Commit graph

743 commits

Author SHA1 Message Date
Arun Kuruvila
f2f6025a44 Bug#26482173: TLS CIPHER NEGOTIATION INCORRECTLY MATCHES ON
LAST BYTE ONLY (YASSL)


Description:- TLS cipher negotiation happens incorrectly
leading to the use of a different

Analysis:- YaSSL based MySQL server will compare only the
last byte of each cipher sent in the Client Hello message.
This can cause TLS connections to fail, due to the server
picking a cipher which the client doesn't actually support.

Fix:- A fix for detecting cipher suites with non leading
zeros is included as YaSSL only supports cipher suites with
leading zeros.
2017-08-24 14:19:38 +05:30
Robert Golebiowski
99c0fdb5a8 Bug #24740291: YASSL UPDATE TO 2.4.2 2016-09-27 11:17:38 +02:00
Shishir Jaiswal
cb29741568 Bug#21977380 - POSSIBLE BUFFER OVERFLOW ISSUES
DESCRIPTION
===========
Buffer overflow is reported in a lot of code sections
spanning across server, client programs, Regex libraries
etc. If not handled appropriately, they can cause abnormal
behaviour.

ANALYSIS
========
The reported cases are the ones which are likely to result
in SEGFAULT, MEMORY LEAK etc.

FIX
===
- sprintf() has been replaced by my_snprintf() to avoid
buffer overflow.
- my_free() is done after checking if the pointer isn't
  NULL already and setting it to NULL thereafter at few
  places.
- Buffer is ensured to be large enough to hold the data.
- 'unsigned int' (aka 'uint') is replaced with 'size_t'
to avoid wraparound.
- Memory is freed (if not done so) after it's allocated and
used.
- Inserted assert() for size check in InnoDB memcached
code (from 5.6 onwards)
- Other minor changes
2016-05-16 13:46:49 +05:30
Yashwant Sahu
e7061f7e5a Bug #22738607: YASSL FUNCTION X509_NAME_GET_INDEX_BY_NID IS NOT WORKING AS EXPECTED. 2016-02-26 11:53:56 +05:30
V S Murthy Sidagam
8c65e082f3 Description: yaSSL was only handling the cases of zero or
one leading zeros for the key agreement instead of
potentially any number.
There is about 1 in 50,000 connections to fail
when using DHE cipher suites.  The second problem was the
case where a server would send a public value shorter than
the prime value, causing about 1 in 128 client connections
to fail, and also caused the yaSSL client to read off the
end of memory.
All client side DHE cipher suite users should update.
Note: The patch is received from YaSSL people
2016-01-04 15:31:45 +05:30
Robert Golebiowski
259cf3dc60 Updated yassl to yassl-2.3.8 2015-09-18 11:18:25 +02:00
Robert Golebiowski
0632dae73f Bug #21025377 CAN'T CONNECT TO SSL ENABLED SERVER FIRST 30 SEC AFTER
INITIAL STARTUP

Updated yassl to yassl-2.3.7e
2015-09-18 10:43:05 +02:00
Robert Golebiowski
7255ae6ceb Bug #20774956: THREAD_POOL.THREAD_POOL_CONNECT HANGS WHEN RUN ON A
YASSL-COMPILED SERVER/CLIENT

Description: thread_pool.thread_pool_connect hangs when the server and
client are compiled with yaSSL.

Bug-fix: Test thread_pool.thread_pool_connect was temporarily disabled for
yaSSL. However, now that yaSSL is fixed it runs OK. The bug was
introduced by one of the yaSSL updates. set_current was not working for
i == 0. Now this is fixed. YASSL is updated to 2.3.7d
2015-07-08 13:51:06 +02:00
Robert Golebiowski
e7ff2040d7 Bug #21025377 CAN'T CONNECT TO SSL ENABLED SERVER FIRST 30 SEC AFTER
INITIAL STARTUP

Description: By using mysql_ssl_rsa_setup to get SSL enabled server
(after running mysqld --initialize) the server doesn't answer properly
to "mysqladmin ping" first 30 secs after startup.

Bug-fix: YASSL validated certificate date to the minute but should have
to the second. This is why the ssl on the server side was not up right
away after new certs were created with mysql_ssl_rsa_setup. The fix for
that was submitted by Todd. YASSL was updated to 2.3.7c.
2015-07-08 12:21:51 +02:00
Robert Golebiowski
c9685a78c3 Bug #20168526 YASSL: CORRUPT SSL-KEY CRASHES CLIENT
Affects at least 5.6 and 5.7. In customer case, the "client" happened to
be a replication slave, therefore his server crashed.

