSL-encryption.patch @@ -0,0 +1,324 @@ +diff --git a/MANIFEST b/MANIFEST +index c4e16cc..577b029 100644 +--- a/MANIFEST ++++ b/MANIFEST +@@ -70,6 +70,8 @@ t/88async-multi-stmts.t + t/89async-method-check.t + t/90no-async.t + t/91errcheck.t ++t/92ssl_backronym_vulnerability.t ++t/92ssl_riddle_vulnerability.t + t/99_bug_server_prepare_blob_null.t + t/lib.pl + t/manifest.t +diff --git a/dbdimp.c b/dbdimp.c +index 97fa9c4..7a71677 100644 +--- a/dbdimp.c ++++ b/dbdimp.c +@@ -1506,6 +1506,12 @@ void do_warn(SV* h, int rc, char* what) + } \ + } + ++static void set_ssl_error(MYSQL *sock, const char *error) ++{ ++ sock->net.last_errno = CR_SSL_CONNECTION_ERROR; ++ strcpy(sock->net.sqlstate, "HY000"); ++ my_snprintf(sock->net.last_error, sizeof(sock->net.last_error)-1, "SSL connection error: %-.100s", error); ++} + + /*************************************************************************** + * +@@ -1898,28 +1904,32 @@ MYSQL *mysql_dr_connect( + } + #endif + ++ if ((svp = hv_fetch(hv, "mysql_ssl", 9, FALSE)) && *svp && SvTRUE(*svp)) ++ { + #if defined(DBD_MYSQL_WITH_SSL) && !defined(DBD_MYSQL_EMBEDDED) && \ + (defined(CLIENT_SSL) || (MYSQL_VERSION_ID >= 40000)) +- if ((svp = hv_fetch(hv, "mysql_ssl", 9, FALSE)) && *svp) +- { +- if (SvTRUE(*svp)) +- { + char *client_key = NULL; + char *client_cert = NULL; + char *ca_file = NULL; + char *ca_path = NULL; + char *cipher = NULL; + STRLEN lna; +-#if MYSQL_VERSION_ID >= SSL_VERIFY_VERSION && MYSQL_VERSION_ID <= SSL_LAST_VERIFY_VERSION +- /* +- New code to utilise MySQLs new feature that verifies that the +- server's hostname that the client connects to matches that of +- the certificate +- */ +- my_bool ssl_verify_true = 0; +- if ((svp = hv_fetch(hv, "mysql_ssl_verify_server_cert", 28, FALSE)) && *svp) +- ssl_verify_true = SvTRUE(*svp); +-#endif ++ unsigned int ssl_mode; ++ my_bool ssl_enforce = 1; ++ my_bool ssl_verify = 0; ++ my_bool ssl_verify_set = 0; ++ ++ /* Verify if the hostname we connect to matches the hostname in the certificate */ ++ if ((svp = hv_fetch(hv, "mysql_ssl_verify_server_cert", 28, FALSE)) && *svp) { ++ #if defined(HAVE_SSL_VERIFY) || defined(HAVE_SSL_MODE) ++ ssl_verify = SvTRUE(*svp); ++ ssl_verify_set = 1; ++ #else ++ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported"); ++ return NULL; ++ #endif ++ } ++ + if ((svp = hv_fetch(hv, "mysql_ssl_client_key", 20, FALSE)) && *svp) + client_key = SvPV(*svp, lna); + +@@ -1941,13 +1951,84 @@ MYSQL *mysql_dr_connect( + + mysql_ssl_set(sock, client_key, client_cert, ca_file, + ca_path, cipher); +-#if MYSQL_VERSION_ID >= SSL_VERIFY_VERSION && MYSQL_VERSION_ID <= SSL_LAST_VERIFY_VERSION +- mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &ssl_verify_true); +-#endif ++ ++ if (ssl_verify && !(ca_file || ca_path)) { ++ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported without mysql_ssl_ca_file or mysql_ssl_ca_path"); ++ return NULL; ++ } ++ ++ #ifdef HAVE_SSL_MODE ++ ++ if (ssl_verify) ++ ssl_mode = SSL_MODE_VERIFY_IDENTITY; ++ else if (ca_file || ca_path) ++ ssl_mode = SSL_MODE_VERIFY_CA; ++ else ++ ssl_mode = SSL_MODE_REQUIRED; ++ if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) { ++ set_ssl_error(sock, "Enforcing SSL encryption is not supported"); ++ return NULL; ++ } ++ ++ #else ++ ++ #if defined(HAVE_SSL_MODE_ONLY_REQUIRED) ++ ssl_mode = SSL_MODE_REQUIRED; ++ if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) { ++ set_ssl_error(sock, "Enforcing SSL encryption is not supported"); ++ return NULL; ++ } ++ #elif defined(HAVE_SSL_ENFORCE) ++ if (mysql_options(sock, MYSQL_OPT_SSL_ENFORCE, &ssl_enforce) != 0) { ++ set_ssl_error(sock, "Enforcing SSL encryption is not supported"); ++ return NULL; ++ } ++ #elif defined(HAVE_SSL_VERIFY) ++ if (!ssl_verify_also_enforce_ssl()) { ++ set_ssl_error(sock, "Enforcing SSL encryption is not supported"); ++ return NULL; ++ } ++ if (ssl_verify_set && !ssl_verify) { ++ set_ssl_error(sock, "Enforcing SSL encryption is not supported without mysql_ssl_verify_server_cert=1"); ++ return NULL; ++ } ++ ssl_verify = 1; ++ #else ++ set_ssl_error(sock, "Enforcing SSL encryption is not supported"); ++ return NULL; ++ #endif ++ ++ if (ssl_verify) { ++ if (!ssl_verify_usable() && ssl_verify_set) { ++ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is broken by current version of MySQL client"); ++ return NULL; ++ } ++ #ifdef HAVE_SSL_VERIFY ++ if (mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &ssl_verify) != 0) { ++ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported"); ++ return NULL; ++ } ++ #else ++ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported"); ++ return NULL; ++ #endif ++ } ++ ++ #endif ++ + client_flag |= CLIENT_SSL; ++#else ++ set_ssl_error(sock, "mysql_ssl=1 is not supported"); ++ return NULL; ++#endif + } +- } ++ else ++ { ++#ifdef HAVE_SSL_MODE ++ unsigned int ssl_mode = SSL_MODE_DISABLED; ++ mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode); + #endif ++ } + #if (MYSQL_VERSION_ID >= 32349) + /* + * MySQL 3.23.49 disables LOAD DATA LOCAL by default. Use +diff --git a/dbdimp.h b/dbdimp.h +index 545beda..8aed561 100644 +--- a/dbdimp.h ++++ b/dbdimp.h +@@ -48,8 +48,6 @@ + #define LIMIT_PLACEHOLDER_VERSION 50007 + #define GEO_DATATYPE_VERSION 50007 + #define NEW_DATATYPE_VERSION 50003 +-#define SSL_VERIFY_VERSION 50023 +-#define SSL_LAST_VERIFY_VERSION 50799 + #define MYSQL_VERSION_5_0 50001 + /* This is to avoid the ugly #ifdef mess in dbdimp.c */ + #if MYSQL_VERSION_ID < SQL_STATE_VERSION +@@ -79,6 +77,58 @@ + #define true 1 + #define false 0 + ++#if defined(MARIADB_BASE_VERSION) || defined(MARIADB_VERSION_ID) ++#define MARIADB_CLIENT ++#endif ++ ++/* ++ * Check which SSL settings are supported by API at compile time ++ */ ++ ++/* Use mysql_options with MYSQL_OPT_SSL_VERIFY_SERVER_CERT */ ++#if ((MYSQL_VERSION_ID >= 50023 && MYSQL_VERSION_ID < 50100) || MYSQL_VERSION_ID >= 50111) && (MYSQL_VERSION_ID < 80000 || defined(MARIADB_CLIENT)) ++#define HAVE_SSL_VERIFY ++#endif ++ ++/* Use mysql_options with MYSQL_OPT_SSL_ENFORCE */ ++#if !defined(MARIADB_CLIENT) && MYSQL_VERSION_ID >= 50703 && MYSQL_VERSION_ID < 80000 && MYSQL_VERSION_ID != 60000 ++#define HAVE_SSL_ENFORCE ++#endif ++ ++/* Use mysql_options with MYSQL_OPT_SSL_MODE */ ++#if !defined(MARIADB_CLIENT) && MYSQL_VERSION_ID >= 50711 && MYSQL_VERSION_ID != 60000 ++#define HAVE_SSL_MODE ++#endif ++ ++/* Use mysql_options with MYSQL_OPT_SSL_MODE, but only SSL_MODE_REQUIRED is supported */ ++#if !defined(MARIADB_CLIENT) && ((MYSQL_VERSION_ID >= 50636 && MYSQL_VERSION_ID < 50700) || (MYSQL_VERSION_ID >= 50555 && MYSQL_VERSION_ID < 50600)) ++#define HAVE_SSL_MODE_ONLY_REQUIRED ++#endif ++ ++/* ++ * Check which SSL settings are supported by API at runtime ++ */ ++ ++/* MYSQL_OPT_SSL_VERIFY_SERVER_CERT automatically enforce SSL mode */ ++PERL_STATIC_INLINE bool ssl_verify_also_enforce_ssl(void) { ++#ifdef MARIADB_CLIENT ++ my_ulonglong version = mysql_get_client_version(); ++ return ((version >= 50544 && version < 50600) || (version >= 100020 && version < 100100) || version >= 100106); ++#else ++ return false; ++#endif ++} ++ ++/* MYSQL_OPT_SSL_VERIFY_SERVER_CERT is not vulnerable (CVE-2016-2047) and can be used */ ++PERL_STATIC_INLINE bool ssl_verify_usable(void) { ++ my_ulonglong version = mysql_get_client_version(); ++#ifdef MARIADB_CLIENT ++ return ((version >= 50547 && version < 50600) || (version >= 100023 && version < 100100) || version >= 100110); ++#else ++ return ((version >= 50549 && version < 50600) || (version >= 50630 && version < 50700) || version >= 50712); ++#endif ++} ++ + /* + * The following are return codes passed in $h->err in case of + * errors by DBD::mysql. +diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm +index dc5eb06..572c229 100644 +--- a/lib/DBD/mysql.pm ++++ b/lib/DBD/mysql.pm +@@ -1160,7 +1160,8 @@ location for the socket than that built into the client. + =item mysql_ssl + + A true value turns on the CLIENT_SSL flag when connecting to the MySQL +-database: ++server and enforce SSL encryption. A false value (which is default) ++disable SSL encryption with the MySQL server. + + When enabling SSL encryption you should set also other SSL options, + at least mysql_ssl_ca_file or mysql_ssl_ca_path. +diff --git a/t/92ssl_backronym_vulnerability.t b/t/92ssl_backronym_vulnerability.t +new file mode 100644 +index 0000000..5237c6d +--- /dev/null ++++ b/t/92ssl_backronym_vulnerability.t +@@ -0,0 +1,30 @@ ++use strict; ++use warnings; ++ ++use Test::More; ++use DBI; ++ ++use vars qw($test_dsn $test_user $test_password); ++use lib 't', '.'; ++require "lib.pl"; ++ ++my $dbh; ++eval {$dbh= DBI->connect($test_dsn, $test_user, $test_password, ++ { PrintError => 0, RaiseError => 1 });}; ++if (!$dbh) { ++ plan skip_all => "no database connection"; ++} ++ ++my $have_ssl = eval { $dbh->selectrow_hashref("SHOW VARIABLES WHERE Variable_name = 'have_ssl'") }; ++$dbh->disconnect(); ++plan skip_all => 'Server supports SSL connections, cannot test false-positive enforcement' if $have_ssl and $have_ssl->{Value} eq 'YES'; ++ ++plan tests => 4; ++ ++$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 0, RaiseError => 0, mysql_ssl => 1 }); ++ok(!defined $dbh, 'DBD::mysql refused connection to non-SSL server with mysql_ssl=1 and correct user and password'); ++is($DBI::err, 2026, 'DBD::mysql error message is SSL related') or diag('Error message: ' . ($DBI::errstr || 'unknown')); ++ ++$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 0, RaiseError => 0, mysql_ssl => 1, mysql_ssl_verify_server_cert => 1, mysql_ssl_ca_file => "" }); ++ok(!defined $dbh, 'DBD::mysql refused connection to non-SSL server with mysql_ssl=1, mysql_ssl_verify_server_cert=1 and correct user and password'); ++is($DBI::err, 2026, 'DBD::mysql error message is SSL related') or