Bug 860808 (CVE-2012-4452)

Summary:	CVE-2012-4452 mysql: regression of CVE-2009-4030
Product:	[Other] Security Response	Reporter:	Vincent Danen <vdanen>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	low	Docs Contact:
Priority:	low
Version:	unspecified	CC:	hhorak, kvolny, security-response-team, tgl
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-01-08 06:09:25 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	860921
Bug Blocks:	816611, 860811

Description Vincent Danen 2012-09-26 18:38:56 UTC

It was found that the fix for CVE-2009-4030 was removed from the MySQL packages as provided with RHSA-2012:0127 when it was updated to version 5.0.95.  Upstream claimed to have corrected this in version 5.0.88, so the patch was removed when it did not apply.  As a result, MySQL version 5.0.95-1.el5_7.1 became vulnerable to CVE-2009-4030 again.

For most default or typical configurations, this flaw has no impact.  Please see https://bugzilla.redhat.com/show_bug.cgi?id=543653#c4 for further discussion on the possible scenarios where this flaw can be triggered.  If the basedir and datadir directives are unchanged in MySQL's configuration or command-line arguments, this flaw has no impact.

Comment 2 Huzaifa S. Sidhpurwala 2012-09-27 06:06:53 UTC

Statement:

(none)

Comment 5 Murray McAllister 2012-11-15 01:37:35 UTC

Acknowledgements:

This issue was discovered by Karel Volný of the Red Hat Quality Engineering team.

Comment 6 errata-xmlrpc 2013-01-08 04:54:51 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0121 https://rhn.redhat.com/errata/RHSA-2013-0121.html