Bug-fix:
The bug was in yassl. Todd Ouska has provided us with the patch.

(cherry picked from commit 42ffa91aad898b02f0793b669ffd04f5c178ce39)
2015-07-08 11:59:27 +02:00
Harin Vadodaria
3ce85548bd Bug#20201864 : UPGRADE TO YASSL 2.3.7
Upgrading YaSSL from 2.3.5 to 2.3.7

Reviewed-by : Kristofer Pettersson <kristofer.pettersson@oracle.com>
Reviewed-by : Vamsikrishna Bhagi <vamsikrishna.bhagi@oracle.com>
2014-12-30 16:15:03 +05:30
Arun Kuruvila
38e582aa19 Bug #16581605: REPLACE.EXE UTILITY IS BROKEN IN 5.5
Description:- Replace, the string replacement utility fails
on the windows platform.

Analysis:- The utility takes files and multiple string
pairs as input. In the windows platform, the utility maps
the standard input incorrectly (Considers 0 as the fd for
standard input instead of 2048 on windows). Hence when the
input file is supplied to the utility due to the incorrect
mapping, a bad file descriptor error is generated causing
the utility to exit with an error.

Fix:- "my_fileno()" is used for getting the correct file
descriptor for standard input.
2014-10-21 16:25:35 +05:30
Kristofer Pettersson
d6d45fa3d8 Bug#19695101 UPGRADE YASSL TO 2.3.5 2014-09-29 10:17:38 +02:00
Harin Vadodaria
6b1d25a3b3 Bug#19370676 : YASSL PRE-AUTH BUFFER OVERFLOW WHEN CLIENT
LIES ABOUT SUITE_LEN_
               and
Bug#19355577 : YASSL PRE-AUTH BUFFER OVERFLOW WHEN CLIENT
               LIES ABOUT COMP_LEN_

Description : Updating yaSSL to version 2.3.4.
2014-08-23 08:59:03 +05:30
Harin Vadodaria
a4d12749df Bug#17201924 and Bug#18178997 : YASSL:MISSING CLOSEDIR()
IN
                                SSL_CTX_LOAD_VERIFY_
                                LOCATIONS()
                                and
                                OFF-BY-ONE PROBLEM IN
                                VOID CERTDECODER::
                                GETDATE(DATETYPE DT)
                                IN ASN.CPP

Description : Fixes corner cases in yassl code.
              Refer to bug page for details.
2014-05-22 14:26:09 +05:30
Tor Didriksen
3e96ec0ef9 Backport from trunk:
Bug#18187290 ISSUE WITH BUILDING MYSQL USING CMAKE 2.8.12

We want to upgrade to VS2013 on Windows.
In order to do this, we need to upgrade to cmake 2.8.12
This has introduced some incompatibilities for .pdb files,
and "make install" no longer works.

To reproduce:
  cmake --build . --target package --config debug

The fix:
Rather than installing .pdb files for static libraries, we use the /Z7 flag
to store symbolic debugging information in the .obj files.
2014-05-07 17:09:14 +02:00
Murthy Narkedimilli
42bfa90874 Updated/added copyright header. Added line "use is subject to license terms"
to copyright header.
2014-02-17 18:19:04 +05:30
Anirudh Mangipudi
1747a45647 Bug#14211271 ISSUES WITH SSL ON DEBIAN WHEEZY I386 AND KFREEBSD-I386
Problem:
It was reported that on Debian and KFreeBSD platforms, i386 architecture 
machines certain SSL tests are failing. main.ssl_connect  rpl.rpl_heartbeat_ssl
rpl.rpl_ssl1 rpl.rpl_ssl main.ssl_cipher, main.func_encrypt were the tests that
were reportedly failing (crashing). The reason for the crashes is said to be
due to the assembly code of yaSSL.

Solution:
There was initially a workaround suggested i.e., to enable 
-DTAOCRYPT_DISABLE_X86ASM flag which would prevent the crash, but at an expense
 of 4X reduction of speed. Since this was unacceptable, the fix was the 
functions using assembly, now input variables from the function call using 
extended inline assembly on GCC instead of relying on direct assembly code.
2014-02-06 11:16:55 +05:30
Anirudh Mangipudi
14be195187 Bug#16715064 MYSQL COMMUNITY UTILITIES CANNOT CONNECT TO MYSQL ENTERPRISE
WITH SSL ENABLED
Problem:
It was reported that MySQL community utilities cannot connect to a MySQL
Enterprise 5.6.x server with SSL configured. We can reproduce the issue
when we try to connect an MySQL Enterprise Server with a MySQL Client with
--ssl-ca parameter enabled.
We get an ERROR 2026 (HY000): SSL connection error: unknown error number.

