Bug 397071 - (CVE-2007-5969) CVE-2007-5969 mysql: possible system table information overwrite using symlinks
CVE-2007-5969 mysql: possible system table information overwrite using symlinks
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
source=internet,reported=20071123,pub...
: Security
Depends On: 422161 422171 422181 422191 422201 422211 424921 424931
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-23 12:07 EST by Tomas Hoger
Modified: 2010-10-22 16:39 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-19 11:35:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2007-11-23 12:07:47 EST
From the changelog of not yet released versions of MySQL:

Security Fix: Using RENAME TABLE against a table with explicit DATA DIRECTORY
and INDEX DIRECTORY options can be used to overwrite system table information by
replacing the symbolic link points. the file to which the symlink points.

MySQL will now return an error when the file to which the symlink points already
exists. (Bug#32111, CVE-2007-5969)

Mentioned in:

MySQL 4.1.24
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-24.html

MySQL Enterprise 5.0.52
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-52.html

Referenced MySQL bug report is not public at the moment:
http://bugs.mysql.com/bug.php?id=32111
Comment 2 Tomas Hoger 2007-11-26 07:04:14 EST
Also mentioned in:

MySQL 5.1.23
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html

MySQL 6.0.4
http://dev.mysql.com/doc/refman/6.0/en/news-6-0-4.html
Comment 3 Tomas Hoger 2007-12-11 12:36:40 EST
CVE description:

CVE-2007-5969:

MySQL Community Server before 5.0.51, when a table relies on symlinks
created through explicit DATA DIRECTORY and INDEX DIRECTORY options,
allows remote authenticated users to overwrite system table
information and gain privileges via a RENAME TABLE statement that
changes the symlink to point to an existing file.

References: 
http://lists.mysql.com/announce/495
http://bugs.mysql.com/32111
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-51.html
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-52.html

Upstream bug report remains private.
Comment 4 Tomas Hoger 2007-12-12 07:15:07 EST
Additional info and upstream patch:

  http://lists.mysql.com/commits/37835
Comment 8 Tomas Hoger 2007-12-19 11:35:45 EST
Problem was fixed in all affected supported products:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-1155.html

Red Hat Application Stack:  	
  http://rhn.redhat.com/errata/RHSA-2007-1157.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4471
  https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4465

Note You need to log in before you can comment on or make changes to this bug.