Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 46242 - dev-db/mysql : Insecure Temp File Creation Vulnerabilities
Summary: dev-db/mysql : Insecure Temp File Creation Vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: Highest critical (vote)
Assignee: Gentoo Security
: 45727 (view as bug list)
Depends on:
Reported: 2004-03-30 07:27 UTC by schaedpq
Modified: 2004-09-22 21:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Patched mysqlbug script (mysqlbug,10.35 KB, text/plain)
2004-03-30 07:28 UTC, schaedpq

Note You need to log in before you can comment on or make changes to this bug.
Description schaedpq 2004-03-30 07:27:17 UTC
The mysql bugreporting utility uses a hardcoded filename to create a temporary file if a bugreport is aborted. This can be exploited for a symbolic link attack which can lead to destruction of data and DoS (e.g. overwriting /etc/passwd).

Reproducible: Didn't try
Steps to Reproduce:

See on bugtraq:

The issue has been fixed in the mysql development source repository and will be
contained in the next release of MySQL.

The fix they used is:
# This is a BitKeeper generated diff -Nru style patch.
# ChangeSet
#   2004/03/24 20:27:07+01:00 serg@serg.mylan 
#   protection against "ln -s /etc/passwd /tmp/failed-mysql-bugreport"
# scripts/
#   2004/03/24 20:27:05+01:00 serg@serg.mylan +2 -2
#   protection against "ln -s /etc/passwd /tmp/failed-mysql-bugreport"
diff -Nru a/scripts/ b/scripts/
--- a/scripts/	Tue Mar 30 07:12:52 2004
+++ b/scripts/	Tue Mar 30 07:12:52 2004
@@ -252,9 +252,9 @@
 if cmp -s $TEMP $TEMP.x
   echo "File not changed, no bug report submitted."
-  cp $TEMP /tmp/failed-mysql-bugreport
+  mv -f $TEMP /tmp/failed-mysql-bugreport
   echo "The raw bug report exists in /tmp/failed-mysql-bugreport"
-  echo "If you use this remember that the first lines of the report now is a lie.."
+  echo "If you use this remember that the first lines of the report are now a
   exit 1

I patched the script /usr/bin/mysqlbug on my system and will attach the patched
script to this bug.
Comment 1 schaedpq 2004-03-30 07:28:13 UTC
Created attachment 28371 [details]
Patched mysqlbug script
Comment 2 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 07:30:31 UTC
mysql folks -- can you review/comment?
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-03-30 10:27:10 UTC
security: impact rating = verylow
mysql4.0 is reasonably bugless at this point in time.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-04-06 08:06:39 UTC
*** Bug 45727 has been marked as a duplicate of this bug. ***
Comment 5 Kurt Lieber (RETIRED) gentoo-dev 2004-04-07 11:32:33 UTC
Robin -- bug-free as it may be, we should still look at patching this.  We certainly get a boat load of bogus "package foo doesn't compile" bug reports and I'm sure mysql does as well.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-04-13 03:31:32 UTC
Fixed in (to be released) 4.0.19.
Wait or patch ?
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-04-13 09:06:24 UTC
-r1 in cvs
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-04-13 11:33:26 UTC
Waiting for stable...
Arches : please test :)

Comment 9 Jason Wever (RETIRED) gentoo-dev 2004-04-13 17:00:36 UTC
According to robbat2's latest changelog entry for this, there are some automake changes that need to be tested first.  Can someone elaborate on this and what criteria we can use to gauge if those changes are working ok?
Comment 10 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-04-13 18:42:40 UTC
the automake stuff relates to building with either NPTL or SSL (or both) enabled. it's just commented out from the previous revision.

if it builds with USE=ssl then you'll be fine. that's all thats really needed.

MySQL with NPTL is not supported by upstream MySQL anyway (but lots of users want it).

the bug for the mysql automake stuff is bug #45177.
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2004-04-14 08:22:57 UTC
It works fine with USE="ssl" on Alpha. Marked stable.
Comment 12 Michael McCabe (RETIRED) gentoo-dev 2004-04-14 09:21:40 UTC
Worked on s390 with USE="ssl", marked as stable
Comment 13 Jason Wever (RETIRED) gentoo-dev 2004-04-14 11:10:18 UTC
Stable on sparc.
Comment 14 Jon Portnoy (RETIRED) gentoo-dev 2004-04-28 13:48:59 UTC
Stable on AMD64 and x86.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-04-29 07:28:43 UTC
Still waiting on ppc to mark stable to issue the GLSA and/or close this one.
Comment 16 Guy Martin (RETIRED) gentoo-dev 2004-04-29 12:44:38 UTC
Stable on hppa.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-05-11 01:43:48 UTC
There appears to be two possible symlink attacks in MySQL scripts :

The script mysqlbug in MySQL allows local users to overwrite arbitrary files via a symlink attack.

The script mysqld_multi in MySQL allows local users to overwrite arbitrary files via a symlink attack.

Robin : could you include a fixed mysqld_multi in 4.0.18-r1 ? Here is Debian's patch :

--- mysql-dfsg-4.0.18.orig/scripts/
+++ mysql-dfsg-4.0.18/scripts/
@@ -9,7 +9,7 @@
 $opt_config_file   = undef();
 $opt_example       = 0;
 $opt_help          = 0;
-$opt_log           = "/tmp/mysqld_multi.log";
+$opt_log           = "$ENV{HOME}/mysqld_multi.log";
 $opt_mysqladmin    = "@bindir@/mysqladmin";
 $opt_mysqld        = "@libexecdir@/mysqld";
 $opt_no_log        = 0;

Comment 18 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-05-13 20:48:13 UTC
would setting $opt_log in mysqld_multi to /var/log/mysql/mysqld_multi.log be acceptable? Arbitary users don't have access there, so that should resolve the security issue and clean things up some.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2004-05-14 00:53:31 UTC
Robin : I am not sure. 
The $opt_log is the mysqld_multi commands results log, not the mysqld log. I could be wrong, but it seems to me that mysqld_multi is designed so that it can be called with ordinary user rights (if you provide it with accessible TCP port and data/log directories), hence the $HOME thing.
However, if you think it should be called only as root, you decide : your patch would in this case offer the needed security. If you want my opinion, I think user-based logging handles more cases and therefore is better.
Comment 20 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-05-17 20:22:30 UTC
mysqld_multi needs to be run as root
as it runs each of the child mysqld processes as different users.
i've back-ported the fix from 4.0.19 and i'm putting it in as 4.0.18-r2 very shortly (After i'm sure that 4.0.19 builds as well).
Comment 21 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-05-17 20:57:22 UTC
Koon: ok, both 4.0.18-r2 and 4.0.19 are in the cvs tree now.
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2004-05-18 06:19:44 UTC
Perfect !
ppc, mips, ia64 : please mark 4.0.18-r2 or 4.0.19 stable so we can close this one
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2004-05-24 02:05:09 UTC
ppc, mips, ia64 : please mark >=4.0.18-r2 stable so we can send the GLSA on this one.
Comment 24 Joshua Kinard gentoo-dev 2004-05-24 18:48:46 UTC
mips is done, just had to check the berkdb thing out some more.
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2004-05-25 11:30:17 UTC
In fact ppc marked stable... this one is GLSA-ready.
Comment 26 Thierry Carrez (RETIRED) gentoo-dev 2004-05-25 13:50:32 UTC
GLSA 200405-20