Bug 152437 - CAN-2005-0709 mysql-server update needed for LACD (CAN-2005-0710 CAN-2005-0711)
Summary: CAN-2005-0709 mysql-server update needed for LACD (CAN-2005-0710 CAN-2005-0711)
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: mysql   
(Show other bugs)
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tom Lane
QA Contact: David Lawrence
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2005-03-29 15:16 UTC by Josh Bressers
Modified: 2013-07-03 03:04 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-04-05 15:02:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:348 normal SHIPPED_LIVE Important: mysql-server security update 2005-04-05 04:00:00 UTC

Description Josh Bressers 2005-03-29 15:16:24 UTC
The following issues need to be fixed in the RHEL3 LACD mysql-server package:

Description of problem:
If an authenticated user has CREATE TEMPORARY TABLE privileges on any
existent database, a symlink attack is possible. 

Reported to vulnwatch.org by Stefano Di Paola on 11 Mar 2005

Version-Release number of selected component (if applicable):

How reproducible:
Requires some luck to guess name that will be used for temp file,
but unfortunately that's fairly predictable.

(CAN-2005-0709 CAN-2005-0710)
Description of problem:
MySQL allows users with very low privileges to create user-defined
functions that reference code in loadable shared libraries.  Obviously
this creates a risk of users being able to cause the server to execute
arbitrary code.  There are some rather ad-hoc restrictions intended to
prevent misuse of the feature, but Stefano Di Paola found two
different ways to create problems anyway: you can call an arbitrary
function belonging to any standard system library, and you can
circumvent the check against giving an absolute path to a library.

Comment 1 foobarra 2005-03-30 13:42:42 UTC
For the casual reader, currently, RHEL-3 versions of the MySQL server have not
been patched for the vulnerability announced in:


The only packages released in this errata for RHEL-3 were the client, headers,
and benchmark - the mysql-server RPM was not included, and is still vulnerable
to this attack.

Comment 2 Josh Bressers 2005-04-05 15:02:15 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.