Bug 144199 - dev-db/mysql: 5.x privilege escalation + bypass security restriction
Summary: dev-db/mysql: 5.x privilege escalation + bypass security restriction
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/21506/
Whiteboard: ~3/4(?) [noglsa] Falco
Keywords:
Depends on:
Blocks: 144999
Reported: 2006-08-17 06:20 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-10-23 11:32 UTC
See Also:
Package list:
Runtime testing required: ---
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-17 06:20:50 UTC
Privilege escalation:
http://bugs.mysql.com/bug.php?id=17647
If you have rights on the "foo" database, you can create foO, fOo, fOO, Foo ... databases.

Bypass of a security restriction:
http://bugs.mysql.com/bug.php?id=18630

all in SA 21506 http://secunia.com/advisories/21506/

That will be corrected in 5.0.25.
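As an added defender-side example (not part of this bug report and not MySQL's own code), the following SQL queries let a DBA audit an instance for the condition described above: schema names that differ only in letter case, and database-level grants whose case-folded pattern would match more than one existing schema. They assume the standard MySQL 5.0+ system tables information_schema.SCHEMATA and mysql.db; any schema names they return are whatever exists on the audited server.

```sql
-- Added example, not from the bug report: audit queries for the case-variant
-- database-name issue. Assumes MySQL 5.0+ with information_schema available
-- and read access to the mysql.db grant table.

-- 1. Schemas whose names differ only by letter case (e.g. foo, Foo, fOO).
--    A non-empty result means a case variant of an existing database was created.
SELECT LOWER(SCHEMA_NAME)                         AS name_folded,
       GROUP_CONCAT(SCHEMA_NAME ORDER BY SCHEMA_NAME) AS variants,
       COUNT(*)                                   AS variant_count
FROM information_schema.SCHEMATA
GROUP BY LOWER(SCHEMA_NAME)
HAVING COUNT(*) > 1;

-- 2. Database-level grants that, under case-insensitive matching, cover more than
--    one existing schema. mysql.db.Db is a pattern (may contain % and _), so it is
--    compared with LIKE after folding both sides to lower case.
SELECT d.User, d.Host, d.Db AS grant_pattern,
       GROUP_CONCAT(s.SCHEMA_NAME ORDER BY s.SCHEMA_NAME) AS matched_schemas,
       COUNT(*)                                           AS matched_count
FROM mysql.db d
JOIN information_schema.SCHEMATA s
  ON LOWER(s.SCHEMA_NAME) LIKE LOWER(d.Db)
GROUP BY d.User, d.Host, d.Db
HAVING COUNT(*) > 1
ORDER BY d.User, d.Host, d.Db;
```

On a server running with lower_case_table_names=1 the names are already folded on creation, so query 1 should return nothing; on a case-sensitive filesystem with the default setting, any row from query 1 or 2 is worth reviewing against the fixed 5.0.26 behaviour before stabilising.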
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-13 23:34:17 UTC
It's already fixed in upstream CVS. Should we use the patch or wait for 5.0.25?
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-14 07:03:33 UTC
Let's wait for the upstream release.
Comment 3 Luca Longinotti (RETIRED) gentoo-dev 2006-10-14 13:41:46 UTC
dev-db/mysql-5.0.26 is in the tree which fixes those problems (5.0.25 wasn't released to the wide public, only to commercial customers).
The bug can be closed I think since no mysql-5 version is stable yet.
Best regards, CHTEKK.
Comment 4 Francesco R. (RETIRED) gentoo-dev 2006-10-23 11:17:20 UTC
gracious stealth ping to the understaffed security team
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-23 11:32:05 UTC
thanks vivo ;-)

closing this without GLSA, since mysql 5.x is still marked ~arch