Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200405-20 ] Insecure Temporary File Creation In MySQL
Date: Tue, 25 May 2004 20:48:22
Message-Id: 40B3B0D6.6070407@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200405-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Insecure Temporary File Creation In MySQL
Date: May 25, 2004
Bugs: #46242
ID: 200405-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Two MySQL utilities create temporary files with hardcoded paths,
allowing an attacker to use a symlink to trick MySQL into overwriting
important data.

Background
==========

MySQL is a popular open-source multi-threaded, multi-user SQL database
server.

Affected packages
=================

    -------------------------------------------------------------------
     Package       /   Vulnerable   /                      Unaffected
    -------------------------------------------------------------------
  1  dev-db/mysql      < 4.0.18-r2                        >= 4.0.18-r2

Description
===========

The MySQL bug reporting utility (mysqlbug) creates a temporary file to
log bug reports to. A malicious local user with write access to the
/tmp directory could create a symbolic link of the name mysqlbug-N
pointing to a protected file, such as /etc/passwd, such that when
mysqlbug creates the Nth log file, it would end up overwriting the
target file. A similar vulnerability exists with the mysql_multi
utility, which creates a temporary file called mysql_multi.log.

Impact
======

Since mysql_multi runs as root, a local attacker could use this to
destroy any other users' data or corrupt and destroy system files.

Workaround
==========

One could modify both scripts to log to a directory that users do not
have write permission to, such as /var/log/mysql/.

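The file-creation pattern from the Description, next to two ways of creating the log that do not write through a pre-existing link. This is an added example, not code from the advisory or from MySQL; the function names are hypothetical, and the sandbox directory and its "protected" file are constructed stand-ins for /tmp and /etc/passwd.

```shell
#!/bin/sh
# Added example. All function names are hypothetical; the sandbox directory
# and the "protected" file are constructed stand-ins for /tmp and /etc/passwd.

# Pattern from the Description: fixed, guessable name. '>' follows an
# existing symlink and truncates whatever it points to.
unsafe_log() {          # $1 = shared directory, $2 = N
    echo "bug report" > "$1/mysqlbug-$2"
}

# Hardened: mktemp chooses an unpredictable name and creates the file
# exclusively, so a link put in place in advance is never opened.
safe_log() {            # $1 = shared directory; prints the path it created
    f=$(mktemp "$1/mysqlbug.XXXXXX") || return 1
    echo "bug report" > "$f"
    printf '%s\n' "$f"
}

# Hardened, name kept fixed: noclobber (set -C) makes '>' refuse an existing
# regular file, including one reached through a symlink. The writer fails
# instead of overwriting; the subshell keeps the option local.
fixed_name_log() {      # $1 = shared directory, $2 = N
    ( set -C; echo "bug report" > "$1/mysqlbug-$2" )
}

# Build a private sandbox, put a link named mysqlbug-1 in place before the
# writer runs, call the writer, and report whether the target survived.
run_case() {            # $1 = name of one of the writers above
    box=$(mktemp -d) || return 1
    echo "original" > "$box/protected"
    ln -s "$box/protected" "$box/mysqlbug-1"
    "$1" "$box" 1 >/dev/null 2>&1 || true
    if [ "$(cat "$box/protected")" = "original" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$box"
    echo "$result"
}

for writer in unsafe_log safe_log fixed_name_log; do
    printf '%-15s target %s\n' "$writer" "$(run_case "$writer")"
done
```
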
Resolution
==========

All users should upgrade to the latest stable version of MySQL.

    # emerge sync

    # emerge -pv ">=dev-db/mysql-4.0.18-r2"
    # emerge ">=dev-db/mysql-4.0.18-r2"

References
==========

[ 1 ] CAN-2004-0381
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0381
[ 2 ] CAN-2004-0388
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0388

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200405-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0