Date: Tue, 9 Sep 2008 22:23:45 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: Re: CVE request: MySQL incomplete fix for CVE-2008-2079

Hi!

While we are on MySQL, the following issue should probably get a CVE id
as well...

CVE id CVE-2008-2079 was assigned to a MySQL flaw that allowed attackers
to get access to the tables created by other database users in the
future.

Devin Carraway of Debian noticed that the upstream fix can be defeated
by local users via directory symlinks:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25

The patch used in DSA-1608-1 differed from the upstream fix by the addition
of a realpath call to expand all symlinks in the path specified in DATA /
INDEX DIRECTORY directives:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#42

Which is also possible to defeat, as described by Devin in the upstream
bug report related to the original issue:

http://bugs.mysql.com/bug.php?id=32167
comment dated with "[18 Jul 9:43]"

Upstream addressed the problem by doing the check at open time, not
only at creation time, and the fix is mentioned in the 5.0.70 (and
possibly other) release notes (using the original CVE id):

http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-70.html

--
Tomas Hoger / Red Hat Security Response Team
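
The difference between a creation-time and an open-time path check, as an added C sketch that is not part of the original message and is not MySQL's or Debian's code. The function names `check_at_create`, `open_checked` and `scenario`, and the temp-directory layout, are assumptions constructed for illustration.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int inside(const char *p, const char *dir) { /* p is dir or below it */
    size_t n = strlen(dir);
    return strncmp(p, dir, n) == 0 && (p[n] == '/' || p[n] == '\0');
}

/* Creation-time check: canonicalise the requested directory with realpath()
 * and refuse it if it lies in the data directory. Returns 0 if allowed. */
int check_at_create(const char *dir, const char *datadir) {
    char rd[PATH_MAX], rdata[PATH_MAX];
    if (!realpath(dir, rd) || !realpath(datadir, rdata)) return -1;
    return inside(rd, rdata) ? -1 : 0;
}

/* Open-time check: open first, then refuse the descriptor if the path now
 * resolves into datadir or no longer names the inode that was opened. */
int open_checked(const char *path, const char *datadir) {
    char rp[PATH_MAX], rdata[PATH_MAX];
    struct stat f, s;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (!realpath(path, rp) || !realpath(datadir, rdata) || inside(rp, rdata) ||
        fstat(fd, &f) || stat(rp, &s) || f.st_dev != s.st_dev || f.st_ino != s.st_ino) {
        close(fd); return -1;
    }
    return fd;
}

/* Constructed scenario in a fresh temp dir; returns a bitmask of outcomes. */
int scenario(void) {
    char t[] = "/tmp/opentimeXXXXXX";
    int fd, r = 0;
    if (!mkdtemp(t) || chdir(t) || mkdir("data", 0700) ||
        mkdir("data/otherdb", 0700) || mkdir("u", 0700)) return -1;
    close(creat("data/otherdb/t.MYD", 0600)); close(creat("u/t.MYD", 0600));
    if (check_at_create("u", "data") == 0) r |= 1;      /* accepted at creation */
    if ((fd = open_checked("u/t.MYD", "data")) >= 0) { r |= 2; close(fd); }
    if (rename("u", "u.old") || symlink("data/otherdb", "u")) return -1;
    if (open_checked("u/t.MYD", "data") < 0) r |= 4;    /* refused at open */
    return r;
}
int main(void) { printf("scenario bitmask: %d\n", scenario()); return 0; }
```

The path and inode comparison after `open()` ties the decision to the descriptor actually obtained, but it narrows the race rather than removing it. A result of 7 means the directory passed the creation-time check and the same path was still refused at open time once it resolved into the data directory.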