Bug 543653 (CVE-2009-4030) - CVE-2009-4030 mysql: Incomplete fix for CVE-2008-2079 / CVE-2008-4098
Summary: CVE-2009-4030 mysql: Incomplete fix for CVE-2008-2079 / CVE-2008-4098
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-4030
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://lists.mysql.com/commits/52326
Whiteboard:
Depends On: 512255 512257 549329 556505 556506 833941
Blocks:
Reported: 2009-12-02 19:21 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-17 09:56:27 UTC
Embargoed:

Links
System                 | ID             | Private | Priority | Status       | Summary                          | Last Updated
Red Hat Product Errata | RHSA-2010:0109 | 0       | normal   | SHIPPED_LIVE | Moderate: mysql security update  | 2010-02-16 16:05:33 UTC
Red Hat Product Errata | RHSA-2010:0110 | 0       | normal   | SHIPPED_LIVE | Moderate: mysql security update  | 2010-02-16 16:27:21 UTC

Description Jan Lieskovsky 2009-12-02 19:21:25 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4030 to
the following vulnerability:

MySQL 5.1.x before 5.1.41 allows local users to bypass certain
privilege checks by calling CREATE TABLE on a MyISAM table with
modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are
originally associated with pathnames without symlinks, and that can
point to tables created at a future time at which a pathname is
modified to contain a symlink to a subdirectory of the MySQL data home
directory, related to incorrect calculation of the
mysql_unpacked_real_data_home value. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.

References:
-----------
http://lists.mysql.com/commits/89940
http://www.openwall.com/lists/oss-security/2009/11/19/3
http://marc.info/?l=oss-security&m=125908040022018&w=2
http://www.openwall.com/lists/oss-security/2009/11/24/6
http://marc.info/?l=oss-security&m=125908080222685&w=2
http://bugs.mysql.com/bug.php?id=32167
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html

Upstream patch:
---------------
http://lists.mysql.com/commits/52326

Comment 1 Jan Lieskovsky 2009-12-02 19:24:00 UTC
This issue does NOT affect the version of the mysql package as shipped with
Red Hat Enterprise Linux 3.

This issue affects the version of the mysql package as shipped with
Red Hat Enterprise Linux 4.

This issue does NOT affect the version of the mysql package as shipped with
Red Hat Enterprise Linux 5.

Update: Red Hat Enterprise Linux 5 is affected too, see comment #4 below.

Comment 4 Tomas Hoger 2009-12-16 13:30:46 UTC
As far as I can tell, this problem can only occur when mysqld is started with a relative path as the argument to --datadir that does not start with '.'.  If the relative datadir path starts with '.', it is expected to be treated as relative to the current working directory.  If it does not, it is treated as relative to the --basedir directory ("/usr" by default in RHEL / Fedora packages).  In that case the DATA/INDEX DIRECTORY argument is compared against "CWD/datadir_path" instead of the intended "basedir_path/datadir_path", so the protection does not work.

By default, mysqld is started with --basedir=/usr and --datadir=/var/lib/mysql.  It is unlikely to be changed to --datadir=relative_path_not_starting_with_dot given the basedir default.  Hence this is limited to certain non-default and rather unlikely setups.

(In reply to comment #1)
> This issue affects the version of mysql package, as shipped with 
> Red Hat Enterprise Linux 4.
> 
> This issue does NOT affect the version of mysql package, as shipped with
> Red Hat Enterprise Linux 5.

This info is not correct; the problem exists in the latest Red Hat Enterprise Linux 5 MySQL packages (mysql-5.0.77-3.el5) too.
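
The path-resolution point made in comment 4, as an added example that is not part of the bug report or of MySQL's own code: how a relative --datadir is resolved against --basedir versus the current working directory, and what the DATA/INDEX DIRECTORY containment check consequently compares against. The function names and sample paths are constructed for illustration.

```python
# Added example (not from the bug report or the MySQL source tree): models the
# --datadir resolution from comment 4 and the resulting containment check.
import posixpath


def resolve_datadir(basedir, datadir, cwd):
    """Resolve --datadir as comment 4 describes: absolute paths stay as given,
    paths starting with '.' are relative to the working directory, any other
    relative path is relative to --basedir."""
    if posixpath.isabs(datadir):
        return posixpath.normpath(datadir)
    if datadir.startswith("."):
        return posixpath.normpath(posixpath.join(cwd, datadir))
    return posixpath.normpath(posixpath.join(basedir, datadir))


def resolve_datadir_flawed(basedir, datadir, cwd):
    """Flawed variant: every relative --datadir is anchored at the working
    directory, so the protected data home is mis-computed whenever the path
    is relative and does not start with '.'."""
    if posixpath.isabs(datadir):
        return posixpath.normpath(datadir)
    return posixpath.normpath(posixpath.join(cwd, datadir))


def is_inside(directory, data_home):
    """True when `directory` is the data home or lies below it. mysqld makes
    the same comparison against the symlink-resolved data home
    (mysql_unpacked_real_data_home); all paths here are constructed."""
    directory = posixpath.normpath(directory)
    data_home = posixpath.normpath(data_home)
    return directory == data_home or directory.startswith(data_home.rstrip("/") + "/")


def data_directory_allowed(data_directory, basedir, datadir, cwd,
                           resolver=resolve_datadir):
    """CREATE TABLE ... DATA DIRECTORY check: the target may not be inside
    the data home. `resolver` selects correct or flawed resolution."""
    return not is_inside(data_directory, resolver(basedir, datadir, cwd))


if __name__ == "__main__":
    # Constructed non-default setup: relative --datadir without a leading '.'.
    args = ("/usr", "var/lib/mysql", "/root")
    target = "/usr/var/lib/mysql/newdb"  # lies below the real data home
    print("correct resolution:", resolve_datadir(*args))         # /usr/var/lib/mysql
    print("flawed resolution: ", resolve_datadir_flawed(*args))  # /root/var/lib/mysql
    print("correct check rejects:", not data_directory_allowed(target, *args))
    print("flawed check rejects: ", not data_directory_allowed(target, *args, resolver=resolve_datadir_flawed))
```

With the flawed resolver the data home becomes "/root/var/lib/mysql", so a target below the real data home passes the check; with correct resolution it is rejected.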

Comment 5 Tomas Hoger 2009-12-21 10:41:34 UTC
The patch is committed in upstream 5.1 bazaar branch:
http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/1810.3967.4

but *not* included in 5.1.41 tarballs.

Comment 8 Mac 2010-01-04 15:11:06 UTC
Will there be a fix for Red Hat Enterprise Linux 4 & 5?

Comment 9 Tomas Hoger 2010-01-04 15:47:51 UTC
A fix may appear in future updates.  As explained above, this has no impact on the default or typical configuration; only unlikely setups are affected.

If you don't need to use symlinks, you can configure MySQL to not create them using skip-symbolic-links.

Comment 13 errata-xmlrpc 2010-02-16 16:05:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0109 https://rhn.redhat.com/errata/RHSA-2010-0109.html

Comment 14 errata-xmlrpc 2010-02-16 16:27:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0110 https://rhn.redhat.com/errata/RHSA-2010-0110.html

