Bug 84924 - MySQL: Two Vulnerabilities (fixed in 4.0.24, version bump needed)
Summary: MySQL: Two Vulnerabilities (fixed in 4.0.24, version bump needed)
Status: RESOLVED DUPLICATE of bug 84819
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/14547/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-03-11 19:12 UTC by Peter Gordon (RETIRED)
Modified: 2005-07-17 13:06 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Peter Gordon (RETIRED) gentoo-dev 2005-03-11 19:12:18 UTC
TITLE:
MySQL Two Vulnerabilities

SECUNIA ADVISORY ID:
SA14547

VERIFY ADVISORY:
http://secunia.com/advisories/14547/

CRITICAL:
Less critical

IMPACT:
Privilege escalation, System access

WHERE:
From local network

SOFTWARE:
MySQL 4.x
http://secunia.com/product/404/

DESCRIPTION:
Stefano Di Paola has reported two vulnerabilities in MySQL, which
potentially can be exploited by malicious users to compromise a
vulnerable system and by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.

1) An input validation error in the "udf_init()" function in
"sql_udf.cc" causes the "dl" field of the "mysql.func" table to not
be properly sanitised before being used to load libraries. This can
be exploited by manipulating the "mysql" administrative database
directly via a "INSERT INTO" statement instead of using "CREATE
FUNCTION".

Successful exploitation allows loading a malicious library from an
arbitrary location, but requires "INSERT" and "DELETE" permissions on
the "mysql" administrative database.

NOTE: This can be exploited remotely if a user has privileges to
create local files via a "SELECT ... INTO OUTFILE" statement.

2) Temporary files are created insecurely with the "CREATE TEMPORARY
TABLE" command and can be exploited via symlink attacks to overwrite
arbitrary files with the privileges of MySQL.

The vulnerabilities have been reported in versions 4.0.23, and 4.1.10
and prior.

SOLUTION:
The vulnerabilities have been fixed in version 4.0.24.

Do not grant untrusted users privileges to perform "CREATE TEMPORARY
TABLE" statements and manipulate the "mysql" administrative database.

PROVIDED AND/OR DISCOVERED BY:
Stefano Di Paola

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Portage 2.0.51.19 (default-linux/x86/2004.3, gcc-3.4.3, glibc-2.3.4.20050125-r1,
2.6.11.2 i686)
=================================================================
System uname: 2.6.11.2 i686 AMD Athlon(tm) processor
Gentoo Base System version 1.6.10
Python:              dev-lang/python-2.4-r2 [2.4 (#2, Feb  9 2005, 19:08:43)]
ccache version 2.3 [enabled]
dev-lang/python:     2.4-r2
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.6.3, 1.8.5-r3, 1.9.5, 1.5, 1.7.9-r1, 1.4_p6
sys-devel/binutils:  2.15.92.0.2-r5
sys-devel/libtool:   1.5.10-r5
virtual/os-headers:  2.6.8.1-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-tbird -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/
/usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/
/usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-tbird -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks parallel-fetch sandbox sfperms"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo
http://distro.ibiblio.org/pub/Linux/distributions/gentoo/
http://distfiles.gentoo.org"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="x86 3dnow 3dnowex X X509 aac aalib acpi alsa apache2 apm artworkextra
audiofile avi bash-completion bcmath bidi bindist bitmap-fonts bmp bzip2 bzlib
calendar cdparanoia chroot cjk cpdflib crypt cscope ctype cups curl curlwrappers
dba dbx directfb encode erandom exif fam fbcon ffmpeg flac font-server
foomaticdb fortran fpx ftp gcj gd gdbm ggi gif gimpprint glitz glut gnutls gpm
graphviz gstreamer gtk gtk2 gtkhtml hal iconv imap imlib innodb ipv6 java
javacomm javascript jbig jikes jpeg lcms ldap libcaca live lua mad mbox md5sum
mhash mikmod mime ming mmap mmx mmx2 mng mozdevelop mozilla mozsvg mozxmlterm
mp3 mpeg mpi mplayer mysql mysqli ncurses nls nptl nptlonly nvidia objc
offensive oggvorbis opengl openntpd pam pam_console parse-clocks pcmcia pcre
perl php physfs pic png pnp posix ppds pwdb python readline real rtc ruby sasl
sdk sdl session silc simplexml skey slang sndfile sockets speex spell sqlite ssl
startup-notification stroke svg svga sysvipc tcltk tcpd tetex theora threads
tidy tiff tokenizer toolbar truetype truetype-fonts type1-fonts unicode usb
utempter wddx wmf xchatdccserver xine xml xml2 xpm xprint xsl xv xvid zlib
video_cards_nvidia"
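The advisory's mitigation is a privilege one: keep INSERT/DELETE on the "mysql" database, FILE (for SELECT ... INTO OUTFILE) and CREATE TEMPORARY TABLES away from untrusted accounts, and review any mysql.func row whose "dl" value names a path rather than a bare library file. The audit queries below are an added example and are not part of the bug report or the Secunia advisory; they assume the classic MySQL 4.x grant tables (mysql.func, mysql.user, mysql.db), and the account name 'app'@'localhost' in the REVOKE statements is a placeholder.

```sql
-- Added audit queries (example code, not from the bug report or the advisory).
-- Assumes the MySQL 4.x grant tables; column names are the real ones.

-- 1) UDF rows whose "dl" carries a directory component. CREATE FUNCTION only
--    accepts a bare library file name, so a "dl" with a path in it can only
--    have reached mysql.func by a direct write and deserves a look.
SELECT name, ret, dl, type
  FROM mysql.func
 WHERE dl LIKE '%/%'
    OR dl LIKE '%\\\\%'   -- a literal backslash: escaped once for the string, once for LIKE
    OR dl LIKE '%..%';

-- 2) Accounts that can write to the "mysql" database: either a global
--    INSERT/DELETE grant or a database-level one scoped to "mysql".
SELECT User, Host, 'global' AS scope
  FROM mysql.user
 WHERE Insert_priv = 'Y' OR Delete_priv = 'Y'
UNION ALL
SELECT User, Host, CONCAT('db:', Db) AS scope
  FROM mysql.db
 WHERE Db = 'mysql' AND (Insert_priv = 'Y' OR Delete_priv = 'Y');

-- 3) Accounts holding FILE (needed for SELECT ... INTO OUTFILE, the remote
--    angle the advisory notes) or CREATE TEMPORARY TABLES (issue 2).
SELECT User, Host, File_priv, Create_tmp_table_priv
  FROM mysql.user
 WHERE File_priv = 'Y' OR Create_tmp_table_priv = 'Y';

-- 4) Pulling the grants back from an account that turned up above.
--    'app'@'localhost' is a placeholder. A database-level grant is revoked on
--    mysql.*, a global one on *.*; revoke at the level the grant was made.
REVOKE INSERT, DELETE ON mysql.* FROM 'app'@'localhost';
REVOKE CREATE TEMPORARY TABLES, FILE ON *.* FROM 'app'@'localhost';
FLUSH PRIVILEGES;
```

Run the SELECTs as a privileged account on a server still on 4.0.23 or 4.1.10 while the version bump is pending; an empty result from query 1 and a short, expected list from queries 2 and 3 is the state the advisory's SOLUTION section describes.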
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-11 22:45:20 UTC

*** This bug has been marked as a duplicate of 84819 ***