397071 – (CVE-2007-5969) CVE-2007-5969 mysql: possible system table information overwrite using symlinks

Bug 397071 (CVE-2007-5969) - CVE-2007-5969 mysql: possible system table information overwrite using symlinks

Summary: CVE-2007-5969 mysql: possible system table information overwrite using symlinks

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2007-5969
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	422161 422171 422181 422191 422201 422211 424921 424931
Blocks:
TreeView+	depends on / blocked

Reported:	2007-11-23 17:07 UTC by Tomas Hoger
Modified:	2019-09-29 12:22 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-12-19 16:35:45 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2007:1155	0	normal	SHIPPED_LIVE	Important: mysql security update	2007-12-18 16:37:39 UTC
Red Hat Product Errata	RHSA-2007:1157	0	normal	SHIPPED_LIVE	Important: mysql security update	2007-12-19 16:12:05 UTC

Description Tomas Hoger 2007-11-23 17:07:47 UTC

From the changelog of not yet released versions of MySQL:

Security Fix: Using RENAME TABLE against a table with explicit DATA DIRECTORY
and INDEX DIRECTORY options can be used to overwrite system table information by
replacing the symbolic link points. the file to which the symlink points.

MySQL will now return an error when the file to which the symlink points already
exists. (Bug#32111, CVE-2007-5969)

Mentioned in:

MySQL 4.1.24
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-24.html

MySQL Enterprise 5.0.52
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-52.html

Referenced MySQL bug report is not public at the moment:
http://bugs.mysql.com/bug.php?id=32111

Comment 2 Tomas Hoger 2007-11-26 12:04:14 UTC

Also mentioned in:

MySQL 5.1.23
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html

MySQL 6.0.4
http://dev.mysql.com/doc/refman/6.0/en/news-6-0-4.html

Comment 3 Tomas Hoger 2007-12-11 17:36:40 UTC

CVE description:

CVE-2007-5969:

MySQL Community Server before 5.0.51, when a table relies on symlinks
created through explicit DATA DIRECTORY and INDEX DIRECTORY options,
allows remote authenticated users to overwrite system table
information and gain privileges via a RENAME TABLE statement that
changes the symlink to point to an existing file.

References: 
http://lists.mysql.com/announce/495
http://bugs.mysql.com/32111
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-51.html
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-52.html

Upstream bug report remains private.

Comment 4 Tomas Hoger 2007-12-12 12:15:07 UTC

Additional info and upstream patch:

  http://lists.mysql.com/commits/37835

Comment 8 Tomas Hoger 2007-12-19 16:35:45 UTC

Problem was fixed in all affected supported products:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-1155.html

Red Hat Application Stack:  	
  http://rhn.redhat.com/errata/RHSA-2007-1157.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4471
  https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4465

Note You need to log in before you can comment on or make changes to this bug.