[<prev] [next>] [thread-next>] [month] [year] [list]
Date: Wed, 11 Nov 2009 12:48:44 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: coley <coley@...re.org>, serg@...ql.com
Subject: CVE assignment and second opinion needed
Hi Steve,
So this one is a bit tricky.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555626
There are almost two flaws here, certainly one. The issue really boils down to
if /var/lib/mysql is world readable, it's possible for a local user who also
has database access, and can guess a future database table name, could ensure
that table will be a world writable file. That's an impressive runon sentence.
So The question I have with respect to CVE assignment, is which part of this
is worth of the ID. I'm thinking the directory permissions are possibly an
issue, but by itself, isn't really a security flaw.
The CREATE TABLE not fixing permissions if the file already exists is probably
closer to the real problem. Being able to do a select into an outfile anywhere
by default may also be an issue.
I'm CCing Sergei Golubchik from MySQL who reported this to the packagers list
so he can weigh in if I'm wrong (which is very possible).
Also, Sergei, do you folks have a fix for this yet? I'm curious to see what
you're fixing, which may help decide CVE assignment.
Thanks.
--
JB
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Powered by Openwall GNU/*/Linux -
Powered by OpenVZ