Bug 454077 (CVE-2008-4098)
Summary: | CVE-2008-4098 mysql: incomplete upstream fix for CVE-2008-2079
---|---
Product: | [Other] Security Response
Component: | vulnerability
Status: | CLOSED ERRATA
Severity: | low
Priority: | low
Version: | unspecified
Hardware: | All
OS: | Linux
Reporter: | Tomas Hoger <thoger>
Assignee: | Red Hat Product Security <security-response-team>
CC: | bressers, byte, kvolny, tgl, vdanen
Keywords: | Security
Doc Type: | Bug Fix
Last Closed: | 2010-02-17 09:50:22 UTC
Bug Depends On: | 512255, 512257

Description
Tomas Hoger
2008-07-04 13:08:18 UTC
Note: this attack does not work on existing tables. An attacker can only elevate their access to another user's tables as the tables are created. As well, the names of these created tables need to be predicted correctly for this attack to succeed.

This issue does not affect MySQL packages as shipped in Red Hat Enterprise Linux 2.1 and 3, as they do not support DATA/INDEX DIRECTORY directives.

Created attachment 311275
Devin Carraway's proposed fix

Source: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#42

Devin Carraway reported that his updated patch is still possible to defeat as described in the upstream bug report for the original issue:
http://bugs.mysql.com/bug.php?id=32167 (comment dated with "[18 Jul 9:43]")

Upstream updated their fix to perform path check at table open time:
http://lists.mysql.com/commits/52326 (commit to 5.0 branch)

This patch is included in upstream versions 5.0.70 and 5.1.28:
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-70.html
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-28.html

This issue does not affect Red Hat Enterprise Linux 5, as the fix for CVE-2008-2079 has not been released yet. Once released, it will use the updated upstream patch, addressing the original flaw without introducing CVE-2008-4098.

Incomplete fix for CVE-2008-2079 was used in Red Hat Enterprise Linux 4, Red Hat Application Stack v1 and v2. Future mysql updates in those products may address this flaw.

This issue has been addressed in following products:
Red Hat Web Application Stack for RHEL 5
Via RHSA-2009:1067 https://rhn.redhat.com/errata/RHSA-2009-1067.html

Created attachment 378566
Upstream patch for 4.1.x

Extracted from upstream 4.1 bazaar branch:
http://bazaar.launchpad.net/~mysql/mysql-server/mysql-4.1/revision/2705

Re-diffed against EL4 4.1.22.

This issue has been addressed in following products:
Red Hat Enterprise Linux 4
Via RHSA-2010:0110 https://rhn.redhat.com/errata/RHSA-2010-0110.html