NO Security vulnerability in Percona Server / XtraDB Cluster provided binaries

PREVIOUS POST
NEXT POST

Many of you heard of this nasty security vulnerability in MySQL, and as we are getting a lot of inquiries how does it affect Percona Server, I decided to address it in this post.

  • The issue exists in the source code of MySQL 5.5.23 or earlier and MySQL 5.1.62 or earlier. The same is true for Percona Server, as we share the same code base.
  • However binaries provided by Percona do not have this problem, as in our build process we do not use sse-optimized glibc memcmp. This is true for any version of Percona and all tar.gz, RPM and DEB packages. Once again, if you use binary builds, provided by Percona from our official download area, or from our repositories, you are safe.
  • If you use your own or third-party binaries, we cannot guarantee that they built properly, and therefore, binaries based on versions 5.5.23 or earlier and 5.1.62 or earlier may be affected by this security vulnerability. You can test if it is, using, for example, the script from this post.
  • In any case, it is a good idea to use the latest 5.5 or 5.1 version, so you may consider to upgrade
PREVIOUS POST
NEXT POST

Comments

  1. says

    I think the title is a little confusing. For clarity, I think it should be:
    NO Security vulnerability in Percona Server / XtraDB Cluster provided binaries.

  2. GBA says

    Can you please clarify what versions you believe to be unaffected? I just tried this on my server running percona 5.5-20-55 on oneiric, installed from deb files, and got in:

    $ for i in `seq 1 1000`; do mysql -u root -pnotthepassword; done
    ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
    ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
    ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
    ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
    … …
    ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 7487309
    Server version: 5.5.20-55-log Percona Server (GPL), Release 24.1

    Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

    mysql>

  3. says

    Thanks Vadim,
    I don’t know if I expressed my question properly,
    is there a way to know if a mysql(or anything else) binary was built using “sse-optimized glibc memcmp” ?
    Thanks

  4. says

    It would be nice to have the configure command somewhere as in PHP:

    [root@caffeine ~]# php -i | grep “Configure Command”
    Configure Command => ‘./configure’ ‘–cache-file=../php-5.4.3.cache’ ‘–with-config-file-path=/etc’ ‘–with-config-file-scan-dir=/etc/php.d’ ‘–with-
    …………………………………………………………………………………………..
    enable-sockets’ ‘–enable-sysvmsg’ ‘–enable-sysvsem’ ‘–enable-sysvshm’ ‘–with-tidy’ ‘–enable-wddx’ ‘–enable-xml’ ‘–enable-xmlreader’ ‘–with-xmlrpc’ ‘–enable-xmlwriter’ ‘–with-xsl’ ‘–enable-zip’ ‘–with-pcre-dir’ ‘–with-pear’ ‘–enable-fpm’

  5. Nils says

    Vadim, I was just being facetious, from looking at the code I don’t think this is a compiler problem….

  6. says

    from a quick look at the disassembly for glibc, I believe it will at link time select the optimal implementation for the processor you’re running on.

  7. says

    @Claudio/others,,

    From what testing I did (may be others can confirm), if objdump -T -t `which mysqld` | grep memcmp returns something other than empty, then it is using glibc memcmp (it will show like ‘U memcmp’ in nm output meaning it is resolved at dynamic link-time by ld.so)

    You can also do (as root), LD_BIND_NOW=yes LD_DEBUG=full LD_DEBUG_OUTPUT=/tmp/mysqld.ld.out mysqld –user=mysql

    the file /tmp/mysqld.ld.out should output all the bindings done (LD_BIND_NOW is required to disable lazy loading otherwise you will need to login mysql -u root -pxxxx to test the loading) — including the one required for memcmp.

    The rationale behind objdump is that if gcc has made the code for memcmp builtin, then you will see repz cmpsb in place of memcmp.

    You can also do
    objdump -dS `which mysqld` | perl -lne ‘if(/:$/../^$/){ print $_; }’

    to disassemble the code and see if it is repz cmpsb (the assembly emitted by gcc) or ” callq 567d10 ” a call to glibc memcmp.

    Note: This only proves one-way, the existence of glibc memcmp doesn’t confirm the vulnerability, however, the absence of it and presence of assembly in its place should deny* the vuln.

    (* – deny according to this seclist post – http://seclists.org/oss-sec/2012/q2/493 , if it is vulnerable inspite of builtin code then that full disclosure stands invalid).

    If you want to build a vulnerable binary for testing you can also force gcc with -fno-builtin-memcmp in CFLAGS/CXXFLAGS.

Leave a Reply

Your email address will not be published. Required fields are marked *