Bug 60744 - dev-db/mysql: insecure temporary file creation
Summary: dev-db/mysql: insecure temporary file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://lists.debian.org/debian-securi...
Whiteboard: A3 [glsa] jaervosz
Reported: 2004-08-18 01:20 UTC by Matthias Geerdsen (RETIRED)
Modified: 2004-09-26 20:53 UTC
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-18 01:20:07 UTC
CAN-2004-0457
http://lists.mysql.com/internals/15185 has the patch Debian used according to the changelog of the stable version:

"mysql (3.23.49-8.7) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Applied upstream patch by Sergei Golubchik <serg@mysql.com> to fix
    insecure temporary file creation [scripts/mysqlhotcopy.sh,
    http://lists.mysql.com/internals/15185, CAN-2004-0457]

 -- Martin Schulze <joey@infodrom.org>  Sat, 14 Aug 2004 17:24:09 +0200"


and:

http://packages.debian.org/changelogs/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.20-11/changelog

"mysql-dfsg (4.0.20-11) unstable; urgency=high

  * SECURITY
    This version fixes a security flaw in mysqlhotcopy which created
    temporary files in /tmp which had predictable filenames and such
    could be used for a tempfile run attack.
    The issue has been recorded as CAN-2004-0457.

 -- Christian Hammers <ch@debian.org>  Sat, 14 Aug 2004 18:27:19 +0200"

Reproducible: Always
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-23 11:48:30 UTC
mysql-bugs please provide an updated ebuild.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-08-23 13:31:28 UTC
in cvs now.
3.23.58-r1
4.0.20-r1
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-23 13:41:48 UTC
Arches please mark stable.

Target keywords:

3.23.58-r1 alpha hppa ppc sparc x86

4.0.20-r1 alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86
Comment 4 Jason Wever (RETIRED) gentoo-dev 2004-08-23 21:37:31 UTC
Package maintainers, is it possible to test a test case or two that would show this is indeed fixed?

Security, sorry for sounding like a broken record ;)
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-08-23 23:41:14 UTC
weeve: I don't even know anybody that uses the affected utility, much less be able to produce a halfway usable testcase for it. This is one of the times I'd say that so long as the fixed code is in the mysqlhotcopy script, I'd have to leave it at that.
Comment 6 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-08-24 10:42:28 UTC
masked stable on ppc.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-24 14:44:38 UTC
3.23.58-r1 & 4.0.20-r1 sparc stable.
The test case can be done in a simple way, use mysqlhotcopy to copy (sic) a big db, so as to have time to kill the process and check the resulting non-cleaned up temporary file it uses.
Otherwise you can play with an strace, but it's a torture.
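
A regression check in the spirit of the test case requested in comment 4, as an added example that is not part of this bug thread, the mysqlhotcopy script or the upstream patch. The `hotcopy.<pid>` naming scheme and all function names are constructed for illustration; the check contrasts a guessable temporary path with one created by `mktemp`, entirely inside a private sandbox directory.

```shell
#!/bin/sh
# Added example: regression check for predictable temp-file names.
# All names (write_predictable, write_safe, follows_planted_link) and the
# hotcopy.<pid> scheme are hypothetical, not taken from mysqlhotcopy.

# Unsafe pattern: the path is a fixed prefix plus the PID, so another local
# user can create it first. "$1" is the directory, "$2" the PID.
write_predictable() {
    tmp="$1/hotcopy.$2"
    echo "table list" > "$tmp"      # reuses whatever already exists at $tmp
}

# Safe pattern: mktemp picks an unguessable name and creates the file
# exclusively, so a pre-existing file or symlink is never reused.
write_safe() {
    tmp=$(mktemp "$1/hotcopy.XXXXXX") || return 1
    echo "table list" > "$tmp"
}

# Returns 0 if writer "$1" wrote through a link planted at the predicted
# path, 1 if the planted link was left alone.
follows_planted_link() {
    sandbox=$(mktemp -d) || return 2
    mkdir "$sandbox/tmp"
    : > "$sandbox/target"           # stands in for some other file
    ln -s "$sandbox/target" "$sandbox/tmp/hotcopy.4242"
    "$1" "$sandbox/tmp" 4242
    if [ -s "$sandbox/target" ]; then rc=0; else rc=1; fi
    rm -rf "$sandbox"
    return "$rc"
}

if follows_planted_link write_predictable; then
    echo "predictable name: write landed in the linked file (vulnerable)"
fi
if ! follows_planted_link write_safe; then
    echo "mktemp name: planted link untouched (fixed)"
fi
```
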
Comment 8 Hardave Riar (RETIRED) gentoo-dev 2004-08-24 20:25:07 UTC
Stable on mips
Comment 9 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-25 09:18:40 UTC
Stable on alpha.
Comment 10 SpanKY gentoo-dev 2004-08-25 22:29:48 UTC
moved to stable for arm/hppa/amd64/ia64
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-28 15:51:30 UTC
***bump***
Arches please mark stable
***bump***
Comment 12 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-08-28 21:56:49 UTC
done on x86.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-09-01 08:46:26 UTC
GLSA 200409-02
ppc64, s390 : please mark mysql-4.0.20-r1 stable to benefit from that GLSA.
Comment 14 Tom Gall (RETIRED) gentoo-dev 2004-09-26 20:53:27 UTC
fixed on ppc64