oss-sec mailing list archives
Re: mysql-5.1.41
From: Tomas Hoger <thoger () redhat com>
Date: Thu, 17 Dec 2009 17:01:59 +0100
On Thu, 17 Dec 2009 16:28:16 +0100 Sergei Golubchik <serg () mysql com> wrote:
Name: CVE-2009-4030 MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.This problem is limited to situation where --datadir gets a relative path not starting with '.' and current working directory is not --basedir, right?You mean the last problem in the bug report ? Yes.
The "Fixed a initialization order remark by Serg" fix, problem pointed out in your comment dated as "[14 Jul 15:53] Sergei Golubchik". As when you use full path for --datadir, it's correctly expanded using realpath. Relative paths starting with '.' are expected to be resolved from CWD. I've not checked path starting with '~', they may be affected by this problem too. Thank you for clarifications / confirmations! -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- mysql-5.1.41 Oden Eriksson (Nov 19)
- <Possible follow-ups>
- Re: mysql-5.1.41 Josh Bressers (Nov 23)
- Re: mysql-5.1.41 Jan Lieskovsky (Nov 24)
- Re: mysql-5.1.41 Jan Lieskovsky (Nov 24)
- Re: mysql-5.1.41 Sergei Golubchik (Nov 24)
- Re: mysql-5.1.41 Steven M. Christey (Nov 30)
- Re: mysql-5.1.41 Tomas Hoger (Dec 16)
- Re: mysql-5.1.41 Sergei Golubchik (Dec 17)
- Re: mysql-5.1.41 Tomas Hoger (Dec 17)
- Re: mysql-5.1.41 Jan Lieskovsky (Nov 24)