diag('Error message: ' . ($DBI::errstr || 'unknown')); +diff --git a/t/92ssl_riddle_vulnerability.t b/t/92ssl_riddle_vulnerability.t +new file mode 100644 +index 0000000..2354a73 +--- /dev/null ++++ b/t/92ssl_riddle_vulnerability.t +@@ -0,0 +1,30 @@ ++use strict; ++use warnings; ++ ++use Test::More; ++use DBI; ++ ++use vars qw($test_dsn $test_user $test_password); ++use lib 't', '.'; ++require "lib.pl"; ++ ++my $dbh; ++eval {$dbh= DBI->connect($test_dsn, $test_user, $test_password, ++ { PrintError => 0, RaiseError => 1 });}; ++if (!$dbh) { ++ plan skip_all => "no database connection"; ++} ++ ++my $have_ssl = eval { $dbh->selectrow_hashref("SHOW VARIABLES WHERE Variable_name = 'have_ssl'") }; ++$dbh->disconnect(); ++plan skip_all => 'Server supports SSL connections, cannot test false-positive enforcement' if $have_ssl and $have_ssl->{Value} eq 'YES'; ++ ++plan tests => 4; ++ ++$dbh = DBI->connect($test_dsn, '4yZ73s9qeECdWi', '64heUGwAsVoNqo', { PrintError => 0, RaiseError => 0, mysql_ssl => 1 }); ++ok(!defined $dbh, 'DBD::mysql refused connection to non-SSL server with mysql_ssl=1 and incorrect user and password'); ++is($DBI::err, 2026, 'DBD::mysql error message is SSL related') or diag('Error message: ' . ($DBI::errstr || 'unknown')); ++ ++$dbh = DBI->connect($test_dsn, '4yZ73s9qeECdWi', '64heUGwAsVoNqo', { PrintError => 0, RaiseError => 0, mysql_ssl => 1, mysql_ssl_verify_server_cert => 1, mysql_ssl_ca_file => "" }); ++ok(!defined $dbh, 'DBD::mysql refused connection to non-SSL server with mysql_ssl=1, mysql_ssl_verify_server_cert=1 and incorrect user and password'); ++is($DBI::err, 2026, 'DBD::mysql error message is SSL related') or diag('Error message: ' . ($DBI::errstr || 'unknown')); diff --git a/perl-DBD-MySQL.spec b/perl-DBD-MySQL.spec index fbe8b22..336b42e 100644 --- a/perl-DBD-MySQL.spec +++ b/perl-DBD-MySQL.spec @@ -1,6 +1,6 @@ Name: perl-DBD-MySQL Version: 4.043 -Release: 5%{?dist} +Release: 6%{?dist} Summary: A MySQL interface for Perl Group: Development/Libraries License: GPL+ or Artistic @@ -10,6 +10,12 @@ Source0: http://www.cpan.org/authors/id/M/MI/MICHIELB/DBD-mysql-%{version Patch0: DBD-mysql-4.043-Fix-use-after-free-after-calling-mysql_stmt_close.patch.txt # Fix for new version of MariaDB 10.2 Patch1: DBD-mysql-4.043-Fix-build-failures-for-MariaDB-10.2.patch +# Fix for CVE-2017-10789 +# Backport https://github.com/perl5-dbi/DBD-mysql/pull/114 +Patch2: DBD-mysql-4.043-Describe-all-SSL-related-attributes-in-POD.patch +Patch3: DBD-mysql-4.043-Enforce-SSL-encryption.patch +Patch4: DBD-mysql-4.043-Add-new-connection-attribute-mysql_ssl_optional.patch +Patch5: DBD-mysql-4.043-Add-new-database-handle-attribute-mysql_ssl_cipher.patch BuildRequires: coreutils BuildRequires: findutils BuildRequires: mariadb-connector-c @@ -49,6 +55,10 @@ management system. %setup -q -n DBD-mysql-%{version} %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 # Correct file permissions find . -type f | xargs chmod -x @@ -76,6 +86,9 @@ find %{buildroot} -type f -name '*.bs' -empty -delete %{_mandir}/man3/*.3* %changelog +* Mon Dec 04 2017 Jitka Plesnikova - 4.043-6 +- Fixed CVE-2017-10789 (bug #1467600) + * Tue Sep 05 2017 Jitka Plesnikova - 4.043-5 - Replace mariadb/-devel by mariadb-connector-c/-devel