oss-sec mailing list archives

Re: CVE request: MySQL incomplete fix for CVE-2008-2079


From: Tomas Hoger <thoger () redhat com>
Date: Tue, 9 Sep 2008 22:23:45 +0200

Hi!

While we are on MySQL, the following issue should probably get a CVE id
as well...

CVE id CVE-2008-2079 was assigned to a MySQL flaw that allowed attackers
to get access to tables created by other database users in the
future.

Devin Carraway of Debian noticed that the upstream fix can be defeated
by local users via directory symlinks:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25

The patch used in DSA-1608-1 differed from the upstream fix by the
addition of a realpath call to expand all symlinks in the path specified
in DATA / INDEX DIRECTORY directives:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#42

This is also possible to defeat, as described by Devin in the upstream
bug report related to the original issue:

  http://bugs.mysql.com/bug.php?id=32167
  comment dated "[18 Jul 9:43]"

Upstream addressed the problem by doing the check at open time, not
only at creation time, and the fix is mentioned in the 5.0.70 (and
possibly other) release notes (using the original CVE id):

  http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-70.html

-- 
Tomas Hoger / Red Hat Security Response Team
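
Added here as an illustration of the three stages the message describes, not code from MySQL, Debian or the original thread: a small Python model of a server that creates a table's data file under DATA DIRECTORY and leaves a symlink in the database directory, with the "must not point into the datadir" policy applied (a) to the literal path at creation, (b) to the realpath at creation, and (c) again at open time. The directory layout, database names and file contents are constructed for the example. The post-creation swap of a real directory for a symlink is the generic time-of-check/time-of-use pattern that an open-time check remedies; it is assumed here, since the message itself does not spell out Devin's second technique.

```python
import os
import tempfile

class Refused(Exception):
    """The simulated server refused the operation."""

def _inside(path, root):
    """True if canonical `path` is `root` or lies under it."""
    return path == root or path.startswith(root + os.sep)

def check_data_directory(data_dir, datadir, resolve_symlinks):
    """Creation-time check: DATA DIRECTORY must not point into the datadir.
    resolve_symlinks=True canonicalises first (the DSA-1608-1 style realpath)."""
    root = os.path.realpath(datadir)
    target = os.path.realpath(data_dir) if resolve_symlinks else os.path.normpath(data_dir)
    if _inside(target, root):
        raise Refused("DATA DIRECTORY points into the server datadir")

def create_table(datadir, db, table, data_dir, resolve_symlinks):
    """Simulated CREATE TABLE db.table ... DATA DIRECTORY=data_dir: the data
    file lives under data_dir, datadir/db/table.MYD is a symlink to it."""
    check_data_directory(data_dir, datadir, resolve_symlinks)
    data_file = os.path.join(data_dir, table + ".MYD")
    with open(data_file, "w"):
        pass  # empty data file
    os.symlink(data_file, os.path.join(datadir, db, table + ".MYD"))

def open_table(datadir, db, table, recheck_at_open):
    """Simulated table open. With recheck_at_open the policy is re-applied to
    where a symlinked data file resolves *now*, not where it pointed at
    creation (the open-time check the message attributes to 5.0.70)."""
    link = os.path.join(datadir, db, table + ".MYD")
    if recheck_at_open and os.path.islink(link) and _inside(
            os.path.realpath(link), os.path.realpath(datadir)):
        raise Refused("table data file resolves into the server datadir")
    with open(link) as f:
        return f.read()

def _fresh_server(base, name):
    """Constructed layout: a datadir with two databases, plus a directory the
    local attacker controls outside the datadir."""
    datadir = os.path.join(base, name, "datadir")
    for db in ("attacker", "victim"):
        os.makedirs(os.path.join(datadir, db))
    outside = os.path.join(base, name, "attacker_home")
    os.makedirs(outside)
    return datadir, outside

def scenario_literal_check(base):
    """Check on the literal path: a directory symlink pointing into the
    victim's database directory walks straight past it. Returns True if the
    attacker's table file ended up inside the victim's directory."""
    datadir, outside = _fresh_server(base, "literal")
    evil = os.path.join(outside, "evil")
    os.symlink(os.path.join(datadir, "victim"), evil)  # evil -> datadir/victim
    create_table(datadir, "attacker", "t", evil, resolve_symlinks=False)
    victim_dir = os.path.realpath(os.path.join(datadir, "victim"))
    return _inside(os.path.realpath(os.path.join(datadir, "attacker", "t.MYD")), victim_dir)

def scenario_realpath_check(base):
    """Resolving symlinks before the check refuses the same direct symlink."""
    datadir, outside = _fresh_server(base, "realpath")
    evil = os.path.join(outside, "evil")
    os.symlink(os.path.join(datadir, "victim"), evil)
    try:
        create_table(datadir, "attacker", "t", evil, resolve_symlinks=True)
    except Refused:
        return True
    return False

def scenario_swap_after_creation(base, recheck_at_open):
    """Time-of-check/time-of-use (assumed technique): a real directory passes
    the realpath check at creation, then is replaced by a symlink into the
    datadir. Returns what the attacker reads through the table, or None if
    the open is refused."""
    datadir, outside = _fresh_server(base, "swap_recheck" if recheck_at_open else "swap")
    staging = os.path.join(outside, "staging")
    os.mkdir(staging)  # a real directory at creation time
    create_table(datadir, "attacker", "t", staging, resolve_symlinks=True)
    os.remove(os.path.join(staging, "t.MYD"))
    os.rmdir(staging)
    os.symlink(os.path.join(datadir, "victim"), staging)  # now staging -> datadir/victim
    # Later the victim creates an ordinary table of the same name (constructed content).
    with open(os.path.join(datadir, "victim", "t.MYD"), "w") as f:
        f.write("victim data")
    try:
        return open_table(datadir, "attacker", "t", recheck_at_open)
    except Refused:
        return None

def run_scenarios():
    """Run every variant in a throwaway directory and return the outcomes."""
    base = tempfile.mkdtemp(prefix="datadir-toctou-")
    return {
        "literal_check_bypassed": scenario_literal_check(base),
        "realpath_check_refuses_symlink": scenario_realpath_check(base),
        "swap_read_without_recheck": scenario_swap_after_creation(base, False),
        "swap_read_with_recheck": scenario_swap_after_creation(base, True),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome!r}")
```

Run directly it prints the outcome of each variant: the literal-path check is bypassed by a plain directory symlink, the realpath check refuses that symlink but is satisfied by a real directory that is swapped out afterwards, and only the open-time re-check turns the swapped symlink into a refusal. The re-check is limited to symlinked data files, so ordinary tables stored inside the datadir are not affected by it.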

