|Summary:||CVE-2010-1848 mysql: multiple insufficient table name checks|
|Product:||[Other] Security Response||Reporter:||Vincent Danen <vdanen>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||byte, hhorak, kvolny|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|:||915890 (view as bug list)||Environment:|
|Last Closed:||2015-07-29 14:19:11 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||590598, 592862, 592874, 592875, 645637, 645638, 833942, 915890, 984994, 985414|
Description Vincent Danen 2010-05-13 19:45:41 UTC
The upcoming MySQL 5.1.47 release indicates  a fix for the following issue, which has been assigned CVE-2010-1848. Currently the bug report  is not public. The server failed to check the table name argument of a COM_FIELD_LIST command packet for validity and compliance to acceptable table name standards. This could be exploited to bypass almost all forms of checks for privileges and table-level grants by providing a specially crafted table name argument to COM_FIELD_LIST. In MySQL 5.0 and above, this allowed an authenticated user with SELECT privileges on one table to obtain the field definitions of any table in all other databases and potentially of other MySQL instances accessible from the server's file system. Additionally, for MySQL version 5.1 and above, an authenticated user with DELETE or SELECT privileges on one table could delete or read content from any other table in all databases on this server, and potentially of other MySQL instances accessible from the server's file system. (Bug#53371, CVE-2010-1848) Without access to the upstream bug, it is difficult to determine if this affects older releases, however the 5.0.91 release notes  do not currently note this flaw, so it may only affect 5.1.x.  http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html  http://bugs.mysql.com/bug.php?id=53371  http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html
Comment 1 Tomas Hoger 2010-05-14 07:25:21 UTC
Upstream commits that reference upstream bug, both 5.0 and 5.1 branches: http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2861 http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1-bugteam/revision/3367
Comment 3 Tomas Hoger 2010-05-14 10:23:20 UTC
The two issues described in the upstream release notes as quote in comment #0 seem unrelated, they are the same type of flaw, but affect different versions and impacts are quite different too: - COM_FIELD_LIST issue - allows authenticated user to get info about fields of any table in any database via directory traversal. As info returned in response to COM_FIELD_LIST is limited to table structure info, which significantly limits the impact of the flaw. This affect pre-5.0 versions too. - There is additional instance of the similar problem in 5.1+, but it allows authenticated user to read or modify arbitrary table. Example based on upstream test cases: SELECT * FROM `../mysql/user`;
Comment 8 Tomas Hoger 2010-05-20 13:12:53 UTC
Created attachment 415407 [details] Patch backported to 5.0.77, EL5 http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2861 Note: needs to be applied after CVE-2010-1850 fix.
Comment 9 Tomas Hoger 2010-05-20 15:02:26 UTC
Statement: The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw for Red Hat Enterprise Linux 3 and 4 mysql packages.
Comment 11 Fedora Update System 2010-05-24 23:31:33 UTC
mysql-5.1.47-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc12
Comment 12 Fedora Update System 2010-05-24 23:31:55 UTC
mysql-5.1.47-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc13
Comment 13 Fedora Update System 2010-05-24 23:32:16 UTC
mysql-5.1.47-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc11
Comment 16 errata-xmlrpc 2010-05-26 14:57:45 UTC
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0442 https://rhn.redhat.com/errata/RHSA-2010-0442.html
Comment 17 Fedora Update System 2010-06-07 22:27:43 UTC
mysql-5.1.47-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2010-06-07 22:30:16 UTC
mysql-5.1.47-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2010-06-07 22:31:37 UTC
mysql-5.1.47-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.