NO Security vulnerability in Percona Server / XtraDB Cluster provided binaries

Many of you have heard of the nasty security vulnerability in MySQL, and as we are getting a lot of inquiries about how it affects Percona Server, I decided to address it in this post.

  • The issue exists in the source code of MySQL 5.5.23 or earlier and MySQL 5.1.62 or earlier. The same is true for Percona Server, as we share the same code base.
  • However, binaries provided by Percona do not have this problem, because our build process does not use the SSE-optimized glibc memcmp. This is true for every version of Percona Server and for all tar.gz, RPM and DEB packages. Once again: if you use binary builds provided by Percona, from our official download area or from our repositories, you are safe.
  • If you use your own or third-party binaries, we cannot guarantee that they were built properly, and therefore binaries based on versions 5.5.23 or earlier and 5.1.62 or earlier may be affected by this security vulnerability. You can test whether yours is affected using, for example, the script from this post.
  • In any case, it is a good idea to use the latest 5.5 or 5.1 version, so you may want to consider upgrading.
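The post does not spell out the mechanism, so here it is for context: the MySQL bug was that the int returned by memcmp in the password hash check was stored in a one-byte my_bool, and an optimized memcmp may return a non-zero value (such as a multiple of 256) that truncates to 0 and reads as a match. The following C illustration is added here and is not Percona's or MySQL's code; wide_memcmp is a constructed stand-in for such a memcmp, and the function names are made up.

```c
#include <stddef.h>
#include <stdio.h>

typedef char my_bool;       /* one-byte boolean, like MySQL's my_bool */
#define SCRAMBLE_LENGTH 20

/* Constructed stand-in for an optimized memcmp. C only guarantees the sign
 * of memcmp's result, so returning the byte difference scaled by 256 is a
 * legal implementation, but the value no longer fits in a char. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i])
            return ((int)x[i] - (int)y[i]) * 256;
    return 0;
}

/* Vulnerable pattern: the int result is narrowed to a one-byte my_bool.
 * On common compilers a multiple of 256 truncates to 0, i.e. "equal". */
my_bool check_scramble_vulnerable(const unsigned char *expected,
                                  const unsigned char *received)
{
    return wide_memcmp(expected, received, SCRAMBLE_LENGTH);
}

/* Fixed pattern: test against zero while the result is still a full int. */
my_bool check_scramble_fixed(const unsigned char *expected,
                             const unsigned char *received)
{
    return wide_memcmp(expected, received, SCRAMBLE_LENGTH) != 0;
}

/* Returns 1 when a wrong scramble is accepted by the vulnerable check
 * (result 0) but rejected by the fixed one (result non-zero). */
int wrong_scramble_bypasses(void)
{
    unsigned char good[SCRAMBLE_LENGTH] = {0};
    unsigned char bad[SCRAMBLE_LENGTH] = {0};
    bad[0] = 1;   /* constructed wrong scramble: differs in one byte */
    return check_scramble_vulnerable(good, bad) == 0 &&
           check_scramble_fixed(good, bad) != 0;
}

int main(void)
{
    printf("wrong scramble bypasses vulnerable check: %d\n",
           wrong_scramble_bypasses());
    return 0;
}
```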


Comments (13)

  • Justin Swanhart

    I think the title is a little confusing. For clarity, I think it should be:
    NO Security vulnerability in Percona Server / XtraDB Cluster provided binaries.

    June 11, 2012 at 5:25 pm
  • Claudio Nanni

    how to check if a build was done using “sse-optimized glibc memcmp” ?

    June 11, 2012 at 11:06 pm
  • eRadical

    MariaDB 5.5.x binaries are, also, NOT affected by this bug.

    June 12, 2012 at 12:14 am
  • Nils

    So, what if I want SSE optimized memcmp?

    June 12, 2012 at 12:34 am
  • Vadim Tkachenko

    You can test your binary with the following script:
    for i in `seq 1 1000`; do mysql -u root --password=bad 2>/dev/null; done

    June 12, 2012 at 3:30 pm
  • Vadim Tkachenko

    You need to figure out how to properly compile binaries and force glibc to use the sse-optimized version.

    June 12, 2012 at 3:31 pm
  • GBA

    Can you please clarify what versions you believe to be unaffected? I just tried this on my server running percona 5.5-20-55 on oneiric, installed from deb files, and got in:

    $ for i in `seq 1 1000`; do mysql -u root -pnotthepassword; done
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    … …
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 7487309
    Server version: 5.5.20-55-log Percona Server (GPL), Release 24.1

    Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


    June 12, 2012 at 10:28 pm
  • Claudio Nanni

    Thanks Vadim,
    I don’t know if I expressed my question properly,
    is there a way to know if a mysql(or anything else) binary was built using “sse-optimized glibc memcmp” ?

    June 13, 2012 at 12:26 am
  • eRadical

    It would be nice to have the configure command somewhere as in PHP:

    [root@caffeine ~]# php -i | grep "Configure Command"
    Configure Command => './configure' '--cache-file=../php-5.4.3.cache' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--with-
    enable-sockets' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--with-tidy' '--enable-wddx' '--enable-xml' '--enable-xmlreader' '--with-xmlrpc' '--enable-xmlwriter' '--with-xsl' '--enable-zip' '--with-pcre-dir' '--with-pear' '--enable-fpm'

    June 13, 2012 at 12:36 am
  • Nils

    Vadim, I was just being facetious, from looking at the code I don’t think this is a compiler problem….

    June 13, 2012 at 1:28 am
  • Stewart Smith

    from a quick look at the disassembly for glibc, I believe it will at link time select the optimal implementation for the processor you’re running on.

    June 13, 2012 at 5:38 am
  • Raghavendra

    From what testing I did (maybe others can confirm), if objdump -T -t `which mysqld` | grep memcmp returns something other than empty, then it is using glibc memcmp (it will show like 'U memcmp' in nm output, meaning it is resolved at dynamic link-time by

    You can also do (as root): LD_BIND_NOW=yes LD_DEBUG=full LD_DEBUG_OUTPUT=/tmp/mysqld.ld.out mysqld --user=mysql

    The file /tmp/mysqld.ld.out should output all the bindings done (LD_BIND_NOW is required to disable lazy loading, otherwise you will need to log in with mysql -u root -pxxxx to test the loading), including the one required for memcmp.

    The rationale behind objdump is that if gcc has made the code for memcmp builtin, then you will see repz cmpsb in place of memcmp.

    You can also do
    objdump -dS `which mysqld` | perl -lne 'if(/:$/../^$/){ print $_; }'

    to disassemble the code and see if it is repz cmpsb (the assembly emitted by gcc) or "callq 567d10", a call to glibc memcmp.

    Note: This only proves one-way, the existence of glibc memcmp doesn’t confirm the vulnerability, however, the absence of it and presence of assembly in its place should deny* the vuln.

    (* – deny according to this seclist post – , if it is vulnerable inspite of builtin code then that full disclosure stands invalid).

    If you want to build a vulnerable binary for testing you can also force gcc with -fno-builtin-memcmp in CFLAGS/CXXFLAGS.

    June 14, 2012 at 9:55 pm
  • Vadim Tkachenko

    Thank you for your report.
    We made further research, and there is the result.

    June 19, 2012 at 2:23 pm
