Date: Tue, 9 Sep 2008 22:23:45 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: Re: CVE request: MySQL incomplete fix for CVE-2008-2079

Hi!

While we are on MySQL, the following issue should probably get a CVE id as well...

CVE id CVE-2008-2079 was assigned to a MySQL flaw that allowed attackers to get access to the tables created by other database users in the future.

Devin Carraway of Debian noticed that the upstream fix can be defeated by local users via directory symlinks:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25

The patch used in DSA-1608-1 differed from the upstream fix by the addition of a realpath call to expand all symlinks in the path specified in DATA / INDEX DIRECTORY directives:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#42

Which is also possible to defeat, as described by Devin in the upstream bug report related to the original issue:

http://bugs.mysql.com/bug.php?id=32167
comment dated "[18 Jul 9:43]"

Upstream addressed the problem by doing the check at open time, not only at creation time, and the fix is mentioned in the 5.0.70 (and possibly other) release notes (using the original CVE id):

http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-70.html

--
Tomas Hoger / Red Hat Security Response Team
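Added example, not part of the original message and not MySQL or Debian code: a sketch of why a realpath-based check has to be repeated at open time. It assumes the rule being enforced is that a DATA / INDEX DIRECTORY path must not resolve into the server's data directory; resolves_inside(), demo() and the temporary paths are hypothetical names constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: 1 if `path`, with all symlinks expanded, lies inside
 * `datadir`; 0 if it lies outside; -1 if either path cannot be resolved. */
int resolves_inside(const char *datadir, const char *path)
{
    char dd[PATH_MAX], p[PATH_MAX];
    if (!realpath(datadir, dd) || !realpath(path, p))
        return -1;
    size_t n = strlen(dd);
    /* compare whole components so "/data2" is not taken for "/data/..." */
    return strncmp(dd, p, n) == 0 && (p[n] == '/' || p[n] == '\0');
}

/* Constructed scenario in a fresh temp directory: run the same check when the
 * directory is first named ("creation") and again later ("open"), after the
 * path has been replaced by a symlink into the data directory. */
int demo(int *at_create, int *at_open)
{
    char base[] = "/tmp/symchk.XXXXXX", datadir[PATH_MAX], ext[PATH_MAX];
    if (!mkdtemp(base))
        return -1;
    snprintf(datadir, sizeof datadir, "%s/datadir", base);
    snprintf(ext, sizeof ext, "%s/ext", base);
    if (mkdir(datadir, 0700) || mkdir(ext, 0700))
        return -1;
    *at_create = resolves_inside(datadir, ext);  /* real directory: outside */
    if (rmdir(ext) || symlink(datadir, ext))     /* path changes afterwards */
        return -1;
    *at_open = resolves_inside(datadir, ext);    /* now resolves inside */
    unlink(ext); rmdir(datadir); rmdir(base);    /* clean up */
    return 0;
}

int main(void)
{
    int c, o;
    if (demo(&c, &o) != 0)
        return 1;
    printf("inside datadir at creation: %d, at open: %d\n", c, o);
    return 0;
}
```

A check that is followed by a separate open() still leaves a window between the two calls, so the result is only as good as the permissions on the directories being resolved.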