
NO Security vulnerability in Percona Server / XtraDB Cluster provided binaries

June 11, 2012 | Posted In: MySQL, Percona Software, XtraDB Cluster


Many of you have heard of the nasty security vulnerability in MySQL, and since we are getting a lot of inquiries about how it affects Percona Server, I decided to address it in this post.

  • The issue exists in the source code of MySQL 5.5.23 or earlier and MySQL 5.1.62 or earlier. The same is true for Percona Server, as we share the same code base.
  • However, the binaries provided by Percona do not have this problem, because our build process does not use the SSE-optimized glibc memcmp. This is true for every Percona version and for all tar.gz, RPM and DEB packages. Once again: if you use the binary builds provided by Percona, from our official download area or from our repositories, you are safe.
  • If you use your own or third-party binaries, we cannot guarantee that they were built properly, so binaries based on versions 5.5.23 or earlier and 5.1.62 or earlier may be affected by this vulnerability. You can test whether they are using, for example, the script from this post.
  • In any case, it is a good idea to run the latest 5.5 or 5.1 version, so you may want to upgrade.
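The post names the SSE-optimized glibc memcmp as the cause but does not spell out why a choice of memcmp implementation turns into an authentication bypass. The following is an added C illustration, not Percona's or MySQL's code: the scramble check returned memcmp's int result through MySQL's one-byte my_bool, so any non-zero result that happens to be a multiple of 256 is narrowed to 0 and read as "hashes match". A byte-at-a-time memcmp (or the compiler-inlined one that Percona's builds get) can never produce such a value; an optimized implementation can. The sample hashes, the two memcmp variants and the `check_scramble_vulnerable` / `check_scramble_fixed` names are constructed for this demonstration, and `memcmp_wordwise` is a stand-in for an optimized memcmp, not a copy of glibc's.

```c
#include <stdio.h>

/* MySQL authentication compares 20-byte scramble hashes. */
#define HASH_SIZE 20

/* MySQL's my_bool of that era was a plain one-byte char. */
typedef char my_bool;

typedef int (*cmp_fn)(const void *, const void *, size_t);
typedef my_bool (*check_fn)(const unsigned char *reply,
                            const unsigned char *hash, cmp_fn cmp);

/* Constructed sample data (not real hashes). correct_reply matches the
   stored hash; wrong_reply_a differs in the high byte of the first 16-bit
   word, wrong_reply_b differs in the low byte of that word. */
#define TAIL 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, \
             0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13
static const unsigned char stored_hash[HASH_SIZE]   = { 0x5a, 0x01, TAIL };
static const unsigned char correct_reply[HASH_SIZE] = { 0x5a, 0x01, TAIL };
static const unsigned char wrong_reply_a[HASH_SIZE] = { 0x59, 0x01, TAIL };
static const unsigned char wrong_reply_b[HASH_SIZE] = { 0x5a, 0x02, TAIL };

/* Byte-at-a-time memcmp: the result is one byte difference, so it always
   lies in -255..255 and is never a non-zero multiple of 256. */
static int memcmp_bytewise(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i])
            return (int)x[i] - (int)y[i];
    return 0;
}

/* Simulated "optimized" memcmp: compares 16-bit words and reports the word
   difference. Still a valid memcmp (right sign, zero only on equality), but
   the non-zero result can be a multiple of 256. Stand-in for the optimized
   glibc memcmp named in the post, not a copy of it. */
static int memcmp_wordwise(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    size_t i = 0;
    for (; i + 2 <= n; i += 2) {
        int wx = (x[i] << 8) | x[i + 1];
        int wy = (y[i] << 8) | y[i + 1];
        if (wx != wy)
            return wx - wy;
    }
    for (; i < n; i++)
        if (x[i] != y[i])
            return (int)x[i] - (int)y[i];
    return 0;
}

/* Pre-fix pattern: memcmp's int result is returned through a one-byte
   my_bool, so everything but the low byte is silently dropped. A result of
   256 becomes 0, which the caller reads as "hashes match". */
static my_bool check_scramble_vulnerable(const unsigned char *reply,
                                         const unsigned char *hash, cmp_fn cmp)
{
    return cmp(hash, reply, HASH_SIZE);   /* implicit int -> char narrowing */
}

/* Fixed pattern: collapse the result to 0/1 before it is narrowed. */
static my_bool check_scramble_fixed(const unsigned char *reply,
                                    const unsigned char *hash, cmp_fn cmp)
{
    return cmp(hash, reply, HASH_SIZE) != 0;
}

/* 1 if the server would accept this reply (check returned 0), else 0. */
static int login_accepted(check_fn check, cmp_fn cmp, const unsigned char *reply)
{
    return check(reply, stored_hash, cmp) == 0;
}

int main(void)
{
    struct { const char *name; check_fn check; } checks[] = {
        { "vulnerable", check_scramble_vulnerable },
        { "fixed",      check_scramble_fixed } };
    struct { const char *name; cmp_fn cmp; } cmps[] = {
        { "bytewise memcmp", memcmp_bytewise },
        { "wordwise memcmp", memcmp_wordwise } };
    struct { const char *name; const unsigned char *reply; } replies[] = {
        { "correct reply", correct_reply },
        { "wrong reply a", wrong_reply_a },
        { "wrong reply b", wrong_reply_b } };

    /* Only the vulnerable check combined with the wide memcmp accepts a
       wrong reply, and only wrong_reply_a (difference 256), not wrong_reply_b
       (difference -1): the bypass depends on the input, so it shows up only
       some of the time. */
    for (size_t c = 0; c < 2; c++)
        for (size_t m = 0; m < 2; m++)
            for (size_t r = 0; r < 3; r++)
                printf("%-10s + %-15s + %s -> %s\n", checks[c].name,
                       cmps[m].name, replies[r].name,
                       login_accepted(checks[c].check, cmps[m].cmp, replies[r].reply)
                           ? "ACCEPTED" : "rejected");
    return 0;
}
```

Because the narrowing only misfires for some wrong replies, a vulnerable server accepts a bad password only occasionally; that is why the repeated-login loop shown in the comments, rather than a single attempt, is the practical black-box test, and why a build whose memcmp is a byte-wise comparison (as in the Percona binaries described above) never trips it.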
Vadim Tkachenko

Vadim Tkachenko co-founded Percona in 2006 and serves as its Chief Technology Officer. Vadim leads Percona Labs, which focuses on technology research and performance evaluations of Percona’s and third-party products. Percona Labs designs no-gimmick tests of hardware, filesystems, storage engines, and databases that surpass the standard performance and functionality scenario benchmarks. Vadim’s expertise in LAMP performance and multi-threaded programming help optimize MySQL and InnoDB internals to take full advantage of modern hardware. Oracle Corporation and its predecessors have incorporated Vadim’s source code patches into the mainstream MySQL and InnoDB products. He also co-authored the book High Performance MySQL: Optimization, Backups, and Replication 3rd Edition.

13 Comments

  • Can you please clarify what versions you believe to be unaffected? I just tried this on my server running percona 5.5-20-55 on oneiric, installed from deb files, and got in:

    $ for i in `seq 1 1000`; do mysql -u root -pnotthepassword; done
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    … …
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 7487309
    Server version: 5.5.20-55-log Percona Server (GPL), Release 24.1

    Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql>

  • Thanks Vadim,
    I don’t know if I expressed my question properly,
    is there a way to know if a mysql (or anything else) binary was built using "sse-optimized glibc memcmp"?
    Thanks

  • It would be nice to have the configure command somewhere as in PHP:

    [root@caffeine ~]# php -i | grep "Configure Command"
    Configure Command => './configure' '--cache-file=../php-5.4.3.cache' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--with-
    …………………………………………………………………………………………..
    enable-sockets' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--with-tidy' '--enable-wddx' '--enable-xml' '--enable-xmlreader' '--with-xmlrpc' '--enable-xmlwriter' '--with-xsl' '--enable-zip' '--with-pcre-dir' '--with-pear' '--enable-fpm'

  • @Claudio/others,

    From what testing I did (maybe others can confirm), if objdump -T -t `which mysqld` | grep memcmp returns something other than empty, then it is using glibc memcmp (it will show like 'U memcmp' in nm output, meaning it is resolved at dynamic link-time by ld.so).

    You can also do (as root), LD_BIND_NOW=yes LD_DEBUG=full LD_DEBUG_OUTPUT=/tmp/mysqld.ld.out mysqld --user=mysql

    the file /tmp/mysqld.ld.out should output all the bindings done (LD_BIND_NOW is required to disable lazy loading otherwise you will need to login mysql -u root -pxxxx to test the loading) — including the one required for memcmp.

    The rationale behind objdump is that if gcc has made the code for memcmp builtin, then you will see repz cmpsb in place of memcmp.

    You can also do
    objdump -dS `which mysqld` | perl -lne 'if(/:$/../^$/){ print $_; }'

    to disassemble the code and see if it is repz cmpsb (the assembly emitted by gcc) or " callq 567d10 ", a call to glibc memcmp.

    Note: This only proves one-way, the existence of glibc memcmp doesn’t confirm the vulnerability, however, the absence of it and presence of assembly in its place should deny* the vuln.

    (* – deny according to this seclist post – http://seclists.org/oss-sec/2012/q2/493 ; if it is vulnerable in spite of builtin code then that full disclosure stands invalid).

    If you want to build a vulnerable binary for testing you can also force gcc with -fno-builtin-memcmp in CFLAGS/CXXFLAGS.

  • GBA,

    Thank you for your report.
    We made further research, and there is the result.
    http://www.mysqlperformanceblog.com/2012/06/19/clarification-on-mysql-security-vulnerability/
