Date: Wed, 11 Nov 2009 12:48:44 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security <oss-security@...ts.openwall.com> Cc: coley <coley@...re.org>, serg@...ql.com Subject: CVE assignment and second opinion needed Hi Steve, So this one is a bit tricky. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555626 There are almost two flaws here, certainly one. The issue really boils down to if /var/lib/mysql is world readable, it's possible for a local user who also has database access, and can guess a future database table name, could ensure that table will be a world writable file. That's an impressive runon sentence. So The question I have with respect to CVE assignment, is which part of this is worth of the ID. I'm thinking the directory permissions are possibly an issue, but by itself, isn't really a security flaw. The CREATE TABLE not fixing permissions if the file already exists is probably closer to the real problem. Being able to do a select into an outfile anywhere by default may also be an issue. I'm CCing Sergei Golubchik from MySQL who reported this to the packagers list so he can weigh in if I'm wrong (which is very possible). Also, Sergei, do you folks have a fix for this yet? I'm curious to see what you're fixing, which may help decide CVE assignment. Thanks. -- JB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.