Red Hat Bugzilla – Bug 152437
CAN-2005-0709 mysql-server update needed for LACD (CAN-2005-0710 CAN-2005-0711)
Last modified: 2013-07-02 23:04:34 EDT
The following issues need to be fixed in the RHEL3 LACD mysql-server package: (CAN-2005-0711) Description of problem: If an authenticated user has CREATE TEMPORARY TABLE privileges on any existent database, a symlink attack is possible. Reported to vulnwatch.org by Stefano Di Paola on 11 Mar 2005 Version-Release number of selected component (if applicable): mysql-4.1.7-5.RHEL4.1 How reproducible: Requires some luck to guess name that will be used for temp file, but unfortunately that's fairly predictable. (CAN-2005-0709 CAN-2005-0710) Description of problem: MySQL allows users with very low privileges to create user-defined functions that reference code in loadable shared libraries. Obviously this creates a risk of users being able to cause the server to execute arbitrary code. There are some rather ad-hoc restrictions intended to prevent misuse of the feature, but Stefano Di Paola found two different ways to create problems anyway: you can call an arbitrary function belonging to any standard system library, and you can circumvent the check against giving an absolute path to a library.
For the casual reader, currently, RHEL-3 versions of the MySQL server have not been patched for the vulnerability announced in: http://rhn.redhat.com/errata/RHSA-2005-334.html The only packages released in this errata for RHEL-3 were the client, headers, and benchmark - the mysql-server RPM was not included, and is still vulnerable to this attack.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-348.html