Re: potential vulnerability of mysqld running with root privileges

[Sergei Golubchik <sergii () PISEM NET>]

Hi!

On Mar 18, Pavlov, Lesha wrote:
> Anybody, who get login and password to mysql can use it as DoS or r00t
> exploit because mysql accepts '../blah-blah' as valid database name and
> each table represented by 3 files tablename.ISD, tablename.ISM and
> tablename.frm, But, when mysqld checks table already exists or not
> exists, it checks _only_ tablename.frm :

[skip]

> Vulnerable versions:
> This DoS/exploit tested on mysql-3.20.32a but i see another versions of
> mysql also vulnerabile.

3.20 is not simply outdated - it's VERY old.
Official supported is 3.23 branch now.
3.23.1 was releases more than a year ago.

And 3.23 doesn't has that bug.

> Recomendations:
> * Patch mysql to treat database names, started by '..' as incorrect
> database names.

3.23 does it.

> Patches:
>  not yet

Why, there are for several years !

Regards,
Sergei

--
MySQL Development Team
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg () mysql com>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany
       <___/