oss-sec mailing list archives
Re: CVE request: MySQL incomplete fix for CVE-2008-2079
From: Tomas Hoger <thoger () redhat com>
Date: Tue, 9 Sep 2008 22:23:45 +0200
Hi! While we are on MySQL, the following issue should probably get a CVE id as well...

CVE id CVE-2008-2079 was assigned to a MySQL flaw that allowed attackers to get access to the tables created by other database users in the future. Devin Carraway of Debian noticed that the upstream fix can be defeated by local users via directory symlinks:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25

The patch used in DSA-1608-1 differed from the upstream fix by the addition of a realpath call to expand all symlinks in the path specified in the DATA / INDEX DIRECTORY directives:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#42

Which is also possible to defeat, as described by Devin in the upstream bug report related to the original issue:

http://bugs.mysql.com/bug.php?id=32167 (comment dated "[18 Jul 9:43]")

Upstream addressed the problem by doing the check at open time, not only at creation time, and the fix is mentioned in the 5.0.70 (and possibly other) release notes (using the original CVE id):

http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-70.html

-- 
Tomas Hoger / Red Hat Security Response Team
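The point of the message above is a time-of-check/time-of-use gap: resolving the directory with realpath only when the table is created does not help if the directory is swapped for a symlink before the table files are opened. The following is an added illustration, not code from the thread or from MySQL: a hypothetical `resolves_inside` check that expands symlinks and tests whether the resulting path lies under the server's data directory, and a `demo` that runs the same check at "creation time" and again at "open time" in a temporary directory where the external directory has been replaced by a symlink in between. The directory names and the `check_external_dir` helper are constructed for the example.

```python
import os
import tempfile


def resolves_inside(path: str, datadir: str) -> bool:
    """Return True if `path`, with every symlink expanded, lies inside `datadir`.

    Both sides are passed through realpath so that a symlinked data directory
    (or a symlinked temp root) does not produce a false negative.
    """
    real_path = os.path.realpath(path)
    real_datadir = os.path.realpath(datadir)
    try:
        return os.path.commonpath([real_path, real_datadir]) == real_datadir
    except ValueError:
        # commonpath raises when the paths are on different drives (Windows);
        # in that case the path cannot be inside the data directory.
        return False


def check_external_dir(path: str, datadir: str) -> str:
    """Hypothetical server-side validation of a DATA/INDEX DIRECTORY value.

    Must be called every time the table files are opened, not only when the
    table is created; the resolved path is returned for the caller to use.
    """
    if resolves_inside(path, datadir):
        raise PermissionError(f"{path!r} resolves into the data directory {datadir!r}")
    return os.path.realpath(path)


def demo() -> tuple:
    """Show why a creation-time-only check is insufficient.

    Returns (creation_check_passed, open_check_passed): the first is True
    because the directory really is outside datadir when the table is created,
    the second is False because by open time it resolves into datadir.
    """
    with tempfile.TemporaryDirectory() as root:
        datadir = os.path.join(root, "datadir")      # constructed: server data dir
        external = os.path.join(root, "external")    # constructed: DATA DIRECTORY value
        os.makedirs(os.path.join(datadir, "otherdb"))
        os.makedirs(external)

        # Creation time: `external` is an ordinary directory outside datadir,
        # so a check run here (even with realpath) accepts it.
        creation_check_passed = not resolves_inside(external, datadir)

        # Later, the directory is replaced by a symlink pointing into datadir.
        os.rmdir(external)
        os.symlink(os.path.join(datadir, "otherdb"), external)

        # Open time: re-running the check now rejects the path. A server that
        # only checked at creation would open files inside datadir here.
        open_check_passed = not resolves_inside(external, datadir)

        return creation_check_passed, open_check_passed


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, False)`: the creation-time check passes and the open-time check fails, which is exactly the gap the upstream fix closes by repeating the check at open time.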
Current thread:
- CVE request: MySQL empty bit-string literal server crash Robert Buchholz (Sep 09)
- Re: CVE request: MySQL empty bit-string literal server crash Steven M. Christey (Sep 09)
- Re: CVE request: MySQL incomplete fix for CVE-2008-2079 Tomas Hoger (Sep 09)
- Re: CVE request: MySQL incomplete fix for CVE-2008-2079 Steven M. Christey (Sep 15)