The upcoming MySQL 5.1.47 release indicates [1] a fix for the following issue, which has been assigned CVE-2010-1848. Currently the bug report [2] is not public. The server failed to check the table name argument of a COM_FIELD_LIST command packet for validity and compliance to acceptable table name standards. This could be exploited to bypass almost all forms of checks for privileges and table-level grants by providing a specially crafted table name argument to COM_FIELD_LIST. In MySQL 5.0 and above, this allowed an authenticated user with SELECT privileges on one table to obtain the field definitions of any table in all other databases and potentially of other MySQL instances accessible from the server's file system. Additionally, for MySQL version 5.1 and above, an authenticated user with DELETE or SELECT privileges on one table could delete or read content from any other table in all databases on this server, and potentially of other MySQL instances accessible from the server's file system. (Bug#53371, CVE-2010-1848) Without access to the upstream bug, it is difficult to determine if this affects older releases, however the 5.0.91 release notes [3] do not currently note this flaw, so it may only affect 5.1.x. [1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html [2] http://bugs.mysql.com/bug.php?id=53371 [3] http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html
Upstream commits that reference upstream bug, both 5.0 and 5.1 branches: http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2861 http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1-bugteam/revision/3367
The two issues described in the upstream release notes as quote in comment #0 seem unrelated, they are the same type of flaw, but affect different versions and impacts are quite different too: - COM_FIELD_LIST issue - allows authenticated user to get info about fields of any table in any database via directory traversal. As info returned in response to COM_FIELD_LIST is limited to table structure info, which significantly limits the impact of the flaw. This affect pre-5.0 versions too. - There is additional instance of the similar problem in 5.1+, but it allows authenticated user to read or modify arbitrary table. Example based on upstream test cases: SELECT * FROM `../mysql/user`;
Created attachment 415407 [details] Patch backported to 5.0.77, EL5 http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2861 Note: needs to be applied after CVE-2010-1850 fix.
Statement: The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw for Red Hat Enterprise Linux 3 and 4 mysql packages.
mysql-5.1.47-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc12
mysql-5.1.47-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc13
mysql-5.1.47-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc11
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0442 https://rhn.redhat.com/errata/RHSA-2010-0442.html
mysql-5.1.47-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
mysql-5.1.47-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
mysql-5.1.47-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2010:0824 https://rhn.redhat.com/errata/RHSA-2010-0824.html