+++ This bug was initially created as a clone of Bug #158688 +++ mysql_install_db in MySQL 4.x before 4.0.12 and 5.x up to 5.0.4 creates the mysql_install_db.X file with a predictable filename and insecure permissions, which allows local users to execute arbitrary SQL commands by modifying the file's contents. More information is in the full-disclosure post: http://marc.theaimsgroup.com/?l=full-disclosure&m=111632686805498&w=2
This does not affect FC3, only FC4, since we were still using MySQL 3.x at the time and the faulty code is not in 3.x.
The plan for FC4 is to push mysql-4.1.12 which includes a fix for this. (I intend to ship 4.1.12 in RHEL4 QU2 as well, but let's get some testing in FC4 branch first.)