SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Database)  >   MySQL Vendors:   MySQL.com
(Gentoo Issues Fix) MySQL 'mysqlaccess.sh' Unsafe Temporary Files May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1012970
SecurityTracker URL:  http://securitytracker.com/id/1012970
CVE Reference:   CVE-2005-0004   (Links to External Site)
Date:  Jan 24 2005
Impact:   Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.0
Description:   A vulnerability was reported in MySQL in the 'mysqlaccess.sh' script. A local user may be able to obtain elevated privileges.

The vendor reported that 'mysqlaccess.sh' creates temporary files in an unsafe manner. A local user can create a symbolic link (symlink) from a critical file on the system to a temporary file to be used by the script. Then, when the script is executed, the symlinked file may be modified with the privileges of the script.

The vendor credits Javier Fernandez-Sanguino Pena and the Debian Security Audit Team with reporting this flaw.

Impact:   A local user may be able to obtain elevated privileges.
Solution:   Gentoo has released a fix and indicates that all MySQL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-4.0.22-r2"

Vendor URL:  www.mysql.com/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Gentoo)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 17 2005 MySQL 'mysqlaccess.sh' Unsafe Temporary Files May Let Local Users Gain Elevated Privileges



 Source Message Contents

Subject:  [gentoo-announce] [ GLSA 200501-33 ] MySQL: Insecure temporary file creation



--lrZ03NoBR/3+SXJZ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200501-33
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MySQL: Insecure temporary file creation
      Date: January 23, 2005
      Bugs: #77805
        ID: 200501-33

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

MySQL is vulnerable to symlink attacks, potentially allowing a local
user to overwrite arbitrary files.

Background
==========

MySQL is a fast, multi-threaded, multi-user SQL database server.

Affected packages
=================

    -------------------------------------------------------------------
     Package       /   Vulnerable   /                       Unaffected
    -------------------------------------------------------------------
  1  dev-db/mysql      < 4.0.22-r2                        >= 4.0.22-r2

Description
===========

Javier Fernandez-Sanguino Pena from the Debian Security Audit Project
discovered that the 'mysqlaccess' script creates temporary files in
world-writeable directories with predictable names.

Impact
======

A local attacker could create symbolic links in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When
the mysqlaccess script is executed, this would result in the file being
overwritten with the rights of the user running the software, which
could be the root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MySQL users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-db/mysql-4.0.22-r2"

References
==========

  [ 1 ] CAN-2005-0004
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0004
  [ 2 ] Secunia Advisory SA13867
        http://secunia.com/advisories/13867/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200501-33.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

--lrZ03NoBR/3+SXJZ
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFB9CCXRsm3eDkOu7kRAlULAJ90ptyrg0rjZ5ZHUg6TakKXu2EWiQCff3yi
Iy36YMEReFbRhkUIl4DzSuA=
=Gcgp
-----END PGP SIGNATURE-----

--lrZ03NoBR/3+SXJZ--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC