Bug 220399 (CVE-2008-2079) - dev-db/mysql <5.0.60: circumvention of security restrictions (CVE-2008-2079)
Summary: dev-db/mysql <5.0.60: circumvention of security restrictions (CVE-2008-2079)
Status: RESOLVED FIXED
Alias: CVE-2008-2079
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://bugs.mysql.com/bug.php?id=32167
Whiteboard: B3 [glsa]
Reported: 2008-05-05 16:20 UTC by Christian Hoffmann (RETIRED)
Modified: 2020-04-08 21:47 UTC (History)
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-05-05 16:20:57 UTC
http://thread.gmane.org/gmane.comp.security.oss.general/362

----------------- snip -----------------
MySQL 4.1.24, 5.0.60, 5.1.24, and 6.0.5 fix an issue allowing an
authenticated attacker to gain full access to tables that will be
created by another database user in the future, if the attacker can
predict the name of such tables (and the MyISAM storage engine is used).

References:
http://bugs.mysql.com/bug.php?id=32167
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-24.html
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-60.html
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-24.html
http://dev.mysql.com/doc/refman/6.0/en/news-6-0-5.html

[...]

Release notes also mention following change:
Security Enhancement: It was possible to force an error message of
excessive length which could lead to a buffer overflow. This has been
made no longer possible as a security precaution. (Bug#32707)
http://bugs.mysql.com/bug.php?id=32707

According to the upstream, there is currently no known exploitation
vector for this issue.  Error messages are controlled by the server and
it is believed that crafted messages can only be provided by modifying
system files / binaries, which does not cross a trust boundary.

----------------- snip -----------------

Do we still support mysql-4? <4.1.24 is also vulnerable.

(Not exactly sure this is not a dupe, but it does not look too similar to previous issues...)
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-05 16:26:36 UTC
Attempting to set whiteboard.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-05-09 10:28:27 UTC
This does not only apply to tables that will be created, but also to existing ones!

Important Change: Security Fix: It was possible to circumvent privileges through the creation of MyISAM tables employing the DATA DIRECTORY and INDEX DIRECTORY options to overwrite existing table files in the MySQL data directory. Use of the MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY is now disallowed. (Bug#32167)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079
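A check for the condition the upstream fix enforces, added here as an illustration and not code from MySQL or from this bug: it flags CREATE TABLE statements whose DATA DIRECTORY or INDEX DIRECTORY option resolves into the server's data directory, which is where a MyISAM table's .MYD/.MYI files would then be written over another database's files. The data directory path and the sample statements are constructed; a check on a live server must additionally resolve symlinks with the real filesystem.

```python
import posixpath
import re

# Constructed value; on a real server read it from the datadir setting.
DATADIR = "/var/lib/mysql"

# DATA DIRECTORY='...' / INDEX DIRECTORY='...' table options (with or without '=').
OPTION_RE = re.compile(r"\b(DATA|INDEX)\s+DIRECTORY\s*=?\s*'([^']*)'", re.IGNORECASE)


def directory_options(statement):
    """Return (option, path) pairs for every DATA/INDEX DIRECTORY option in a statement."""
    return [(m.group(1).upper(), m.group(2)) for m in OPTION_RE.finditer(statement)]


def inside_datadir(path, datadir=DATADIR):
    """True if path is the data directory itself or any location beneath it.

    '..' and '.' components are normalised so '/tmp/../var/lib/mysql/db' is caught;
    a sibling such as '/var/lib/mysql-backups' is not, because only a path
    boundary ('/') after the data directory counts as "beneath".
    Symlinks are not resolved here (no filesystem access in this example).
    """
    norm = posixpath.normpath(path)
    base = posixpath.normpath(datadir)
    return norm == base or norm.startswith(base + "/")


def check_statement(statement, datadir=DATADIR):
    """Return the (option, path) pairs of a statement that point into the data directory."""
    return [(opt, p) for opt, p in directory_options(statement)
            if inside_datadir(p, datadir)]


# Constructed sample statements: the first and last are what the fix now rejects.
SAMPLE_STATEMENTS = [
    "CREATE TABLE t1 (a INT) ENGINE=MyISAM DATA DIRECTORY='/var/lib/mysql/otherdb' "
    "INDEX DIRECTORY='/var/lib/mysql/otherdb'",
    "CREATE TABLE t2 (a INT) ENGINE=MyISAM DATA DIRECTORY='/mnt/fastdisk/mysql'",
    "CREATE TABLE t3 (a INT) ENGINE=MyISAM DATA DIRECTORY='/var/lib/mysql-backups'",
    "CREATE TABLE t4 (a INT) ENGINE=MyISAM DATA DIRECTORY='/tmp/../var/lib/mysql/db'",
]


def audit(statements=SAMPLE_STATEMENTS, datadir=DATADIR):
    """Map each offending statement to its violating options; clean statements are omitted."""
    return {s: v for s in statements if (v := check_statement(s, datadir))}


if __name__ == "__main__":
    for stmt, violations in audit().items():
        print("REJECT:", violations, "<-", stmt)
```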
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-05-29 05:51:54 UTC
5.0.60 is in the tree now.

Passes my testing on amd64 and ppc64-32ul.
Test procedure:
FEATURES='userpriv test' USE='-berkdb perl ssl cluster' emerge mysql
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-20 17:20:24 UTC
(In reply to comment #3)
> 5.0.60 is in the tree now.
> 
> Passes my testing on amd64 and ppc64-32ul.
> Test procedure:
> FEATURES='userpriv test' USE='-berkdb perl ssl cluster' emerge mysql
> 

arches, please test and mark stable dev-db/mysql-5.0.60-r1. Target Keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Comment 5 Ferris McCormick (RETIRED) gentoo-dev 2008-07-20 17:46:03 UTC
Sparc stable for mysql-5.0.60-r1 --- I've been using this since 04.vi.08.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2008-07-21 02:38:53 UTC
Stable for HPPA.
Comment 7 Tony Vroon (RETIRED) gentoo-dev 2008-07-21 12:39:47 UTC
AMD64 tests attempted per robbat2-specification:
Stopping All Servers
Failed 47/483 tests, 90.27% were successful.

The log files in var/log may give you some hint
of what went wrong.
If you want to report this error, please read first the documentation at
http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html
The servers were restarted 106 times
Spent 526.491 of 1125 seconds executing testcases

mysql-test-run in ps-protocol mode: *** Failing the test(s): loaddata_autocom_ndb ndb_alter_table ndb_alter_table2 ndb_auto_increment ndb_autodiscover ndb_autodiscover2 ndb_autodiscover3 ndb_basic ndb_bitfield ndb_blob ndb_bug26793 ndb_bug31477 ndb_cache ndb_cache2 ndb_cache_multi ndb_cache_multi2 ndb_charset ndb_condition_pushdown ndb_config ndb_database ndb_gis ndb_index ndb_index_ordered ndb_index_unique ndb_insert ndb_limit ndb_load ndb_loaddatalocal ndb_lock ndb_minmax ndb_multi ndb_read_multi_range ndb_rename ndb_replace ndb_restore ndb_restore_different_endian_data ndb_restore_print ndb_single_user ndb_subquery ndb_transaction ndb_trigger ndb_truncate ndb_types ndb_update ps_7ndb rpl_ndb_innodb_trans strict_autoinc_5ndb
mysql-test-run: *** ERROR: there were failing test cases
make: *** [test-ps] Error 1

System info:
Portage 2.1.4.4 (hardened/amd64, gcc-3.4.6, glibc-2.6.1-r0, 2.6.24-hardened-r3 x86_64)
Comment 8 Tony Vroon (RETIRED) gentoo-dev 2008-07-21 12:44:07 UTC
Used to diff to confirm, same 47 test failures on a non-hardened Core2 Duo:
Portage 2.2_rc1 (default/linux/amd64/2008.0/developer, gcc-4.3.1, glibc-2.8_p20080602-r0, 2.6.26 x86_64)

Please confirm that it is okay for AMD64 to proceed.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2008-07-21 16:31:29 UTC
ppc64 stable
Comment 10 Tony Vroon (RETIRED) gentoo-dev 2008-07-22 16:39:35 UTC
AMD64 stable keyword for 5.0.60-r1. Tested on hardened Opteron 2218 (hardened/amd64, gcc-3.4.6, glibc-2.6.1-r0, 2.6.24-hardened-r3 x86_64) and Core 2 Duo (default/linux/amd64/2008.0/developer, gcc-4.3.1, glibc-2.8_p20080602-r0, 2.6.26 x86_64). NDB fails tests on AMD64, discussed with robbat2 on IRC, clear to proceed.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-22 19:47:52 UTC
ppc stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-07-24 08:38:34 UTC
alpha/ia64/x86 stable
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-08-03 21:47:12 UTC
glsa vote: YES
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-05 15:05:29 UTC
half-yes
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-08-11 18:58:18 UTC
yes too, request filed.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-09-04 20:12:08 UTC
GLSA 200809-04