[debian-mysql] Bug#480292: CVE-2008-2079: mysql allows local users to bypass certain privilege checks

Devin Carraway devin at debian.org
Sun Jul 6 21:42:31 UTC 2008


On Fri, Jul 04, 2008 at 02:56:00PM +0200, Tomas Hoger wrote:
> Looks like upstream patch is incomplete.  Have you already notified
> upstream about the problem?

Not yet -- I still need to hand verify it against a pristine upstream; it's
reproducible with 5.0.51a from Sid, but the implementation of the path check
has changed significantly from the original patch.  I'll look into that once I
get a workable fix out for etch.


> > In terms of exploitability, this gives any user with permission to
> > create tables in a db the ability to read from, write to and delete
> > tables from any other database within the same mysql instance.
> 
> Can you possibly explain this a little more closely?  MySQL should not allow
> you to overwrite existing tables via DATA/INDEX DIRECTORY directives.
> So you can only get access to tables created in the future, if you can
> predict their names.  Or have you managed to escalate privileges to
> already existing tables using this flaw?

Sorry, I was taking the temporal part of the attack as read -- yes, the attack
is still based on creating the hostile tables before the victim database does.

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
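A defender-side audit check, added here as an example and not code from this thread, from MySQL or from the Debian package: it pulls DATA DIRECTORY / INDEX DIRECTORY clauses out of CREATE TABLE statements (for instance from a general query log) and flags those whose target resolves inside the server datadir, which is the condition the path check discussed above is meant to reject. The datadir value and the lexical-only normalisation are assumptions.

```python
import re
import posixpath

# Constructed example. It is not MySQL's own path check nor the Debian
# patch; it applies the same rule an auditor would want: a DATA/INDEX
# DIRECTORY target must not land inside the server's data directory,
# where it could pre-create table files for another database.

DATADIR = "/var/lib/mysql"  # assumed server datadir

# Matches e.g.  DATA DIRECTORY='/path'  or  index directory = '/path'
CLAUSE_RE = re.compile(
    r"\b(DATA|INDEX)\s+DIRECTORY\s*=?\s*'([^']*)'", re.IGNORECASE)


def directory_clauses(sql):
    """Return (kind, path) pairs for every DATA/INDEX DIRECTORY clause."""
    return [(kind.upper(), path) for kind, path in CLAUSE_RE.findall(sql)]


def resolves_inside(path, datadir=DATADIR):
    """True if path, after lexical normalisation, lies under datadir.

    Lexical only: '..' segments are collapsed, but a symlink elsewhere
    on disk that points into datadir is only caught by resolving the
    path on the live filesystem (os.path.realpath).
    """
    norm = posixpath.normpath(path)
    base = posixpath.normpath(datadir)
    return norm == base or norm.startswith(base + "/")


def flag_statement(sql, datadir=DATADIR):
    """Return the offending clauses of one statement (empty = acceptable)."""
    return [(kind, path) for kind, path in directory_clauses(sql)
            if resolves_inside(path, datadir)]


if __name__ == "__main__":
    # Constructed sample statements, as they might appear in a query log.
    for stmt in (
        "CREATE TABLE t (a INT) ENGINE=MyISAM DATA DIRECTORY='/var/lib/mysql/victim'",
        "CREATE TABLE t (a INT) ENGINE=MyISAM DATA DIRECTORY='/mnt/fast'",
    ):
        print(flag_statement(stmt) or "ok", "<-", stmt)
```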