
NO Security vulnerability in Percona Server / XtraDB Cluster provided binaries

June 11, 2012 | Posted In: MySQL, Percona Software, XtraDB Cluster


Many of you have heard of this nasty security vulnerability in MySQL, and as we are getting a lot of inquiries about how it affects Percona Server, I decided to address it in this post.

  • The issue exists in the source code of MySQL 5.5.23 or earlier and MySQL 5.1.62 or earlier. The same is true for Percona Server, as we share the same code base.
  • However, binaries provided by Percona do not have this problem, because our build process does not use the SSE-optimized glibc memcmp. This is true for any version of Percona and all tar.gz, RPM and DEB packages. Once again, if you use binary builds provided by Percona from our official download area or from our repositories, you are safe.
  • If you use your own or third-party binaries, we cannot guarantee that they were built properly, and therefore binaries based on versions 5.5.23 or earlier and 5.1.62 or earlier may be affected by this security vulnerability. You can test whether a binary is affected using, for example, the script from this post.
  • In any case, it is a good idea to use the latest 5.5 or 5.1 version, so you may want to consider upgrading.
Vadim Tkachenko



  • Can you please clarify what versions you believe to be unaffected? I just tried this on my server running percona 5.5-20-55 on oneiric, installed from deb files, and got in:

    $ for i in `seq 1 1000`; do mysql -u root -pnotthepassword; done
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    … …
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 7487309
    Server version: 5.5.20-55-log Percona Server (GPL), Release 24.1

    Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


  • Thanks Vadim,
    I don’t know if I expressed my question properly,
    is there a way to know if a mysql (or anything else) binary was built using “sse-optimized glibc memcmp”?

  • It would be nice to have the configure command somewhere as in PHP:

    [root@caffeine ~]# php -i | grep "Configure Command"
    Configure Command => './configure' '--cache-file=../php-5.4.3.cache' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--with-
    enable-sockets' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--with-tidy' '--enable-wddx' '--enable-xml' '--enable-xmlreader' '--with-xmlrpc' '--enable-xmlwriter' '--with-xsl' '--enable-zip' '--with-pcre-dir' '--with-pear' '--enable-fpm'

  • @Claudio/others,

    From what testing I did (maybe others can confirm), if objdump -T -t `which mysqld` | grep memcmp returns something other than empty, then it is using glibc memcmp (it will show like 'U memcmp' in nm output, meaning it is resolved at dynamic link-time by ld.so).

    You can also do (as root), LD_BIND_NOW=yes LD_DEBUG=full LD_DEBUG_OUTPUT=/tmp/mysqld.ld.out mysqld --user=mysql

    the file /tmp/mysqld.ld.out should output all the bindings done (LD_BIND_NOW is required to disable lazy loading otherwise you will need to login mysql -u root -pxxxx to test the loading) — including the one required for memcmp.

    The rationale behind objdump is that if gcc has made the code for memcmp builtin, then you will see repz cmpsb in place of memcmp.

    You can also do
    objdump -dS `which mysqld` | perl -lne 'if(/:$/../^$/){ print $_; }'

    to disassemble the code and see if it is repz cmpsb (the assembly emitted by gcc) or "callq 567d10", a call to glibc memcmp.

    Note: This only proves one-way, the existence of glibc memcmp doesn’t confirm the vulnerability, however, the absence of it and presence of assembly in its place should deny* the vuln.

    (* – deny according to this seclist post – http://seclists.org/oss-sec/2012/q2/493, if it is vulnerable in spite of builtin code then that full disclosure stands invalid).

    If you want to build a vulnerable binary for testing you can also force gcc with -fno-builtin-memcmp in CFLAGS/CXXFLAGS.
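
The objdump symbol check described in the comment above, written out as a script. This is an added example, not code from the post, its comments or Percona; the function names and the sample symbol lines (including `my_memcmp_helper`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a binary obtains memcmp from `objdump -T -t` output.

# Reads objdump symbol-table text on stdin and prints one word:
#   imported - memcmp is undefined (*UND*) in the binary, so ld.so binds it to glibc
#   defined  - a memcmp symbol lives inside the binary itself (e.g. static link)
#   absent   - no memcmp symbol, consistent with gcc having inlined the compare
classify_memcmp() {
    awk '
        { name = $NF; sub(/@.*/, "", name) }      # drop @GLIBC_x / @@GLIBC_x suffix
        name == "memcmp" { if (index($0, "*UND*")) und = 1; else def = 1 }
        END { print (und ? "imported" : (def ? "defined" : "absent")) }
    '
}

# Runs objdump on a real binary and explains the verdict.
check_binary() {
    command -v objdump >/dev/null 2>&1 || { echo "objdump not found" >&2; return 2; }
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # stderr is dropped: stripped binaries have no static symbol table for -t
    case $(objdump -T -t "$1" 2>/dev/null | classify_memcmp) in
        imported) echo "$1: memcmp resolved from glibc at load time; not proof of the bug, test or upgrade" ;;
        defined)  echo "$1: memcmp linked into the binary; check which implementation" ;;
        absent)   echo "$1: no memcmp symbol; consistent with inlined repz cmpsb" ;;
    esac
}

# Constructed sample lines in objdump -T layout (not taken from a real mysqld).
sample_imported() {
    printf '%s\n' \
        '0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 memcpy' \
        '0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 memcmp'
}
sample_absent() {
    printf '%s\n' \
        '0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 memcpy' \
        '00000000005f3a10 g    DF .text  0000000000000042  Base        my_memcmp_helper'
}

# Usage: sh check_memcmp.sh /usr/sbin/mysqld
if [ $# -gt 0 ]; then check_binary "$1"; fi
```

As the comment notes, an `imported` verdict only means the glibc routine is in use; it does not by itself confirm the vulnerability.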

  • GBA,

    Thank you for your report.
    We did further research, and there is the result.
