Bug 1386138 (CVE-2005-0004)

Summary: CVE-2005-0004 mysql: CVE-2005-0004 mysqlaccess creates/overwrite files on the system
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anemec, aortega, apevec, ayoung, byte, chrisw, cvsbot-xmlrpc, databases-maint, dciabrin, fdinitto, hhorak, jdornak, jorton, jschluet, jstanek, kbasil, lhh, lpeer, markmc, mbayer, mmuzila, mschorm, praiskup, rbryant, sclewis, srevivo, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-18 09:25:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1385047    

Description Cedric Buissart 2016-10-18 09:23:54 UTC 
CVE-2005-0004 allows an unprivileged local attacker to create/overwrite files on the machine with the privilege of the user running the mysqlaccess script (e.g.: usually a database administrator or root).
mysqlaccess uses a predictable file naming in /tmp to store temporary data. An attacker could create a symlink with a similar name, pointing elsewhere on the file system structure.

Upstream patch :
http://lists.mysql.com/internals/20600

mitre.org info on the CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2005-0004

Affected versions : MySQL 4.0.23 and earlier, 4.1.x before 4.1.10, 5.0.x before 5.0.3, and other versions including 3.x

Versions shipped in Red Hat are not affected, since they are either using the patched version of mysqlaccess, or are not shipping mysqlaccess script.