Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 11 Nov 2009 12:48:44 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: coley <coley@...re.org>, serg@...ql.com
Subject: CVE assignment and second opinion needed

Hi Steve,

So this one is a bit tricky.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555626

There are almost two flaws here, certainly one. The issue really boils down to
if /var/lib/mysql is world readable, it's possible for a local user who also
has database access, and can guess a future database table name, could ensure
that table will be a world writable file. That's an impressive runon sentence.

So The question I have with respect to CVE assignment, is which part of this
is worth of the ID. I'm thinking the directory permissions are possibly an
issue, but by itself, isn't really a security flaw.

The CREATE TABLE not fixing permissions if the file already exists is probably
closer to the real problem. Being able to do a select into an outfile anywhere
by default may also be an issue.

I'm CCing Sergei Golubchik from MySQL who reported this to the packagers list
so he can weigh in if I'm wrong (which is very possible).

Also, Sergei, do you folks have a fix for this yet? I'm curious to see what
you're fixing, which may help decide CVE assignment.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.