Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 77805 - dev-db/mysql symlink vulnerability
Summary: dev-db/mysql symlink vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL: http://lists.mysql.com/internals/20600
Whiteboard: B3 [glsa] jaervosz
Keywords:
: 78558 (view as bug list)
Depends on: 78678
Blocks:
  Show dependency tree
 
Reported: 2005-01-13 03:37 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-08-15 21:28 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch for mysql-4.1.8 modified from http://lists.mysql.com/internals/20600 (mysql-4.1.8-bug77805.patch,3.31 KB, patch)
2005-01-17 15:40 UTC, Francesco R. (RETIRED)
no flags Details | Diff
4.1.9 ebuild patches ewarn (my-stuff-4.1.9.tar.gz,5.11 KB, application/octet-stream)
2005-01-20 16:48 UTC, francesco riosa
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-01-13 03:37:32 UTC
Issues reported by Javier Fernandez-Sanguino Pena and Debian Security Audit Team.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-13 09:07:36 UTC
This is CAN-2005-0004 and can be considered semi-public.
Robin: please apply fix to 4.0.23 and bump in portage ?
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-01-17 06:08:59 UTC
Public now @ http://secunia.com/advisories/13867/
Comment 3 Francesco R. (RETIRED) gentoo-dev 2005-01-17 15:40:34 UTC
Created attachment 48789 [details, diff]
patch for mysql-4.1.8 modified from http://lists.mysql.com/internals/20600

sligtly modified the patch reported in the url given.
It should apply cleanly on mysql-4.1.8 tree
Comment 4 Jasmin Buchert 2005-01-17 18:31:14 UTC
Patch for mysql-4.1.8 also applys cleanly to mysql-4.1.9 (bug #78452).
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-18 12:29:54 UTC
*** Bug 78558 has been marked as a duplicate of this bug. ***
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-18 12:47:48 UTC
Robin/Jasmin please provide a patch for 4.0.22 or we'll have to mark 4.1 stable to fix this.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-01-18 13:15:59 UTC
The patch here applies cleanly to the 4.0.

4.1 is package.masked still, for several reasons. It _will_ break the tree (needing massive revdep-rebuild, and many packages don't build against it yet).
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-18 13:38:55 UTC
Robin/Solar if the patch is fine please apply it.
Comment 9 Robert Coie (RETIRED) gentoo-dev 2005-01-18 14:06:51 UTC
I think there's a slight typo in the attached patch, where we have two $ on 
the $MYSQL_CNF assignment.  Applied to 4.0.23-r1 and 4.1.8-r1.
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-18 22:33:24 UTC
Thx rac, but please don't close security bugs as we also handle stable marking.

Arches please test and mark stable 4.0.23-r1.
Comment 11 Olivier Crete (RETIRED) gentoo-dev 2005-01-18 23:51:53 UTC
stable on x86
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-01-19 01:44:10 UTC
I vote for a GLSA since mysqlaccess is an admin tool in PATH.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-19 01:51:12 UTC
I vote for a GLSA on this one too.
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2005-01-19 05:22:02 UTC
stable on ppc64
Comment 15 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-19 07:26:39 UTC
stable on sparc.
Comment 16 Ernst Herzberg 2005-01-19 08:25:50 UTC
STOP!
http://bugs.gentoo.org/show_bug.cgi?id=78678
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-01-19 09:11:36 UTC
I don't think the patch from 4.0.23 to 4.0.23-r1 broke it, it must be something between 4.0.22 and 4.0.23 itself.

Back to ebuild status, uncalling arches and setting 78678 as blocker
Comment 18 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-01-19 13:13:07 UTC
crap
there is another bug in 4.0.23 as well.
http://bugs.mysql.com/bug.php?id=7515

It's broken in 4.0.23 and 4.1.8, so I've put 4.0.23 back as ~arch for all values of arch.

I'll see about backporting CAN-2005-0004 to 4.0.22.
Comment 19 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-01-19 15:22:03 UTC
Ok, lets try this again. mysql-4.0.22-r2 is in the tree as ~arch, and contains the security fix.
Comment 20 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-19 22:49:23 UTC
Thx Robin for backporting.

Arches please test and mark mysql-4.0.22-r2 stable
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2005-01-19 23:38:17 UTC
stable on ppc64.. once more.

.. I should have noticed this ..
Comment 22 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-20 07:26:38 UTC
4.0.22-r2 stable on sparc.
Comment 23 Olivier Crete (RETIRED) gentoo-dev 2005-01-20 09:50:24 UTC
stable on x86 too... this bug looks pretty bad for our testing... (myself included..). Could we do something to improve our QA on this sort of thing?
Comment 24 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-20 10:22:29 UTC
4.0.22-r2 stable on alpha.
Comment 25 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-01-20 11:25:42 UTC
tester:
The libtool glitch didn't show up as I strongly suspect most devs are using the new libtool where it's bypassed.
Comment 26 francesco riosa 2005-01-20 16:48:29 UTC
Created attachment 49070 [details]
4.1.9 ebuild patches ewarn

really sorry for the typo signaled in #9 by Robert Coie

the patch signaled in #18 From Robin Johnson for mysql 4.0 reside at 
http://mysql.bkbits.net:8080/mysql-4.0/patch@1.2014
and is shorter than 100 rows

the one for mysql 4.1 include fix for MySQL Bugs: #7297: "Date decoding
trouble" but I was unable to apply to 4.1.8. It was already applied ???

so the motive to write this message has been dropped, to not trash (hoping not
to trash your ;) completely my time I've modified the 4.1.8-r1 ebuild to build
4.1.9.

changes are :
1) Added documentation for upgrade, and removed corrispondent TODO, you have
already experienced my english so please read and correct errors if there are.
Moved wait time out from warning() and modified wait time
2) modified again mysqld_safe patch, IMHO you can valutate to remove this
patch, the checks it do always fall into the chosen behaviour, it move often,
and is executed at startup only.
3) thrssl patch is not needed anymore, commented it

compiled with all useflag on but "debug" and "ruby"
included files:

# tar -ztf my-stuff-4.1.9.tar.gz
mysql-4.1.9.ebuild
4.1.8-r1_4.1.9.patch
files/digest-mysql-4.1.9
files/mysql-4.1.9-mysqld-safe-sh.diff

and a final note: mysql generally compile with -O3 optimization using -Os
should be evaluated at least on amd64 and x86, the executabe is 10% smaller and
I bet the cache hit increase more than that 10%, but this is argument for
another thread.
Comment 27 Luca Barbato gentoo-dev 2005-01-21 12:20:39 UTC
4.0.22-r2 stable on ppc.
Comment 28 Simon Stelling (RETIRED) gentoo-dev 2005-01-21 13:24:36 UTC
amd64 done
Comment 29 Luke Macken (RETIRED) gentoo-dev 2005-01-23 14:10:21 UTC
GLSA 200501-33

ia64/arm/hppa/s390/mips, please mark stable to benefit from GLSA.
Comment 30 Joshua Kinard gentoo-dev 2005-02-06 20:31:37 UTC
mips stable.
Comment 31 Francesco R. (RETIRED) gentoo-dev 2005-02-15 06:54:03 UTC
MySQL AB today released version 4.1.10 that fix this bug too
Comment 32 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 05:30:47 UTC
Already stable on hppa