Bug 454077 - (CVE-2008-4098) CVE-2008-4098 mysql: incomplete upstream fix for CVE-2008-2079
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
source=debian,reported=20080703,publi...
Keywords: Security
Depends On: 512255 512257
Reported: 2008-07-04 09:08 EDT by Tomas Hoger
Modified: 2010-02-17 04:50 EST (History)

Doc Type: Bug Fix
Last Closed: 2010-02-17 04:50:22 EST

Attachments
- Devin Carraway's proposed fix (717 bytes, patch), 2008-07-08 11:09 EDT, Tomas Hoger
- Upstream patch for 4.1.x (16.93 KB, patch), 2009-12-15 12:55 EST, Tomas Hoger

Description Tomas Hoger 2008-07-04 09:08:18 EDT
Devin Carraway of the Debian Security Team discovered that the upstream fix for
CVE-2008-2079 is incomplete and still makes it possible for local users to
create tables via INDEX/DATA DIRECTORY directives in the MySQL data directory
(/var/lib/mysql) via directory symlinks.

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25

CVE-2008-2079 was tracked via bug #445222.

An attacker needs the following to exploit this issue:
- MySQL database account with privileges to create tables
- shell access to the host running MySQL database with write access to a
directory accessible by the mysqld daemon process
Comment 1 Tomas Hoger 2008-07-04 09:10:41 EDT
Note: this attack does not work on existing tables. An attacker can only elevate
their access to another user's tables as the tables are created. As well, the
names of these created tables need to be predicted correctly for this attack to
succeed.

This issue does not affect MySQL packages as shipped in Red Hat Enterprise Linux
2.1 and 3, as they do not support DATA/INDEX DIRECTORY directives.
Comment 3 Tomas Hoger 2008-07-08 11:09:25 EDT
Created attachment 311275 [details]
Devin Carraway's proposed fix

Source: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#42
Comment 4 Tomas Hoger 2008-09-09 16:28:43 EDT
Devin Carraway reported that his updated patch is still possible to defeat as described in the upstream bug report for the original issue:

  http://bugs.mysql.com/bug.php?id=32167  (comment dated with "[18 Jul 9:43]")

Upstream updated their fix to perform the path check at table open time:

  http://lists.mysql.com/commits/52326    (commit to 5.0 branch)

This patch is included in upstream versions 5.0.70 and 5.1.28:

  http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-70.html
  http://dev.mysql.com/doc/refman/5.1/en/news-5-1-28.html
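The description and comment 4 above come down to one point: a check on a DATA/INDEX DIRECTORY value that compares path strings without resolving symlinks can be satisfied by a link pointing into the data directory, and a check done only at CREATE TABLE time can be outrun, which is why upstream repeats a resolved-path check at table open time. The following is an added illustration, not code from this bug, from MySQL, or from either attached patch: the data directory layout, the scratch directory, the symlink and both check functions are constructed for this example.

```python
import os
import tempfile


def lexical_check(requested: str, datadir: str) -> bool:
    """Accepts a DATA/INDEX DIRECTORY value unless the string itself starts
    with the data directory. Symlinks are never resolved, so a link that
    points into datadir passes. Returns True when the path is accepted."""
    prefix = datadir.rstrip("/") + "/"
    return not requested.startswith(prefix)


def resolved_check(requested: str, datadir: str) -> bool:
    """Resolves every symlink component first, then rejects any path that
    ends up inside (or equal to) the data directory. Running this kind of
    check at table open time, not only at create time, is what the page
    says the updated upstream fix does. Returns True when accepted."""
    real_req = os.path.realpath(requested)
    real_datadir = os.path.realpath(datadir)
    return os.path.commonpath([real_req, real_datadir]) != real_datadir


def demo() -> dict:
    """Builds a constructed layout under a temporary directory: a fake
    var/lib/mysql data directory holding victim_db, and a user-writable
    scratch directory containing a symlink into it. Both checks are then
    run on the symlink and on the plain scratch directory."""
    with tempfile.TemporaryDirectory() as root:
        datadir = os.path.join(root, "var", "lib", "mysql")
        os.makedirs(os.path.join(datadir, "victim_db"))
        scratch = os.path.join(root, "tmp", "scratch")
        os.makedirs(scratch)
        link = os.path.join(scratch, "link")
        os.symlink(os.path.join(datadir, "victim_db"), link)
        return {
            "link_lexical": lexical_check(link, datadir),        # True: accepted
            "link_resolved": resolved_check(link, datadir),      # False: rejected
            "plain_lexical": lexical_check(scratch, datadir),    # True
            "plain_resolved": resolved_check(scratch, datadir),  # True
        }


if __name__ == "__main__":
    print(demo())
```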
Comment 5 Tomas Hoger 2009-05-22 06:04:17 EDT
This issue does not affect Red Hat Enterprise Linux 5, as the fix for CVE-2008-2079 has not been released yet.  Once released, it will use the updated upstream patch, addressing the original flaw without introducing CVE-2008-4098.

The incomplete fix for CVE-2008-2079 was used in Red Hat Enterprise Linux 4, Red Hat Application Stack v1 and v2.  Future mysql updates in those products may address this flaw.
Comment 6 errata-xmlrpc 2009-05-26 13:06:18 EDT
This issue has been addressed in the following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:1067 https://rhn.redhat.com/errata/RHSA-2009-1067.html
Comment 7 Tomas Hoger 2009-12-15 12:55:01 EST
Created attachment 378566 [details]
Upstream patch for 4.1.x

Extracted from upstream 4.1 bazaar branch:
  http://bazaar.launchpad.net/~mysql/mysql-server/mysql-4.1/revision/2705

Re-diffed against EL4 4.1.22.
Comment 8 errata-xmlrpc 2010-02-16 11:27:40 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0110 https://rhn.redhat.com/errata/RHSA-2010-0110.html