Bug 397071 (CVE-2007-5969)

Summary: CVE-2007-5969 mysql: possible system table information overwrite using symlinks
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: kreilly, tgl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-12-19 16:35:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 422161, 422171, 422181, 422191, 422201, 422211, 424921, 424931    
Bug Blocks:    

Description Tomas Hoger 2007-11-23 17:07:47 UTC 
From the changelog of not yet released versions of MySQL:

Security Fix: Using RENAME TABLE against a table with explicit DATA DIRECTORY
and INDEX DIRECTORY options can be used to overwrite system table information by
replacing the symbolic link points. the file to which the symlink points.

MySQL will now return an error when the file to which the symlink points already
exists. (Bug#32111, CVE-2007-5969)

Mentioned in:

MySQL 4.1.24
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-24.html

MySQL Enterprise 5.0.52
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-52.html

Referenced MySQL bug report is not public at the moment:
http://bugs.mysql.com/bug.php?id=32111
Comment 2 Tomas Hoger 2007-11-26 12:04:14 UTC 
Also mentioned in:

MySQL 5.1.23
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html

MySQL 6.0.4
http://dev.mysql.com/doc/refman/6.0/en/news-6-0-4.html
Comment 3 Tomas Hoger 2007-12-11 17:36:40 UTC 
CVE description:

CVE-2007-5969:

MySQL Community Server before 5.0.51, when a table relies on symlinks
created through explicit DATA DIRECTORY and INDEX DIRECTORY options,
allows remote authenticated users to overwrite system table
information and gain privileges via a RENAME TABLE statement that
changes the symlink to point to an existing file.

References: 
http://lists.mysql.com/announce/495
http://bugs.mysql.com/32111
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-51.html
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-52.html

Upstream bug report remains private.
Comment 4 Tomas Hoger 2007-12-12 12:15:07 UTC 
Additional info and upstream patch:

  http://lists.mysql.com/commits/37835
Comment 8 Tomas Hoger 2007-12-19 16:35:45 UTC 
Problem was fixed in all affected supported products:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-1155.html

Red Hat Application Stack:  	
  http://rhn.redhat.com/errata/RHSA-2007-1157.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4471
  https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4465