Large mysql requests broken after security update, null character inserted close to 16MB boundary

Hi jbruijn,
first of all thanks for your report and your help to make Ubuntu better.

I'm subscribing Nish who was driving the php update, but I think he might be subscribed to php anyway.

The one thing you really could help us with very likely would be some steps to reproduce.
So if you could (e.g. in a fresh VM) check what commands you need to set up a very trivial DB, containing a 16M field the way you have it and a very trivial php to fetch that showing the issue - that would be great.

We often try to create such ourselves, but more often than not some unexpected small differences make them not trigger the issue - so if you could provide such a few steps to reproduce that would certainly help a lot!

I just uploaded php7.0 - 7.0.16-0ubuntu0.16.04.1~ppa1 to https://launchpad.net/~nacc/+archive/ubuntu/php7testbuilds to see if maybe 7.0.16 fixed it (I do see a few MySQL changes). If not, we might need to report this upstream as a regression.

Getting a reproduction testcase (database example dump and script that reproduces the error), would be very helpful.

Thanks,
Nish

Thanks guys, I'll whip up a quick VM to see if I can make this easy to reproduce, and see what happens on the testbuild... I'll get back to you!

Okay, turns out this one is fairly easy to reproduce, using:

- Ubuntu 16.04
- MariaDB Server (not tested on mysql, but I expect similar results)
- php 7.0 (7.0.15)
- phpMyAdmin

Configuration:
MariaDB: max_allowed_packet = 128M
php: post_max_size and upload_max_filesize raised to 128M

Import the some SQL data, for instance: https://we.tl/vb37KISpUU.
This will build you a MyISAM table with 4 columns, 3x varchar(1) and 1 longblob. The table will have one big blob in it, with 32Mbyte worth of 0x20 (space)

Downloading the binary through phpMyAdmin on 7.0.15 will produce a file with a null-character inserted at (for my setup) 0xFFFFF6, the rest of the file is as expected.

I'll try to get the testbuild working next...

Unfortunately, 7.0.16 doesn't seem to fix the issue...

I have reported this upstream at https://bugs.php.net/bug.php?id=74179 as I'm also not seeing anything obvious (there are hanges to MySQL support between 7.0.8 and 7.0.15, but it's not obvious that any would lead to this particular issue.

I just uploaded the upstream regression fix referred to in the upstream bug as 7.0.15-0ubuntu0.16.04.3~ppa1 in the same PPA.

Presuming it does pass your tests, @jbruijn, I'll work with the security team to get this rolled out.

Thanks for your excellent and quick responses in this bug and helping make (keep :) Ubuntu great!

Updated the new 7.0.15 from the PPA, preliminary tests would suggest it's working just fine! My thanks to everyone at Ubuntu (especially Nish) and php for their support in squashing this bug!

This bug was fixed in the package php7.0 - 7.0.15-1ubuntu3

---------------
php7.0 (7.0.15-1ubuntu3) zesty; urgency=medium

  * debian/patches/fix_74021.patch: Fix fetch_array with more than
    MEDIUMBLOB. Thanks to andrewnester <email address hidden>.
    Closes LP: #1668017.

 -- Nishanth Aravamudan <email address hidden> Tue, 28 Feb 2017 13:22:45 -0800

I will release xenial and yakkety packages as a security update regression today or tomorrow.

Hello jbruijn, or anyone else affected,

Accepted php7.0 into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/php7.0/7.0.15-0ubuntu0.16.10.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello jbruijn, or anyone else affected,

Accepted php7.0 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/php7.0/7.0.15-0ubuntu0.16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Tested the proposed php7.0 (7.0.15-0ubuntu0.16.04.3) for Xenial, I can confirm it fixes the issue that was introduced by 7.0.15-0ubuntu0.16.04.2!

This was supposed to be released as a security update today, not an SRU.

This bug was fixed in the package php7.0 - 7.0.15-0ubuntu0.16.10.4

---------------
php7.0 (7.0.15-0ubuntu0.16.10.4) yakkety-security; urgency=medium

  * SECURITY REGRESSION: large mysql requests broken (LP: #1668017)
    - debian/patches/fix_74021.patch: fix fetch_array with more than
      MEDIUMBLOB in ext/mysqlnd/mysqlnd_wireprotocol.c, added tests to
      ext/mysqli/tests/bug73800.phpt, ext/mysqli/tests/bug74021.phpt.

 -- Marc Deslauriers <email address hidden> Wed, 01 Mar 2017 10:50:27 -0500

This bug was fixed in the package php7.0 - 7.0.15-0ubuntu0.16.04.4

---------------
php7.0 (7.0.15-0ubuntu0.16.04.4) xenial-security; urgency=medium

  * SECURITY REGRESSION: large mysql requests broken (LP: #1668017)
    - debian/patches/fix_74021.patch: fix fetch_array with more than
      MEDIUMBLOB in ext/mysqlnd/mysqlnd_wireprotocol.c, added tests to
      ext/mysqli/tests/bug73800.phpt, ext/mysqli/tests/bug74021.phpt.

 -- Marc Deslauriers <email address hidden> Wed, 01 Mar 2017 10:55:45 -0500