Bug 125991

Summary: CAN-2004-0388 and CAN-2004-0381: insecure temporary file creation
Product: [Fedora] Fedora Reporter: Robert Scheck <redhat-bugzilla>
Component: mysqlAssignee: Tom Lane <tgl>
Status: CLOSED ERRATA QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: 2CC: hhorak
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.debian.org/security/2004/dsa-483
Whiteboard:
Fixed In Version: 3.23.58-9.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-01-30 23:48:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
mysql-3.23.58-symlink.patch none

Description Robert Scheck 2004-06-14 22:12:53 UTC 
Description of problem:
CAN-2004-0388: The script mysqld_multi in MySQL allows local users
               to overwrite arbitrary files via a symlink attack.

CAN-2004-0381: The script mysqlbug in MySQL allows local users to
               overwrite arbitrary files via a symlink attack.

Version-Release number of selected component (if applicable):
mysql-3.23.58-9

Expected results:
Patch/update (my patches are ported from Debian and Mandrake).

Additional info:
I only found CAN-2004-0381 (bug #119442) for RHEL3.
Comment 1 Robert Scheck 2004-06-14 22:13:32 UTC 
Created attachment 101129 [details]
mysql-3.23.58-symlink.patch
Comment 2 Tom Lane 2004-06-15 19:30:59 UTC 

*** This bug has been marked as a duplicate of 119442 ***
Comment 3 Mark J. Cox 2004-06-16 13:42:21 UTC 
Reopening; we usually keep separate tracking bugs for FC and RHEL
since they run on different schedules for QA etc.  

This bug is for FC1 and FC2 tracking
Comment 4 Robert Scheck 2004-10-06 15:07:10 UTC 
Fedora Core Development's -11 solves this issue. Does FC2 get an 
update?
Comment 5 Tom Lane 2004-10-06 22:22:23 UTC 
It seems a sufficiently low-priority matter that I wasn't planning to
push out a separate update.  I might get overruled on that though.
Comment 6 Robert Scheck 2005-01-30 23:48:17 UTC 
I'll close this bug, because:
- Fedora Core 2 got mysql-3.23.58-9.1
- Fedora Core 3 got mysql-3.23.58-14
- Red Hat Enterprise Linux 2.1 got mysql-3.23.58-1.72.1
- Red Hat Enterprise Linux 3 got mysql-3.23.58-2.3
this issue should be solved in any active supported distribution.