Solution:
The root cause of the problem was determined to be the difference in handling
of the certificates by OpenSSL(Enterprise) and yaSSL(Community). OpenSSL expects
a blank certificate to be sent when a parameter (ssl-ca, or ssl-cert or ssl-key)
has not been specified. On the other hand yaSSL doesn't send any certificate and
since OpenSSL does not expect this behaviour it returns an Unknown SSL error.
The issue was resolved by yaSSL adding capability to send blank certificate when
any of the parameter is missing.
2014-01-08 18:31:42 +05:30
Murthy Narkedimilli
496abd0814 Updated/added copyright headers 2014-01-06 10:52:35 +05:30
Sreedhar.S
faca34da04 Bug 13878021 - WINDOWS PACKAGE THAT INCLUDES .PDB FILES FOR INTERMEDIATE LIBRARIES USED 2013-10-09 11:10:46 +05:30
Jon Olav Hauglid
f6fe1a1a81 Merge from mysql-5.1 to mysql-5.5 2013-05-16 09:01:11 +02:00
Jon Olav Hauglid
f1341a1d88 Bug#16807394: PREVENT NEW ERROR MESSAGES FROM BEING ADDED TO 5.5
In order to keep error message numbers stable between GA releases, we
can not now add a new error message to 5.1/5.5 as this message would get 
a number now used in 5.6.

This patch enforces this by adding a 5.1/5.5 specific check when processing
the error message file. If a new error message is added, building will
abort and report an error.
2013-05-16 08:09:48 +02:00
Murthy Narkedimilli
e36dbbab02 Correcting the permissions of the executable files. 2013-03-20 17:50:15 +01:00
Murthy Narkedimilli
1e0ff949f5 Correcting the permissions of executable files. 2013-03-20 17:49:30 +01:00
Murthy Narkedimilli
d978016d93 Fix for Bug 16395495 - OLD FSF ADDRESS IN GPL HEADER 2013-03-19 15:53:48 +01:00
Murthy Narkedimilli
d20a70fb55 Bug 16395495 - OLD FSF ADDRESS IN GPL HEADER 2013-03-19 13:29:12 +01:00
Murthy Narkedimilli
69d8812a61 Updated/added copyright headers. 2013-02-25 15:26:00 +01:00
Murthy Narkedimilli
03295edb41 Updated/added copyright headers 2013-02-26 06:35:17 +01:00
Harin Vadodaria
d6fca3e346 Bug#16218104: MYSQL YASSL - LUCKY THIRTEEN: BREAKING THE
TLS AND DTLS RECORD PROTOCOLS

Description: Merge from 5.1.
2013-02-15 12:37:21 +05:30
Harin Vadodaria
c13f4a7111 Bug#16218104: MYSQL YASSL - LUCKY THIRTEEN: BREAKING THE
TLS AND DTLS RECORD PROTOCOLS

Description: In yassl, decryption phase in TLS protocol
             depends on type of padding. This patch
             removes this dependency and makes error
             generation/decryption process independent
             of padding type.
2013-02-15 12:35:54 +05:30
Harin Vadodaria
69689fa432 Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION
DOPROCESSREPLY()

Description: Function DoProcessReply() calls function
             decrypt_message() in a while loop without
             performing a check on available buffer
             space. This can cause buffer overflow and
             crash the server. This patch is fix provided
             by Sawtooth to resolve the issue.
2012-12-13 10:17:26 +05:30
Harin Vadodaria
b77d3b0ca5 Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION
DOPROCESSREPLY()

Description: Merge from 5.1 to 5.5
2012-12-13 10:19:14 +05:30
Harin Vadodaria
5e5bcd7487 Bug#15883127: PORT FIX FOR BUG #13904906 TO MYSQL 5.1
Description: Updated yassl to version 2.2.2
2012-11-21 19:12:20 +05:30
Venkata Sidagam
cd5a42085f Bug #13115401: -SSL-KEY VALUE IS NOT VALIDATED AND IT ALLOWS INSECURE
CONNECTIONS IF SPE

Merged from mysql-5.1 to mysql-5.5
2012-08-11 15:52:11 +05:30
Venkata Sidagam
40319e9b44 Bug #13115401: -SSL-KEY VALUE IS NOT VALIDATED AND IT ALLOWS INSECURE
CONNECTIONS IF SPE

Problem description: -ssl-key value is not validated, you can assign any bogus 
text to --ssl-key and it is not verified that it exists, and more importantly, 
it allows the client to connect to mysqld.

