Bug 454077 (CVE-2008-4098)

Summary: CVE-2008-4098 mysql: incomplete upstream fix for CVE-2008-2079
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bressers, byte, kvolny, tgl, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-02-17 09:50:22 UTC
Bug Depends On: 512255, 512257

Attachments:
- Devin Carraway's proposed fix (flags: none)
- Upstream patch for 4.1.x (flags: none)

Description Tomas Hoger 2008-07-04 13:08:18 UTC
Devin Carraway of the Debian Security Team discovered that the upstream fix for
CVE-2008-2079 is incomplete and still makes it possible for local users to
create tables via INDEX/DATA DIRECTORY directives in the MySQL data directory
(/var/lib/mysql) via directory symlinks.

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25

CVE-2008-2079 was tracked via bug #445222.

An attacker needs the following to exploit this issue:
- MySQL database account with privileges to create tables
- shell access to the host running the MySQL database, with write access to a
directory accessible by the mysqld daemon process

Comment 1 Tomas Hoger 2008-07-04 13:10:41 UTC
Note: this attack does not work on existing tables. An attacker can only elevate
their access to another user's tables as the tables are created. As well, the
names of these created tables need to be predicted correctly for this attack to
succeed.

This issue does not affect MySQL packages as shipped in Red Hat Enterprise Linux
2.1 and 3, as they do not support DATA/INDEX DIRECTORY directives.

Comment 3 Tomas Hoger 2008-07-08 15:09:25 UTC
Created attachment 311275 [details]
Devin Carraway's proposed fix

Source: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#42

Comment 4 Tomas Hoger 2008-09-09 20:28:43 UTC
Devin Carraway reported that his updated patch can still be defeated as described in the upstream bug report for the original issue:

  http://bugs.mysql.com/bug.php?id=32167  (comment dated with "[18 Jul 9:43]")

Upstream updated their fix to perform a path check at table open time:

  http://lists.mysql.com/commits/52326    (commit to 5.0 branch)

This patch is included in upstream versions 5.0.70 and 5.1.28:

  http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-70.html
  http://dev.mysql.com/doc/refman/5.1/en/news-5-1-28.html
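The difference between the incomplete fix and the upstream one comes down to where the directory check is applied: a check on the directive value as typed is defeated by a symlink that points into the data directory, whereas a check on the fully resolved path is not. The following is an added illustration of that distinction, not code from MySQL or from either patch; the function names, the temporary directory layout and the "datadir" naming are assumptions made for the example. It builds a scratch directory containing a stand-in data directory and a symlink to it, then runs both kinds of check against the same DATA DIRECTORY value.

```python
import os
import tempfile


def naive_is_outside_datadir(datadir: str, requested: str) -> bool:
    """Lexical check only: compares the directive value as typed.

    This is the shape of check a symlink defeats: '/tmp/scratch/db' does
    not start with '/var/lib/mysql/', so it is accepted even when
    /tmp/scratch is a symlink that resolves into the data directory.
    Returns True when the path would be accepted (treated as outside).
    """
    prefix = datadir.rstrip(os.sep) + os.sep
    return not requested.startswith(prefix)


def resolved_is_outside_datadir(datadir: str, requested: str) -> bool:
    """Resolve symlinks on both sides, then test containment by components.

    os.path.commonpath compares whole path components, so a sibling such
    as /var/lib/mysql2 is correctly treated as outside /var/lib/mysql,
    while /var/lib/mysql itself and anything below it are rejected.
    Returns True when the path would be accepted (really outside).
    """
    real_datadir = os.path.realpath(datadir)
    real_requested = os.path.realpath(requested)
    return os.path.commonpath([real_datadir, real_requested]) != real_datadir


def demo() -> dict:
    """Construct the symlink layout and report what each check decides.

    Layout (constructed in a temporary directory for the example):
      <tmp>/datadir          stand-in for the server's data directory
      <tmp>/scratch -> datadir   symlink in a location the attacker can write
      <tmp>/elsewhere        a genuinely external directory
    """
    with tempfile.TemporaryDirectory() as tmp:
        datadir = os.path.join(tmp, "datadir")
        os.mkdir(datadir)
        link = os.path.join(tmp, "scratch")
        os.symlink(datadir, link)

        # The DATA DIRECTORY value the attacker would supply: lexically
        # outside datadir, physically inside it once the symlink resolves.
        via_symlink = os.path.join(link, "victim_db")
        legitimate = os.path.join(tmp, "elsewhere", "victim_db")

        return {
            "naive_allows": naive_is_outside_datadir(datadir, via_symlink),
            "resolved_allows": resolved_is_outside_datadir(datadir, via_symlink),
            "legit_allows": resolved_is_outside_datadir(datadir, legitimate),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'accepted' if allowed else 'rejected'}")
```

The resolved check has to run against the live filesystem at the moment the path is used (here, table open time), because a symlink can be created or retargeted after an earlier check has passed; that is the reason the upstream fix moved the check rather than merely tightening the string comparison.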

Comment 5 Tomas Hoger 2009-05-22 10:04:17 UTC
This issue does not affect Red Hat Enterprise Linux 5, as the fix for CVE-2008-2079 has not been released yet. Once released, it will use the updated upstream patch, addressing the original flaw without introducing CVE-2008-4098.

The incomplete fix for CVE-2008-2079 was used in Red Hat Enterprise Linux 4 and Red Hat Application Stack v1 and v2. Future mysql updates in those products may address this flaw.

Comment 6 errata-xmlrpc 2009-05-26 17:06:18 UTC
This issue has been addressed in the following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:1067 https://rhn.redhat.com/errata/RHSA-2009-1067.html

Comment 7 Tomas Hoger 2009-12-15 17:55:01 UTC
Created attachment 378566 [details]
Upstream patch for 4.1.x

Extracted from upstream 4.1 bazaar branch:
  http://bazaar.launchpad.net/~mysql/mysql-server/mysql-4.1/revision/2705

Re-diffed against EL4 4.1.22.

Comment 8 errata-xmlrpc 2010-02-16 16:27:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0110 https://rhn.redhat.com/errata/RHSA-2010-0110.html