[debian-mysql] Bug#732306: mysql-5.5: installation creates database test and sets up insecure database permissions

Salvatore Bonaccorso carnil at debian.org
Mon Dec 16 15:09:25 UTC 2013


Package: mysql-5.5
Version: 5.5.17-1
Severity: serious
Tags: security

[Opening this as serious, as stable will be fixed through a
wheezy-security upload, and it needs also to be addressed for jessie]

Matthias Reichl reported the following issue with the mysql-5.5
package:

----cut---------cut---------cut---------cut---------cut---------cut-----
mysql-server-5.5 ships with the upstream mysql_install_db script
which creates a database "test" and sets up permissions that
allow anonymous access, without a password, from localhost to
the "test" database and any databases starting with "test_" that
users might have created after installing mysql-server.

mysql> select Host, User, Db from mysql.db;
+------+------+---------+
| Host | User | Db      |
+------+------+---------+
| %    |      | test    |
| %    |      | test\_% |
+------+------+---------+

MySQL documentation recommends dropping these permissions and
the "test" database.
http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html,
section "Securing Test Databases".

mysql-server-5.1 in squeeze didn't set up these permissions and
didn't create the test database; the Debian patches
33_scripts__mysql_create_system_tables__no_test.dpatch and
41_scripts__mysql_install_db.sh__no_test.dpatch removed the code
from /usr/bin/mysql_install_db and /usr/share/mysql/mysql_system_tables.sql.

Please re-add these patches to mysql-server-5.5 and include some code
in the pre/postinst script to remove these permissions and the
"test" database on current installations.
----cut---------cut---------cut---------cut---------cut---------cut-----

Regards,
Salvatore
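The audit and cleanup the report asks for, as an added SQL example that is not part of the bug report or of the Debian maintainer scripts; it assumes a MySQL 5.5 server and a session with privileges on the mysql schema, and restricts the deletion to anonymous-user rows so grants that real users hold on their own "test_" databases survive:

```sql
-- Added example: find and remove the anonymous grants on "test" / "test\_%"
-- that the upstream mysql_install_db script creates (assumes MySQL 5.5).

-- 1. Audit: anonymous (empty User) rows in mysql.db that cover test databases.
--    A fresh install shows two rows: Db = 'test' and Db = 'test\_%'.
SELECT Host, User, Db
  FROM mysql.db
 WHERE User = ''
   AND Db LIKE 'test%';

-- 2. Which existing databases are exposed by those rows? Only "test" itself is
--    dropped below; user-created "test_<name>" databases are left in place.
SELECT SCHEMA_NAME
  FROM information_schema.SCHEMATA
 WHERE SCHEMA_NAME LIKE 'test%';

-- 3. Remove the anonymous grants and the default "test" database.
DELETE FROM mysql.db
 WHERE User = ''
   AND Db LIKE 'test%';

DROP DATABASE IF EXISTS test;

-- 4. Reload the grant tables so the change applies to new connections.
FLUSH PRIVILEGES;

-- 5. Verify: the audit query from step 1 must now return an empty set.
SELECT Host, User, Db
  FROM mysql.db
 WHERE User = ''
   AND Db LIKE 'test%';
```

Running step 1 on a server installed from the affected package is also a quick way to confirm whether it is exposed before touching anything.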
