一、漏洞信息
漏洞编号：CVE-2023-6129
漏洞归属组件：mysql5
漏洞归属的版本：5.7.21,5.7.34,5.7.38,5.7.39,5.7.40,5.7.41,5.7.42,5.7.43,5.7.44
CVSS V3.0分值：
BaseScore：6.5 Medium
Vector：CVSS：3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
漏洞简述：
Issue summary: The POLY1305 MAC (message authentication code) implementationcontains a bug that might corrupt the internal state of applications runningon PowerPC CPU based platforms if the CPU provides vector instructions.Impact summary: If an attacker can influence whether the POLY1305 MACalgorithm is used, the application state might be corrupted with variousapplication dependent consequences.The POLY1305 MAC (message authentication code) implementation in OpenSSL forPowerPC CPUs restores the contents of vector registers in a different orderthan they are saved. Thus the contents of some of these vector registersare corrupted when returning to the caller. The vulnerable code is used onlyon newer PowerPC processors supporting the PowerISA 2.07 instructions.The consequences of this kind of internal application state corruption canbe various - from no consequences, if the calling application does notdepend on the contents of non-volatile XMM registers at all, to the worstconsequences, where the attacker could get complete control of the applicationprocess. However unless the compiler uses the vector registers for storingpointers, the most likely consequence, if any, would be an incorrect resultof some application dependent calculations or a crash leading to a denial ofservice.The POLY1305 MAC algorithm is most frequently used as part of theCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)algorithm. The most common usage of this AEAD cipher is with TLS protocolversions 1.2 and 1.3. If this cipher is enabled on the server a maliciousclient can influence whether this AEAD cipher is used. This implies thatTLS server applications using OpenSSL can be potentially impacted. Howeverwe are currently not aware of any concrete application that would be affectedby this issue therefore we consider this a Low severity security issue.
漏洞公开时间：2024-01-10 01:15:12
漏洞创建时间：2024-07-18 02:10:17
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2023-6129

漏洞分析指导链接：
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

二、漏洞分析结构反馈
影响性分析说明：

openEuler评分：
6.5
Vector：CVSS：3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
受影响版本排查(受影响/不受影响)：
1.master(5.7.43):
2.openEuler-20.03-LTS-SP1(5.7.44):
3.openEuler-20.03-LTS-SP4(5.7.44):
4.openEuler-22.03-LTS(5.7.38):
5.openEuler-22.03-LTS-Next(5.7.44):
6.openEuler-22.03-LTS-SP1(5.7.44):
7.openEuler-22.03-LTS-SP2(5.7.44):
8.openEuler-22.03-LTS-SP3(5.7.44):
9.openEuler-24.03-LTS(5.7.43):
10.openEuler-24.03-LTS-Next(5.7.43):
11.openEuler-22.03-LTS-SP4(5.7.44):

修复是否涉及abi变化(是/否)：
1.master(5.7.43):
2.openEuler-20.03-LTS-SP1(5.7.44):
3.openEuler-20.03-LTS-SP4(5.7.44):
4.openEuler-22.03-LTS(5.7.38):
5.openEuler-22.03-LTS-Next(5.7.44):
6.openEuler-22.03-LTS-SP1(5.7.44):
7.openEuler-22.03-LTS-SP2(5.7.44):
8.openEuler-22.03-LTS-SP3(5.7.44):
9.openEuler-24.03-LTS(5.7.43):
10.openEuler-24.03-LTS-Next(5.7.43):