89203 – app-db/mysql: table with underscores corner case

Bug 89203 - app-db/mysql: table with underscores corner case

Summary: app-db/mysql: table with underscores corner case

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High normal
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-04-15 10:29 UTC by Thierry Carrez (RETIRED)
Modified:	2005-04-19 11:42 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
mysql_CAN-2004-0957_new.patch (mysql_CAN-2004-0957_new.patch,2.61 KB, patch) 2005-04-17 10:51 UTC, Thierry Carrez (RETIRED)	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thierry Carrez (RETIRED) gentoo-dev

2005-04-15 10:29:50 UTC

I was wondering if we really took care of this one, as apparently a corner case was recently found and fixed :

===========================================================
Ubuntu Security Notice USN-109-1	     April 06, 2005
mysql-dfsg vulnerability
CAN-2004-0957
===========================================================
[...]
USN-32-1 fixed a database privilege escalation vulnerability; original
advisory text:

  "If a user was granted privileges to a database with a name
  containing an underscore ("_"), the user also gained the ability to
  grant privileges to other databases with similar names.
  (CAN-2004-0957)"

Recently a corner case was discovered where this vulnerability can
still be exploited, so another update is necessary.
=====================================================

Comment 1 Jakub Moc (RETIRED) gentoo-dev

2005-04-15 19:53:49 UTC

You mean Bug 83163? I really hope this is fixed ;-) (it turned out to be actually phpmyadmin problem - Bug 83792)

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2005-04-16 04:36:08 UTC

I was just wondering why Debian, Ubuntu and Mandriva issued updated advisories saying they fixed it (like we did) but a new corner case was recently discovered so they re-fixed it (like we didn't).

Maybe our MySQL is simply not affected by this, just keeping this open until someone can confirm it (probably by looking at the Debian/Ubuntu patches)

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2005-04-17 10:50:02 UTC

There definitely is something up here...

http://packages.qa.debian.org/m/mysql-dfsg.html
Debian released a mysql-dfsg_4.0.24-5 to fix this.

http://dev.mysql.com/doc/mysql/en/news-4-0-25.html
MySQL lists that bug in the not-yet-released 4.0.25 Changelog.

I'll isolate the 4.0.24-5 patch from eth Debian thing so that our MySQL guys can have a look.

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2005-04-17 10:51:21 UTC

Created attachment 56533 [details, diff]
mysql_CAN-2004-0957_new.patch

Patch extracted from Debian's diffs...

Comment 5 Robin Johnson archtester

2005-04-17 16:17:58 UTC

I can't reproduce it on 4.0.24.

Command sequence:
# mysql -uroot -p....
> CREATE DATABASE something_com;
Query OK, 1 row affected (0.01 sec)
> GRANT SELECT ON something_com.* TO someone@localhost IDENTIFIED BY 'someo
ne';
Query OK, 0 rows affected (0.00 sec)
> QUIT;
# mysql -usomeone -psomeone
> CREATE DATABASE `something?com`;
ERROR 1044: Access denied for user: 'someone@localhost' to database 'something?com'

(and create table is properly secured as well).

I also tested with the someone user just having the 'USAGE' privilege, and that doesn't even give them access to something_com, which is correct.

Comment 6 Thierry Carrez (RETIRED) gentoo-dev

2005-04-19 11:42:09 UTC

Closed as worksforyou then.