Fix: Added proper validations checks for --ssl-key.

Note:
1) Documentation changes required for 5.1, 5.5, 5.6 and trunk in the sections
   listed below and the details are :

 http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html#option_general_ssl
    and
 REQUIRE SSL section of
 http://dev.mysql.com/doc/refman/5.6/en/grant.html

2) Client having option '--ssl' should be able to get ssl connection. This
will be implemented as part of separate fix in 5.6 and trunk.
2012-08-11 15:43:04 +05:30
Nirbhay Choubey
fb697972b3 Merge of patch for Bug#13928675 from mysql-5.1. 2012-08-07 19:07:13 +05:30
Nirbhay Choubey
d4e4538b2d Bug#13928675 MYSQL CLIENT COPYRIGHT NOTICE MUST
SHOW 2012 INSTEAD OF 2011

* Added a new macro to hold the current year :
  COPYRIGHT_NOTICE_CURRENT_YEAR
* Modified ORACLE_WELCOME_COPYRIGHT_NOTICE macro
  to take the initial year as parameter and pick
  current year from the above mentioned macro.
2012-08-07 18:58:19 +05:30
Harin Vadodaria
7b343df289 Bug#14068244: INCOMPATIBILITY BETWEEN LIBMYSQLCLIENT/LIBMYSQLCLIENT_R
AND LIBCRYPTO

Description: Merge from 5.1 to 5.5
2012-08-07 16:27:40 +05:30
Harin Vadodaria
a9acf42bb0 Bug#14068244: INCOMPATIBILITY BETWEEN LIBMYSQLCLIENT/LIBMYSQLCLIENT_R
AND LIBCRYPTO

Problem: libmysqlclient_r exports symbols from yaSSL library which
         conflict with openSSL symbols. This issue is related to symbols
         used by CURL library and are defined in taocrypt. Taocrypt has
         dummy implementation of these functions. Due to this when a
         program which uses libcurl library functions is compiled using
         libmysqlclient_r and libcurl, it hits segmentation fault in
         execution phase.

Solution: MySQL should not be exporting such symbols. However, these
          functions are not used by MySQL code at all. So avoid compiling
          them in the first place.
2012-08-07 16:23:53 +05:30
Harin Vadodaria
d259fae7e4 Bug#13904906: YASSL PRE-AUTH CRASH WITH 5.1.62, 5.5.22
Problem: Valgrind reports errors when an invalid certificate is used on the
         client.

Solution: Updated yaSSL to version 2.2.2.
2012-07-24 18:45:58 +05:30
Georgi Kodinov
22e4b62e03 merge 5.1->5.5 2012-05-15 13:18:42 +03:00
Georgi Kodinov
e4e1901569 Bug #11761822: yassl rejects valid certificate which openssl accepts
Applied the fix that updates yaSSL to 2.2.1 and fixes parsing this 
particular certificate.
Added a test case with the certificate itself.
2012-05-15 13:12:22 +03:00
Joerg Bruehe
a9f3b2f570 Further upmerge the yaSSL upgrade (to 2.2.0) from MySQL 5.1 to 5.5.
Also, take a syntax fix (C++ style comment in C file) in client/mysqldump.c.
2012-03-02 13:23:52 +01:00
Joerg Bruehe
3aa13d8ca1 Upmerge the yaSSL upgrade (to 2.2.0) from MySQL 5.0 to 5.1. 2012-03-02 13:18:12 +01:00
Joerg Bruehe
01dca16d61 Further upgrade the yaSSL library to version 2.2.0
to pick up some new security fixes that are in it.

Patch provided by Georgi Kodinov.
2012-03-02 13:12:07 +01:00
Georgi Kodinov
5cfe937f24 merge mysql-5.1-security->mysql-5.5-security 2012-02-13 14:44:54 +02:00
Georgi Kodinov
0966b866b1 merge from 5.0-security 2012-02-13 13:40:12 +02:00
Georgi Kodinov
724af49cf0 Bug #13706828: UPGRADE YASSL FROM 1.7.2 TO 2.1.4
$SUBJ$
1. Took a diff between the previous base version and the
mysql sources.
2. Added the new 2.1.4 base version.
3. Reviewed and re-applied the diff from step #1.
2012-02-10 16:33:27 +02:00
Georgi Kodinov
0aca1f58fa Bug#13706621 : UNIFY THE YASSL VERSIONS THAT WE USE BY BACKPORTING 5.1
AND 5.5 YASSL FIXES.

Took the 5.5 yassl directory and moved it to the 5.1 tree, while
preserving the makefiles.
2012-02-10 11:35:36 +02:00