Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 93792 - dev-db/xmysqladmin <= 1.0 insecure temporary file creation && maybe more
Summary: dev-db/xmysqladmin <= 1.0 insecure temporary file creation && maybe more
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Other
: High enhancement (vote)
Assignee: Gentoo Security
Whiteboard: B3 [ebuild+ masked]
: 95571 (view as bug list)
Depends on:
Reported: 2005-05-24 04:27 UTC by Romang
Modified: 2006-08-26 15:43 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Romang 2005-05-24 04:27:02 UTC

During the drop off a database, xmysqladmin dropt the database and create a tar.gz inside /tmp without checking if the file exist already.

void dropdb_drop(FL_OBJECT *obj, long data)
  char *cmd;

  if(!fl_show_question("WARNING!!!\nThis database will be delete.\nDo you want to continue?", 0))
  if(!fl_show_question("WARNING!!!\nThis database will be delete.\nAre you sure?", 0))

  cmd = (char *) malloc(2048);
  if(!cmd) return;

  sprintf(cmd, "%s %s/%s.tar%s %s%s/*", BACKUP, BACKUPDIR, g_dropdb_dbfname,
          BACKUPSUFFIX, Setup.datapath, g_dropdb_dbfname);

  fl_exe_command(cmd, 1);

    MYSQL connection;
    if(g_mysql_connect(&connection,, Setup.user, Setup.password))
      if(mysql_drop_db(&connection, g_dropdb_dbfname))
          fl_show_message("The database",g_dropdb_dbfname,"has been destroyed");

          fl_show_alert("Cannot connect to server","","",0);

Possible to overwrite arbitrary files or get the content off the database.

Maybe more bugs into this soft ;)

Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-29 01:15:51 UTC
Yes, perhaps BACKUPDIR could be set to "." in the Makefile?
Comment 2 Romang 2005-05-29 07:51:27 UTC

Yes it's a solution. If the . directory is not world writable.
Upstream should find another solution.

I contact him, and propose him the . solution.

Comment 3 Romang 2005-06-06 01:22:34 UTC

No upstream response.

Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-09 09:37:39 UTC
*** Bug 95571 has been marked as a duplicate of this bug. ***
Comment 5 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-09 09:38:17 UTC
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-06-24 05:56:43 UTC
So we need to patch the Makefile (or remove the package) since upstream is silent.

No maintainer...
mysql herd, do you feel like taking this one ?
rphillips: you're the only survivor in the old committers, let us know if you
accept to patch again.

I guess we'll have to mask/remove it if noone wants it.
Comment 7 Francesco R. (RETIRED) gentoo-dev 2005-06-27 01:38:27 UTC
Koon: can you hard mask it in my place please ?
Waiting approval from herd lead to remove it.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-06-27 01:57:39 UTC
Package masked on vivo's request. Bug kept open until complete removal.
Comment 9 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-08-17 17:25:59 UTC
I don't agree that this is insecure temp file creation.
the permissions of the created file in /tmp are 644.

sure the design decision of creating /tmp/foo.tar.gz without checkign that it
already exists isn't great, but it's not bad given that xmysqladmin is run with
user permissions. it fails if the user doesn't have permissions to write there,
provided your /tmp is set up correctly with the sticky bit.

It looks like it should be acceptable to set umask(0077) before running tar.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-22 12:41:27 UTC
Any news on this one?
Comment 11 Luca Longinotti (RETIRED) gentoo-dev 2006-04-16 13:09:15 UTC
MySQL herd doesn't really want to maintain this, since it's p.masked since a long time, I'd go for removal.
If none speaks up, I'll send the last rites email tomorrow, and remove from the tree two weeks after that.
Best regards, CHTEKK.
Comment 12 Luca Longinotti (RETIRED) gentoo-dev 2006-08-26 15:43:55 UTC
Removed from Portage.
Best regards, CHTEKK.