  MariaDB Server
  MDEV-8006

[FG-VD-15-029] MariaDB PCRE Handling Multiple Remote Denial of Service Vulnerabilities

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 10.0.17, 10.1.4
    • Fix Version/s: 10.0.18, 10.1.5
    • Component/s: OTHER
    • Labels:
      None
    • Environment:
      windows 7 x64

      Description

      The following information concerns findings by Fortinet's FortiGuard Labs. Two vulnerabilities have been identified in MariaDB.

      Proof of Concept/How to Reproduce:
      To reproduce the first issue, use the mysql client to connect to a remote MariaDB server (for example, "mysql -uroot -p") and run the following statement:

          SELECT REGEXP_SUBSTR('ABC','(?i)((?2){0,1999}?(())|A)*');


      To reproduce the second issue, run the following statement:

          SELECT REGEXP_SUBSTR('ABC','((?+1)()){222,}+');


      Each statement brings the MariaDB server down. Some screenshots are attached.

      Note: reproduction of these two issues may be unstable; sometimes you need to try many times.

      Analysis:
      The root cause of these issues lies in the underlying PCRE library. They have been reported to the PCRE developers and are fixed in the latest PCRE release, 8.37.
      http://bugs.exim.org/show_bug.cgi?id=1592
      http://bugs.exim.org/show_bug.cgi?id=1591
      http://vcs.pcre.org/viewvc/code/trunk/ChangeLog?view=markup

      Type of Vulnerability & Repercussions:
      Remote Denial of Service

      Affected Products:
      MariaDB 10.0.17
      Other versions may be affected too

      Testing Platforms:
      Windows 7 x64(en)

      Upcoming Advisory Reference:
      http://www.fortiguard.com/advisory/UpcomingAdvisories.html

      Credits:
      These vulnerabilities were discovered by Kai Lu of Fortinet's FortiGuard Labs.

              Activity

              secresearch added a comment -

              Is anyone tracking this issue?

              Daniel Black added a comment -

              Is anyone tracking this issue?

              It's a critical priority assigned to the next release.

              It also shouldn't be much effort to fix.

              According to the bug fixing policy https://mariadb.com/kb/en/mariadb/mariadb-bug-fixing-policy/ this is still a yellow threat level, as it requires an authenticated user. I'm not saying it's a perfect policy, but it certainly will be addressed. There are a number of other bugs in the same category.

              The next 10.0 and 10.1 releases aren't too far away (https://mariadb.atlassian.net/projects/MDEV?selectedItem=com.atlassian.jira.jira-projects-plugin:release-page) and the release team will make sure this is included along with any other high-importance bug fixes.

              Daniel Black added a comment -

              https://github.com/MariaDB/server/pull/60. Thanks for the test case, secresearch.

              Sergei Golubchik added a comment -

              I've merged pcre 8.37, but this only fixes packages where we build with bundled pcre. Normally we prefer to use system libraries, when possible. So for packages where we link with system pcre, this issue needs to be fixed by distributions. Hopefully it already is.

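One way to act on the bundled-versus-system distinction above, as an added example that is not MariaDB project code: a POSIX shell triage helper for Linux hosts that decides whether a server is still exposed, using only the version numbers stated in this issue (server fix in 10.0.18 / 10.1.5 via bundled pcre 8.37; upstream pcre fix in 8.37). It assumes that a build with bundled pcre links it statically, so no libpcre.so appears in `ldd mysqld` output, and that `pcretest -C` begins with a line of the form "PCRE version 8.36 2014-09-26". The ldd and pcretest lines in the usage comment are constructed samples, not captures from a real host.

```sh
#!/bin/sh
# Added triage helper for MDEV-8006; not MariaDB project code.
# Combines three facts to decide whether a host is still exposed:
#   1. the server version from SELECT VERSION()          (fix: 10.0.18 / 10.1.5, bundled pcre 8.37)
#   2. whether mysqld dynamically links a system libpcre  (from `ldd mysqld`)
#   3. the system pcre version from `pcretest -C`         (fix: pcre 8.37)
# Assumptions: a bundled-pcre build links pcre statically, so no libpcre.so shows up
# in ldd output; `pcretest -C` starts with a line like "PCRE version 8.36 2014-09-26".

# version_ge A B: succeed when dotted version A >= B, compared component-wise as integers.
version_ge() {
  a=$1; b=$2; i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 0      # ran out of components: equal
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
}

# mariadb_fixed VERSION: 0 if this 10.0/10.1 server carries the bundled-pcre fix,
# 1 if it is an affected release, 2 for a series this issue does not cover.
mariadb_fixed() {
  v=${1%%-*}                                   # "10.0.17-MariaDB" -> "10.0.17"
  case "$v" in
    10.0.*) version_ge "$v" 10.0.18 ;;
    10.1.*) version_ge "$v" 10.1.5 ;;
    *)      return 2 ;;
  esac
}

# pcre_linkage LDD_OUTPUT: prints "system" when mysqld links a libpcre shared object, else "bundled".
pcre_linkage() {
  case "$1" in
    *libpcre.so*) echo system ;;
    *)            echo bundled ;;
  esac
}

# pcre_fixed PCRETEST_OUTPUT: 0 if the reported PCRE version is >= 8.37, 1 if older, 2 if unparseable.
pcre_fixed() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^PCRE version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
  [ -n "$ver" ] || return 2
  version_ge "$ver" 8.37
}

# verdict SERVER_VERSION LDD_OUTPUT PCRETEST_OUTPUT: prints fixed | vulnerable | unknown.
# With system pcre the distribution's libpcre decides; with bundled pcre the server release decides.
verdict() {
  if [ "$(pcre_linkage "$2")" = system ]; then
    pcre_fixed "$3" && rc=0 || rc=$?
  else
    mariadb_fixed "$1" && rc=0 || rc=$?
  fi
  case $rc in
    0) echo fixed ;;
    1) echo vulnerable ;;
    *) echo unknown ;;
  esac
}

# Live use on a Linux host with a mysql client login, mysqld on PATH and pcretest installed:
#   verdict "$(mysql -N -e 'SELECT VERSION()')" "$(ldd "$(command -v mysqld)")" "$(pcretest -C)"
# Constructed sample input (not captured from a real host):
#   verdict '10.0.17-MariaDB' 'libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3' 'PCRE version 8.36 2014-09-26'
```

The split in `verdict` mirrors the comment above: once mysqld links a system libpcre, upgrading MariaDB alone does nothing for these two crashes, and the distribution's pcre package is what has to reach 8.37. A Windows package, which has no system pcre to link against, falls on the bundled path and is judged by the server release alone.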

                People

                • Assignee: Sergei Golubchik
                • Reporter: secresearch
