Message-ID: <20121202192522.GA26118@meddwl>
Date: Sun, 2 Dec 2012 20:25:22 +0100
From: Sergei Golubchik <serg@...monty.org>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>,
    king cope <isowarez.isowarez.isowarez@...glemail.com>,
    full-disclosure@...ts.grok.org.uk,
    bugtraq@...urityfocus.com,
    todd@...ketstormsecurity.org,
    submit@...sec.com,
    Mitre CVE assign department <cve-assign@...re.org>,
    Steven Christey <coley@...re.org>,
    security@...iadb.org,
    security@...ql.com,
    Ritwik Ghoshal <ritwik.ghoshal@...cle.com>,
    moderators@...db.org
Subject: Re: Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday

Hi, Huzaifa!

Here's the vendor's reply:

On Dec 02, Huzaifa Sidhpurwala wrote:
>
> * CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
> http://seclists.org/fulldisclosure/2012/Dec/4
> https://bugzilla.redhat.com/show_bug.cgi?id=882599

A duplicate of CVE-2012-5579.
Already fixed in all stable MariaDB versions.

> * CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday
> http://seclists.org/fulldisclosure/2012/Dec/5
> https://bugzilla.redhat.com/show_bug.cgi?id=882600

Acknowledged.
https://mariadb.atlassian.net/browse/MDEV-3908

> * CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday
> Exploit
> http://seclists.org/fulldisclosure/2012/Dec/6
> https://bugzilla.redhat.com/show_bug.cgi?id=882606

Not a bug. The MySQL manual specifies many times, very explicitly:

===
* Do not grant the `FILE' privilege to nonadministrative users. Any user
  that has this privilege can write a file anywhere in the file system
  with the privileges of the *Note `mysqld': mysqld. daemon. To make this
  a bit safer, files generated with *Note `SELECT ... INTO OUTFILE':
  select. do not overwrite existing files and are writable by everyone.
  The `FILE' privilege may also be used to read any file that is
  world-readable or accessible to the Unix user that the server runs as.
  With this privilege, you can read any file into a database table. This
  could be abused, for example, by using *Note `LOAD DATA': load-data. to
  load `/etc/passwd' into a table, which then can be displayed with
  *Note `SELECT': select.
===

You should exercise particular caution in granting the `FILE' and
administrative privileges:

* The `FILE' privilege can be abused to read into a database table any
  files that the MySQL server can read on the server host. This includes
  all world-readable files and files in the server's data directory. The
  table can then be accessed using *Note `SELECT': select. to transfer
  its contents to the client host.
===

Additionally, MySQL (and MariaDB) provides a --secure-file-priv option
that allows restricting all FILE operations to a specific directory.

Thus, CVE-2012-5613 is not a bug, but a result of a misconfiguration,
much like anonymous ftp upload access to the $HOME of the ftp user.

> * CVE-2012-5614 MySQL Denial of Service Zeroday PoC
> http://seclists.org/fulldisclosure/2012/Dec/7
> https://bugzilla.redhat.com/show_bug.cgi?id=882607

Acknowledged.
https://mariadb.atlassian.net/browse/MDEV-3910

> * CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday
> http://seclists.org/fulldisclosure/2012/Dec/9
> https://bugzilla.redhat.com/show_bug.cgi?id=882608

This is hardly a "zeroday" issue, it was known for, like, ten years.
But I'll see what we can do here.
https://mariadb.atlassian.net/browse/MDEV-3909

Regards,
Sergei
MariaDB Security Coordinator
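The audit and hardening steps that follow from the FILE privilege / --secure-file-priv discussion in Sergei's reply, as an added example that is not part of his message or of the MySQL manual; the account 'app'@'localhost' and the directory /var/lib/mysql-files are assumed values.

```sql
-- 1. Audit: list every account that holds the global FILE privilege.
--    Only administrative accounts should appear here.
SELECT User, Host
FROM mysql.user
WHERE File_priv = 'Y';

-- 2. Check whether FILE operations are confined to a directory.
--    An empty value means LOAD DATA / SELECT ... INTO OUTFILE / LOAD_FILE()
--    may touch any path the mysqld OS user can reach.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. Remediate a non-administrative account that was granted FILE
--    (hypothetical account name).
REVOKE FILE ON *.* FROM 'app'@'localhost';
FLUSH PRIVILEGES;

-- 4. secure_file_priv is read-only at runtime; set it in my.cnf under
--    [mysqld] and restart the server (assumed directory):
--
--      [mysqld]
--      secure_file_priv = /var/lib/mysql-files
--
--    After the restart, step 2 should report that directory instead of
--    an empty string.
```

Steps 1 and 2 are safe to run on any server and are the two checks that decide whether the CVE-2012-5613 scenario applies to a given deployment.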