Bug 592079 (CVE-2010-1848)

Summary: CVE-2010-1848 mysql: multiple insufficient table name checks
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: byte, hhorak, kvolny
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20100513,reported=20100513,source=gentoo,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,fedora-all/mysql=affected/impact=important/cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,rhel-6/mysql=affected/impact=important/cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,rhel-3/mysql=affected/impact=low/cvss2=4/AV:N/AC:L/Au:S/C:P/I:N/A:N,rhel-4/mysql=affected/impact=low/cvss2=4/AV:N/AC:L/Au:S/C:P/I:N/A:N,rhel-5/mysql=affected/impact=low/cvss2=4/AV:N/AC:L/Au:S/C:P/I:N/A:N
Doc Type: Bug Fix
Clone Of:
: 915890 (view as bug list) Environment:
Last Closed: 2015-07-29 14:19:11 UTC Type: ---
Bug Depends On: 590598, 592862, 592874, 592875, 645637, 645638, 833942, 915890, 984994, 985414    
Attachments:
  Patch backported to 5.0.77, EL5 (flags: none)

Description Vincent Danen 2010-05-13 19:45:41 UTC
The upcoming MySQL 5.1.47 release indicates [1] a fix for the following issue, which has been assigned CVE-2010-1848.  Currently the bug report [2] is not public.

 The server failed to check the table name argument of a COM_FIELD_LIST command packet for validity and compliance to acceptable table name standards. This could be exploited to bypass almost all forms of checks for privileges and table-level grants by providing a specially crafted table name argument to COM_FIELD_LIST.

 In MySQL 5.0 and above, this allowed an authenticated user with SELECT privileges on one table to obtain the field definitions of any table in all other databases and potentially of other MySQL instances accessible from the server's file system.

 Additionally, for MySQL version 5.1 and above, an authenticated user with DELETE or SELECT privileges on one table could delete or read content from any other table in all databases on this server, and potentially of other MySQL instances accessible from the server's file system. (Bug#53371, CVE-2010-1848)


Without access to the upstream bug, it is difficult to determine if this affects older releases; however, the 5.0.91 release notes [3] do not currently note this flaw, so it may only affect 5.1.x.

[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
[2] http://bugs.mysql.com/bug.php?id=53371
[3] http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html

Comment 1 Tomas Hoger 2010-05-14 07:25:21 UTC
Upstream commits that reference upstream bug, both 5.0 and 5.1 branches:

http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2861
http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1-bugteam/revision/3367

Comment 3 Tomas Hoger 2010-05-14 10:23:20 UTC
The two issues described in the upstream release notes, as quoted in comment #0, seem unrelated; they are the same type of flaw, but affect different versions, and the impacts are quite different too:

- COM_FIELD_LIST issue - allows an authenticated user to get info about fields of any table in any database via directory traversal.  The info returned in response to COM_FIELD_LIST is limited to table structure info, which significantly limits the impact of the flaw.  This affects pre-5.0 versions too.

- There is an additional instance of a similar problem in 5.1+, but it allows an authenticated user to read or modify an arbitrary table.  Example based on upstream test cases:
  SELECT * FROM `../mysql/user`;
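
Added illustration, not code from this bug, from the attached patch or from MySQL itself: a table-name validator of the kind the upstream fix introduces, applied to the name taken from a COM_FIELD_LIST payload (command byte 0x04, NUL-terminated table name, optional field wildcard) before any grant lookup, so that a traversal name such as the `../mysql/user` in the test case above is refused. The rejected character set and the 64-byte length limit are simplifying assumptions, not MySQL's exact check_table_name() rules.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define COM_FIELD_LIST 0x04
#define MAX_TABLE_NAME 64   /* assumed identifier limit; real limit is in characters */

/* Illustrative check (not MySQL's own check_table_name()): a table name is
 * mapped onto a file path under the database directory, so it must be
 * non-empty, within the length limit, not end in a space, and contain no
 * filesystem path characters that could escape that directory. */
bool table_name_is_valid(const char *name, size_t len)
{
    if (len == 0 || len > MAX_TABLE_NAME)
        return false;
    if (name[len - 1] == ' ')           /* trailing space is rejected */
        return false;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        /* '/' and '\\' are separators, '.' builds "..", '~' is a home
         * expansion char on some platforms, NUL would truncate the path */
        if (c == '/' || c == '\\' || c == '.' || c == '~' || c == '\0')
            return false;
    }
    return true;
}

/* Parse the table name out of a COM_FIELD_LIST payload and validate it.
 * Returns true only for a well-formed packet whose name passes the check;
 * on success *out_name / *out_len point at the name inside the packet. */
bool com_field_list_table_ok(const unsigned char *pkt, size_t pkt_len,
                             const char **out_name, size_t *out_len)
{
    if (pkt_len < 2 || pkt[0] != COM_FIELD_LIST)
        return false;
    const char *name = (const char *)pkt + 1;
    const char *end = memchr(name, '\0', pkt_len - 1);
    if (end == NULL)                    /* name must be NUL-terminated in-packet */
        return false;
    size_t len = (size_t)(end - name);
    if (!table_name_is_valid(name, len))
        return false;
    *out_name = name;
    *out_len = len;
    return true;
}
```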

Comment 8 Tomas Hoger 2010-05-20 13:12:53 UTC
Created attachment 415407 [details]
Patch backported to 5.0.77, EL5

http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2861

Note: needs to be applied after CVE-2010-1850 fix.

Comment 9 Tomas Hoger 2010-05-20 15:02:26 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw for Red Hat Enterprise Linux 3 and 4 mysql packages.

Comment 11 Fedora Update System 2010-05-24 23:31:33 UTC
mysql-5.1.47-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc12

Comment 12 Fedora Update System 2010-05-24 23:31:55 UTC
mysql-5.1.47-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc13

Comment 13 Fedora Update System 2010-05-24 23:32:16 UTC
mysql-5.1.47-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc11

Comment 16 errata-xmlrpc 2010-05-26 14:57:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0442 https://rhn.redhat.com/errata/RHSA-2010-0442.html

Comment 17 Fedora Update System 2010-06-07 22:27:43 UTC
mysql-5.1.47-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2010-06-07 22:30:16 UTC
mysql-5.1.47-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2010-06-07 22:31:37 UTC
mysql-5.1.47-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 errata-xmlrpc 2010-11-03 20:04:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0824 https://rhn.redhat.com/errata/RHSA-2010-0824.html