Date: Tue, 24 Nov 2009 19:16:26 +0100
From: Sergei Golubchik <serg@...ql.com>
To: Jan Lieskovsky <jlieskov@...hat.com>
Cc: oss-security@...ts.openwall.com, coley <coley@...re.org>,
  MySQL Security Team <security@...ql.com>
Subject: Re: mysql-5.1.41

Hi, Jan!

On Nov 24, Jan Lieskovsky wrote:
> Hi Josh,
>
>   looked further into these issues.
>
> A, wrt http://bugs.mysql.com/bug.php?id=32167
>
> You are right, that  CVE-2008-2079 was originally assigned to:
>    http://bugs.mysql.com/bug.php?id=32167
>
> On "[6 May 2008 11:16] Sergei Golubchik" states:
>
> please, note in the manual that it's CVE-2008-2079
>
> But last comment on this bug mentions:
>
> <quote>
>
> [12 Nov 4:50] Paul DuBois
>
> Noted in 5.1.41, 5.5.0, 6.0.14 changelogs.
>
> Additional corrections were made for the symlink-related privilege
> problem originally addressed in MySQL 5.1.24. The original fix did
> not correctly handle the data directory path name if it contained
> symlinked directories in its path, and the check was made only at
> table-creation time, not at table-opening time later.
>
> </quote>
>
> Also MySQL-5.1.41 news file now contains:
>
> Important Change: Security Fix: Additional
> corrections were made for the symlink-related
> privilege problem originally addressed in MySQL
> 5.1.24. The original fix did not correctly handle
> the data directory path name if it contained
> symlinked directories in its path, and the check
> was made only at table-creation time, not at
> table-opening time later. (Bug#32167, CVE-2008-2079)"
>
> Consequence:
> ===========
>
> So I think we will need a new CVE id as incomplete fix for CVE-2009-2079.
> Relevant patch is here (2845 Georgi Kodinov 2009-11-03)
>   http://lists.mysql.com/commits/89940
>
> Cc-ed MySQL security team to confirm this assumption.

Not confirming :)
The patch you referenced has a changeset comment
"
  Fixed an initialization order remark by Serg : correct directory
  expansion order implemented on server startup.
"

And it fixes a problem mentioned in my bug comment from [14 Jul 15:53].

The changelog entry you quoted above goes up to bug comment from
[25 Nov 2008 17:26] (no, I don't know why it took a year to get it to
the manual). And the "original fix" is apparently this one:

http://lists.mysql.com/commits/43206 (from 2008-02-29)

while the "additional" is this:

http://lists.mysql.com/commits/52326 (from 2008-08-22)

> Conclusion - so two CVE ids are needed:
> ---------------------------------------
> 1, One for incomplete fix for CVE-2009-2079 issue) --
>    "and the check was made only at table-creation time, not at 
> table-opening time later"

cannot this one go under existing CVE ?

Regards / Best regards,
Sergei

-- 
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@....com>
 / /|_/ / // /\ \/ /_/ / /__  Principal Software Engineer/Server Architect
/_/  /_/\_, /___/\___\_\___/  Sun Microsystems GmbH, HRB München 161028
       <___/                  Sonnenallee 1, 85551 Kirchheim-Heimstetten
Managing Directors: Thomas Schroeder, Wolfgang Engels, Wolf Frenkel
Chairman of the Supervisory Board: Martin Häring
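
The changelog quoted in this thread names two defects in the original fix: the configured data directory was not resolved through symlinked components before comparison, and the comparison ran only when a table was created, not when it was opened later. The following is an added example, not code from MySQL or from either correspondent, showing the shape of a check that avoids both defects: the data directory is canonicalized once at startup (`init_datadir`, `datadir_real`), every candidate path is canonicalized the same way before the prefix comparison (`path_inside_datadir`), and the policy entry point (`table_path_allowed`) is meant to be called from both the create and the open path. The policy itself, that a table file location may not point back into the data directory, is assumed here for illustration. `naive_inside_datadir` reproduces the unresolved-prefix comparison so the difference can be seen on a symlinked data directory; `build_fixture` creates a constructed directory layout under `/tmp` to run it against. All function and variable names are this example's own.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Canonical data directory, resolved once at startup (hypothetical server
   state for this example; not a MySQL variable). */
static char datadir_real[PATH_MAX];

/* Startup: resolve the configured data directory through every symlinked
   component before any table path is ever compared against it.
   Returns 0 on success, -1 if the path cannot be resolved. */
int init_datadir(const char *configured_datadir)
{
    return realpath(configured_datadir, datadir_real) ? 0 : -1;
}

/* Does `candidate`, after symlink resolution, lie inside the canonical data
   directory?  1 = inside, 0 = outside, -1 = cannot resolve (e.g. missing). */
int path_inside_datadir(const char *candidate)
{
    char cand_real[PATH_MAX];
    if (!realpath(candidate, cand_real))
        return -1;
    size_t n = strlen(datadir_real);
    if (strncmp(cand_real, datadir_real, n) != 0)
        return 0;
    /* Require a '/' boundary so ".../mysql2" is not "inside" ".../mysql". */
    return (cand_real[n] == '\0' || cand_real[n] == '/') ? 1 : 0;
}

/* The incomplete comparison the changelog describes: the configured string,
   left unresolved, against the resolved candidate.  When the configured
   path goes through a symlink the prefixes never match, so locations that
   really are inside the data directory are reported as outside. */
int naive_inside_datadir(const char *configured_datadir, const char *candidate)
{
    char cand_real[PATH_MAX];
    if (!realpath(candidate, cand_real))
        return -1;
    size_t n = strlen(configured_datadir);
    if (strncmp(cand_real, configured_datadir, n) != 0)
        return 0;
    return (cand_real[n] == '\0' || cand_real[n] == '/') ? 1 : 0;
}

/* Policy assumed for this example: an external table file location may not
   point back into the data directory.  Intended to run on both the create
   path and the open path, so a symlink swapped in after creation is caught. */
int table_path_allowed(const char *candidate)
{
    return path_inside_datadir(candidate) == 0;
}

/* Constructed fixture: <tmp>/real is the actual directory, <tmp>/link -> real
   is the symlinked name an administrator might configure as datadir, and
   <tmp>/link/db is a location inside it.  Returns 0 on success. */
int build_fixture(char *link_path, char *inside_path, size_t n)
{
    char tmpl[] = "/tmp/datadir-XXXXXX";
    if (!mkdtemp(tmpl))
        return -1;
    char real[PATH_MAX], link[PATH_MAX], inside[PATH_MAX];
    snprintf(real, sizeof real, "%s/real", tmpl);
    snprintf(link, sizeof link, "%s/link", tmpl);
    snprintf(inside, sizeof inside, "%s/db", link);
    if (mkdir(real, 0700) != 0 || symlink("real", link) != 0)
        return -1;
    if (mkdir(inside, 0700) != 0)   /* created through the symlink */
        return -1;
    snprintf(link_path, n, "%s", link);
    snprintf(inside_path, n, "%s", inside);
    return 0;
}

int main(void)
{
    char link[PATH_MAX], inside[PATH_MAX];
    if (build_fixture(link, inside, PATH_MAX) != 0 || init_datadir(link) != 0)
        return 1;
    printf("resolved check, %s inside datadir: %d\n", inside, path_inside_datadir(inside));
    printf("naive check,    %s inside datadir: %d\n", inside, naive_inside_datadir(link, inside));
    printf("/tmp allowed as table location: %d\n", table_path_allowed("/tmp"));
    return 0;
}
```

The point to carry over is in `table_path_allowed`: the resolved comparison costs the same whether it runs once or twice, and running it only at creation leaves the window the changelog describes, in which the path is benign when the table is created and rebound by a symlink before it is opened. Both `realpath` calls require the path to exist, which is why the fixture creates the directories first.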
