Bug 454077 (CVE-2008-4098) - CVE-2008-4098 mysql: incomplete upstream fix for CVE-2008-2079
Summary: CVE-2008-4098 mysql: incomplete upstream fix for CVE-2008-2079
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-4098
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 512255 512257
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-04 13:08 UTC by Tomas Hoger
Modified: 2019-09-29 12:25 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-17 09:50:22 UTC


Attachments (Terms of Use)
Devin Carraway's proposed fix (717 bytes, patch)
2008-07-08 15:09 UTC, Tomas Hoger
no flags Details | Diff
Upstream patch for 4.1.x (16.93 KB, patch)
2009-12-15 17:55 UTC, Tomas Hoger
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1067 0 normal SHIPPED_LIVE Moderate: Red Hat Application Stack v2.3 security and enhancement update 2009-05-26 17:06:06 UTC
Red Hat Product Errata RHSA-2010:0110 0 normal SHIPPED_LIVE Moderate: mysql security update 2010-02-16 16:27:21 UTC

Description Tomas Hoger 2008-07-04 13:08:18 UTC
Devin Carraway of the Debian Security Team discovered that the upstream fix for
the CVE-2008-2079 is incomplete and still makes it possible for local users to
create tables via INDEX/DATA DIRECTORY directives in the MySQL data directory
(/var/lib/mysql) via directory symlinks.

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25

CVE-2008-2079 was tracked via bug bug #445222.

An attacker needs following to exploit this issue:
- MySQL database account with privileges to create tables
- shell access to the host running MySQL database with write access to a
directory accessible by the mysqld daemon process

Comment 1 Tomas Hoger 2008-07-04 13:10:41 UTC
Note: this attack does not work on existing tables. An attacker can only elevate
their access to another user's tables as the tables are created. As well, the
names of these created tables need to be predicted correctly for this attack to
succeed.

This issue does not affect MySQL packages as shipped in Red Hat Enterprise Linux
2.1 and 3, as they do not support DATA/INDEX DIRECTORY directives.

Comment 3 Tomas Hoger 2008-07-08 15:09:25 UTC
Created attachment 311275 [details]
Devin Carraway's proposed fix

Source: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#42

Comment 4 Tomas Hoger 2008-09-09 20:28:43 UTC
Devin Carraway reported, that his updated patch is still possible to defeat as described in the upstream bug report for the original issue:

  http://bugs.mysql.com/bug.php?id=32167  (comment dated with "[18 Jul 9:43]")

Upstream updated their fix to perform path check at table open time:

  http://lists.mysql.com/commits/52326    (commit to 5.0 branch)

This patch is included in upstream versions 5.0.70 and 5.1.28:

  http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-70.html
  http://dev.mysql.com/doc/refman/5.1/en/news-5-1-28.html

Comment 5 Tomas Hoger 2009-05-22 10:04:17 UTC
This issue does not affect Red Hat Enterprise Linux 5, as the fix for CVE-2008-2079 has not been released yet.  Once released, it will use the updated upstream patch, addressing the original flaw without introducing CVE-2008-4098.

Incomplete fix for CVE-2008-2079 was used in Red Hat Enterprise Linux 4, Red Hat Application Stack v1 and v2.  Future mysql updates in those products may address this flaw.

Comment 6 errata-xmlrpc 2009-05-26 17:06:18 UTC
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:1067 https://rhn.redhat.com/errata/RHSA-2009-1067.html

Comment 7 Tomas Hoger 2009-12-15 17:55:01 UTC
Created attachment 378566 [details]
Upstream patch for 4.1.x

Extracted from upstream 4.1 bazaar branch:
  http://bazaar.launchpad.net/~mysql/mysql-server/mysql-4.1/revision/2705

Re-diffed against EL4 4.1.22.

Comment 8 errata-xmlrpc 2010-02-16 16:27:40 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0110 https://rhn.redhat.com/errata/RHSA-2010-0110.html


Note You need to log in before you can comment on or make changes to this bug.