Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 2 Dec 2012 20:25:22 +0100
From: Sergei Golubchik <>
Cc: Kurt Seifried <>,
	king cope <>,,,,,
	Mitre CVE assign department <>,
	Steven Christey <>,,, Ritwik Ghoshal <>,
Subject: Re: Re: [Full-disclosure] MySQL (Linux) Stack based
 buffer overrun PoC Zeroday

Hi, Huzaifa!

Here's the vendor's reply:

On Dec 02, Huzaifa Sidhpurwala wrote:
> * CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday

A duplicate of CVE-2012-5579
Already fixed in all stable MariaDB version.

> * CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday


> * CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday
> Exploit

Not a bug. MySQL manual specifies many times very explicitly:

   * Do not grant the `FILE' privilege to nonadministrative users. Any
     user that has this privilege can write a file anywhere in the file
     system with the privileges of the *Note `mysqld': mysqld. daemon.
     To make this a bit safer, files generated with *Note `SELECT ...
     INTO OUTFILE': select. do not overwrite existing files and are
     writable by everyone.

     The `FILE' privilege may also be used to read any file that is
     world-readable or accessible to the Unix user that the server runs
     as. With this privilege, you can read any file into a database
     table. This could be abused, for example, by using *Note `LOAD
     DATA': load-data. to load `/etc/passwd' into a table, which then
     can be displayed with *Note `SELECT': select.
You should exercise particular caution in granting the `FILE'
and administrative privileges:

   * The `FILE' privilege can be abused to read into a database table
     any files that the MySQL server can read on the server host. This
     includes all world-readable files and files in the server's data
     directory.  The table can then be accessed using *Note `SELECT':
     select. to transfer its contents to the client host.

Additionally, MySQL (and MariaDB) provides a --secure-file-priv
option that allows to restrict all FILE operations to a specific

Thus, CVE-2012-5613 is not a bug, but a result of a misconfiguration,
much like an anonymous ftp upload access to the $HOME of the ftp user.

> * CVE-2012-5614 MySQL Denial of Service Zeroday PoC


> * CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday

This is hardly a "zeroday" issue, it was known for, like, ten years.
But I'll see what we can do here.

MariaDB Security Coordinator

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