Re: CVE request: Debian's package "mysql-server" leaks credential information

[larry Cashdollar <larry0 () me com>]

On Jun 8, 2013, at 7:56 AM, gremlin () gremlin ru wrote:

> On 08-Jun-2013 07:43:21 -0400, larry Cashdollar wrote:
>
> > > > According to the bug report details that's a race condition.
> > > > A malicious user is using a vulnerability in the way the
> > > > installation script handles changing file permissions to disclose
> > > > sensitive information.
> > > Yes. And, once again, that's a misconfiguration - the file should
> > > be created as 0600 root:root during installation and only after
> > > that chmod() and chown() may be applied.
> > I'd agree if this were a configuration file we were talking about,
> > but it's an installation script.
>
> So what? The installation script may contain the `umask 077` line,
> can't it?

Yes, then their would be no bug to exploit.  My assertion is that we are changing an installation script, not a 
configuration file. I guess you could argue that the post install script is doing the configuration however.  I guess 
it will depend on if issues similar to this one have been assigned CVEs in the past.

Cheers.
Larry

> -- 
> Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
> GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
> GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8