Message-ID: <20080909222345.2e0cca22@redhat.com>
Date: Tue, 9 Sep 2008 22:23:45 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: Re: CVE request: MySQL incomplete fix for CVE-2008-2079

Hi!

While we are on MySQL, the following issue should probably get a CVE id
as well...

CVE id CVE-2008-2079 was assigned to a MySQL flaw that allowed attackers
to get access to tables created by other database users in the
future.

Devin Carraway of Debian noticed that the upstream fix can be defeated
by local users via directory symlinks:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25

The patch used in DSA-1608-1 differed from the upstream fix by the
addition of a realpath call to expand all symlinks in the path specified
in the DATA / INDEX DIRECTORY directives:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#42

This is also possible to defeat, as described by Devin in the upstream
bug report related to the original issue:

  http://bugs.mysql.com/bug.php?id=32167
  comment dated "[18 Jul 9:43]"

Upstream addressed the problem by doing the check at open time, not
only at creation time, and the fix is mentioned in the 5.0.70 (and
possibly other) release notes (using the original CVE id):

  http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-70.html

-- 
Tomas Hoger / Red Hat Security Response Team
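The sequence the message describes (a creation-time path check, even one
that expands symlinks with realpath, defeated by repointing the symlink
after the table exists, and fixed by repeating the check when the table
is opened) played out in a scratch directory. This is an added
illustration, not part of the original message and not MySQL's or
Debian's code: the directory layout, the Table class, and the function
names are constructed for the example, and the policy modelled is
simply "DATA DIRECTORY must not expand to a location under the server
datadir".

```python
import os
import tempfile


def path_inside(path, root):
    """True if the fully symlink-expanded `path` lies under directory `root`.
    The trailing separator stops "/data/dbx" matching root "/data/db"."""
    real = os.path.realpath(path)
    root = os.path.realpath(root)
    return real == root or real.startswith(root + os.sep)


def check_data_directory(data_dir, server_datadir):
    """Policy modelled after the realpath-based creation-time check: a
    DATA DIRECTORY that currently expands to somewhere under the server
    datadir is refused. (Assumed policy, constructed for this example.)"""
    return not path_inside(data_dir, server_datadir)


class Table:
    """Toy table: remembers the DATA DIRECTORY string given at CREATE time.
    The server has to follow that path (the symlink, not its expansion)
    every time it touches the table's files."""

    def __init__(self, name, data_dir):
        self.name = name
        self.data_dir = data_dir


def create_table(name, data_dir, server_datadir):
    """Both the vulnerable and the fixed server check once at creation."""
    if not check_data_directory(data_dir, server_datadir):
        raise PermissionError("DATA DIRECTORY inside server datadir refused")
    return Table(name, data_dir)


def open_table_creation_check_only(table, server_datadir):
    """Vulnerable behaviour: trusts the creation-time check and follows
    the link wherever it points now. Returns the directory actually used.
    `server_datadir` is unused on purpose: no check happens here."""
    return os.path.realpath(table.data_dir)


def open_table_checked_at_open(table, server_datadir):
    """Fixed behaviour: repeat the policy check on every open."""
    if not check_data_directory(table.data_dir, server_datadir):
        raise PermissionError("DATA DIRECTORY now expands inside server datadir")
    return os.path.realpath(table.data_dir)


def demo():
    """Constructed layout inside a temporary directory:
         datadir/victimdb   another user's database directory
         outside/           harmless directory the attacker controls
         link -> outside    the symlink named as DATA DIRECTORY at CREATE"""
    with tempfile.TemporaryDirectory() as top:
        datadir = os.path.join(top, "datadir")
        victim = os.path.join(datadir, "victimdb")
        outside = os.path.join(top, "outside")
        link = os.path.join(top, "link")
        os.makedirs(victim)
        os.makedirs(outside)
        os.symlink(outside, link)

        # 1. CREATE passes: the link currently expands to a directory
        #    outside the server datadir, so realpath does not help here.
        table = create_table("t1", link, datadir)

        # 2. Local attacker repoints the symlink into another database's dir.
        os.unlink(link)
        os.symlink(victim, link)

        # 3a. Server that checked only at creation now works inside victimdb.
        used_dir = open_table_creation_check_only(table, datadir)
        escaped = path_inside(used_dir, datadir)

        # 3b. Server that re-checks at open time refuses the table.
        try:
            open_table_checked_at_open(table, datadir)
            refused = False
        except PermissionError:
            refused = True

        return {
            "creation_check_passed": True,
            "vulnerable_open_escaped": escaped,
            "fixed_open_refused": refused,
        }


if __name__ == "__main__":
    print(demo())
```

Note that even the open-time variant still calls realpath and then opens
the files as two separate steps, so a narrow window remains in which the
link can be swapped between the check and the open; a server that wants
to close that window has to validate what it actually opened (for
example via fstat on the descriptor) rather than the path string.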
