[gentoo-announce] [ GLSA 200409-02 ] MySQL: Insecure temporary file creation in mysqlhotcopy - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200409-02 ] MySQL: Insecure temporary file creation in mysqlhotcopy
Date:	Wed, 01 Sep 2004 15:45:26
Message-Id:	`4135EDBF.9000405@gentoo.org`

1

-----BEGIN PGP SIGNED MESSAGE-----

2

Hash: SHA1

3

4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5

Gentoo Linux Security Advisory                           GLSA 200409-02

6

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7

                                            http://security.gentoo.org/

8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9

10

  Severity: Normal

11

     Title: MySQL: Insecure temporary file creation in mysqlhotcopy

12

      Date: September 01, 2004

13

      Bugs: #60744

14

        ID: 200409-02

15

16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

17

18

Synopsis

19

========

20

21

The mysqlhotcopy utility can create temporary files with predictable

22

paths, allowing an attacker to use a symlink to trick MySQL into

23

overwriting important data.

24

25

Background

26

==========

27

28

MySQL is a popular open-source multi-threaded, multi-user SQL database

29

server.

30

31

Affected packages

32

=================

33

34

    -------------------------------------------------------------------

35

     Package       /  Vulnerable  /                         Unaffected

36

    -------------------------------------------------------------------

37

  1  dev-db/mysql      <= 4.0.20                          >= 4.0.20-r1

38

39

Description

40

===========

41

42

Jeroen van Wolffelaar discovered that the MySQL database hot copy

43

utility (mysqlhotcopy.sh), when using the scp method, uses temporary

44

files with predictable names. A malicious local user with write access

45

to the /tmp directory could create a symbolic link pointing to a file,

46

which may then be overwritten. In cases where mysqlhotcopy is run as

47

root, a malicious user could create a symlink to a critical file such

48

as /etc/passwd and cause it to be overwritten.

49

50

Impact

51

======

52

53

A local attacker could use this vulnerability to destroy other users'

54

data or corrupt and destroy system files, possibly leading to a denial

55

of service condition.

56

57

Workaround

58

==========

59

60

There is no known workaround at this time.

61

62

Resolution

63

==========

64

65

All MySQL users should upgrade to the latest version:

66

67

    # emerge sync

68

69

    # emerge -pv ">=dev-db/mysql-4.0.20-r1"

70

    # emerge ">=dev-db/mysql-4.0.20-r1"

71

72

References

73

==========

74

75

  [ 1 ] CAN-2004-0457

76

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0457

77

78

Availability

79

============

80

81

This GLSA and any updates to it are available for viewing at

82

the Gentoo Security Website:

83

84

  http://security.gentoo.org/glsa/glsa-200409-02.xml

85

86

Concerns?

87

=========

88

89

Security is a primary focus of Gentoo Linux and ensuring the

90

confidentiality and security of our users machines is of utmost

91

importance to us. Any security concerns should be addressed to

92

security@g.o or alternatively, you may file a bug at

93

http://bugs.gentoo.org.

94

95

License

96

=======

97

98

Copyright 2004 Gentoo Foundation, Inc; referenced text

99

belongs to its owner(s).

100

101

The contents of this document are licensed under the

102

Creative Commons - Attribution / Share Alike license.

103

104

http://creativecommons.org/licenses/by-sa/1.0

105

106

107

-----BEGIN PGP SIGNATURE-----

108

Version: GnuPG v1.2.4 (GNU/Linux)

109

Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

110

111

iD8DBQFBNe2/vcL1obalX08RAnCHAJ0W1NV44t2Z8xg2KZ5pA2IFP3QwCQCgk7Vm

112

7e5vtqbm5qpe3N3stRbPNis=

113

=/6Kl

114

-----END PGP SIGNATURE-----

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5	Gentoo Linux Security Advisory GLSA 200409-02
6	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7	http://security.gentoo.org/
8	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10	Severity: Normal
11	Title: MySQL: Insecure temporary file creation in mysqlhotcopy
12	Date: September 01, 2004
13	Bugs: #60744
14	ID: 200409-02
15
16	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18	Synopsis
19	========
20
21	The mysqlhotcopy utility can create temporary files with predictable
22	paths, allowing an attacker to use a symlink to trick MySQL into
23	overwriting important data.
24
25	Background
26	==========
27
28	MySQL is a popular open-source multi-threaded, multi-user SQL database
29	server.
30
31	Affected packages
32	=================
33
34	-------------------------------------------------------------------
35	Package / Vulnerable / Unaffected
36	-------------------------------------------------------------------
37	1 dev-db/mysql <= 4.0.20 >= 4.0.20-r1
38
39	Description
40	===========
41
42	Jeroen van Wolffelaar discovered that the MySQL database hot copy
43	utility (mysqlhotcopy.sh), when using the scp method, uses temporary
44	files with predictable names. A malicious local user with write access
45	to the /tmp directory could create a symbolic link pointing to a file,
46	which may then be overwritten. In cases where mysqlhotcopy is run as
47	root, a malicious user could create a symlink to a critical file such
48	as /etc/passwd and cause it to be overwritten.
49
50	Impact
51	======
52
53	A local attacker could use this vulnerability to destroy other users'
54	data or corrupt and destroy system files, possibly leading to a denial
55	of service condition.
56
57	Workaround
58	==========
59
60	There is no known workaround at this time.
61
62	Resolution
63	==========
64
65	All MySQL users should upgrade to the latest version:
66
67	# emerge sync
68
69	# emerge -pv ">=dev-db/mysql-4.0.20-r1"
70	# emerge ">=dev-db/mysql-4.0.20-r1"
71
72	References
73	==========
74
75	[ 1 ] CAN-2004-0457
76	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0457
77
78	Availability
79	============
80
81	This GLSA and any updates to it are available for viewing at
82	the Gentoo Security Website:
83
84	http://security.gentoo.org/glsa/glsa-200409-02.xml
85
86	Concerns?
87	=========
88
89	Security is a primary focus of Gentoo Linux and ensuring the
90	confidentiality and security of our users machines is of utmost
91	importance to us. Any security concerns should be addressed to
92	security@g.o or alternatively, you may file a bug at
93	http://bugs.gentoo.org.
94
95	License
96	=======
97
98	Copyright 2004 Gentoo Foundation, Inc; referenced text
99	belongs to its owner(s).
100
101	The contents of this document are licensed under the
102	Creative Commons - Attribution / Share Alike license.
103
104	http://creativecommons.org/licenses/by-sa/1.0
105
106
107	-----BEGIN PGP SIGNATURE-----
108	Version: GnuPG v1.2.4 (GNU/Linux)
109	Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
110
111	iD8DBQFBNe2/vcL1obalX08RAnCHAJ0W1NV44t2Z8xg2KZ5pA2IFP3QwCQCgk7Vm
112	7e5vtqbm5qpe3N3stRbPNis=
113	=/6Kl
114	-----END PGP SIGNATURE-----

Gentoo Archives: gentoo-announce