Bug 543653 (CVE-2009-4030)

Summary: CVE-2009-4030 mysql: Incomplete fix for CVE-2008-2079 / CVE-2008-4098
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: kreilly, kvolny, squoggle, tgl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://lists.mysql.com/commits/52326
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-02-17 09:56:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 512255, 512257, 549329, 556505, 556506, 833941    
Bug Blocks:    

Description Jan Lieskovsky 2009-12-02 19:21:25 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4030 to
the following vulnerability:

MySQL 5.1.x before 5.1.41 allows local users to bypass certain
privilege checks by calling CREATE TABLE on a MyISAM table with
modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are
originally associated with pathnames without symlinks, and that can
point to tables created at a future time at which a pathname is
modified to contain a symlink to a subdirectory of the MySQL data home
directory, related to incorrect calculation of the
mysql_unpacked_real_data_home value. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.

References:
-----------
http://lists.mysql.com/commits/89940
http://www.openwall.com/lists/oss-security/2009/11/19/3
http://marc.info/?l=oss-security&m=125908040022018&w=2
http://www.openwall.com/lists/oss-security/2009/11/24/6
http://marc.info/?l=oss-security&m=125908080222685&w=2
http://bugs.mysql.com/bug.php?id=32167
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html

Upstream patch:
---------------
http://lists.mysql.com/commits/52326

Comment 1 Jan Lieskovsky 2009-12-02 19:24:00 UTC
This issue does NOT affect the version of mysql package, as shipped with
Red Hat Enteprise Linux 3.

This issue affects the version of mysql package, as shipped with 
Red Hat Enterprise Linux 4.

This issue does NOT affect the version of mysql package, as shipped with
Red Hat Enteprise Linux 5.

Update: Red Hat Enteprise Linux 5 is affected too, see comment #4 below.

Comment 4 Tomas Hoger 2009-12-16 13:30:46 UTC
As far as I can tell, this problem can only occur when mysqld is started with relative path as an argument to --datadir, but not starting with the '.'.  If datadir relative path starts with the '.', it is expected to be treated as relative to current working directory.  If it does not, it's treated as relative to --basedir directory ("/usr" by default RHEL / Fedora packages).  In such case DATA/INDEX DIRECTORY argument will be compared to "CWD/datadir_path" instead of the intended "basedir_path/datadir_path", resulting in a not working protection.

By default, mysqld is started with --basedir=/usr and --datadir=/var/lib/mysql .  It is unlikely to be changed to --datadir=relative_path_not_starting_with_dot given the basedir default.  Hence it's limited to certain non-default and rather unlikely setups.

(In reply to comment #1)
> This issue affects the version of mysql package, as shipped with 
> Red Hat Enterprise Linux 4.
> 
> This issue does NOT affect the version of mysql package, as shipped with
> Red Hat Enteprise Linux 5.

This info is not correct, problem exists in the latest Red Hat Enterprise Linux 5 MySQL packages (mysql-5.0.77-3.el5) too.

Comment 5 Tomas Hoger 2009-12-21 10:41:34 UTC
The patch is committed in upstream 5.1 bazaar branch:
http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/1810.3967.4

but *not* included in 5.1.41 tarballs.

Comment 8 Mac 2010-01-04 15:11:06 UTC
Will there be a fix for Red Hat Enterprise Linux 4 & 5?

Comment 9 Tomas Hoger 2010-01-04 15:47:51 UTC
Fix may appear in the future updates.  As explained above, this has no impact on the default or typical configuration, only unlikely setups are affected.

If you don't need to use symlinks, you can configure MySQL to not create them using skip-symbolic-links.

Comment 13 errata-xmlrpc 2010-02-16 16:05:45 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0109 https://rhn.redhat.com/errata/RHSA-2010-0109.html

Comment 14 errata-xmlrpc 2010-02-16 16:27:51 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0110 https://rhn.redhat.com/errata/RHSA-2010-0110.html