Bug 592079 (CVE-2010-1848) - CVE-2010-1848 mysql: multiple insufficient table name checks
Summary: CVE-2010-1848 mysql: multiple insufficient table name checks
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-1848
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 590598 592862 592874 592875 645637 645638 833942 915890 984994 985414
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-05-13 19:45 UTC by Vincent Danen
Modified: 2021-02-24 23:09 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 915890 (view as bug list)
Environment:
Last Closed: 2015-07-29 14:19:11 UTC
Embargoed:


Attachments (Terms of Use)
Patch backported to 5.0.77, EL5 (2.79 KB, patch)
2010-05-20 13:12 UTC, Tomas Hoger
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0442 0 normal SHIPPED_LIVE Important: mysql security update 2010-05-26 14:57:41 UTC
Red Hat Product Errata RHSA-2010:0824 0 normal SHIPPED_LIVE Moderate: mysql security update 2010-11-03 20:04:50 UTC

Description Vincent Danen 2010-05-13 19:45:41 UTC
The upcoming MySQL 5.1.47 release indicates [1] a fix for the following issue, which has been assigned CVE-2010-1848.  Currently the bug report [2] is not public.

 The server failed to check the table name argument of a COM_FIELD_LIST command packet for validity and compliance to acceptable table name standards. This could be exploited to bypass almost all forms of checks for privileges and table-level grants by providing a specially crafted table name argument to COM_FIELD_LIST.

 In MySQL 5.0 and above, this allowed an authenticated user with SELECT privileges on one table to obtain the field definitions of any table in all other databases and potentially of other MySQL instances accessible from the server's file system.

 Additionally, for MySQL version 5.1 and above, an authenticated user with DELETE or SELECT privileges on one table could delete or read content from any other table in all databases on this server, and potentially of other MySQL instances accessible from the server's file system. (Bug#53371, CVE-2010-1848)


Without access to the upstream bug, it is difficult to determine if this affects older releases, however the 5.0.91 release notes [3] do not currently note this flaw, so it may only affect 5.1.x.

[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
[2] http://bugs.mysql.com/bug.php?id=53371
[3] http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html

Comment 1 Tomas Hoger 2010-05-14 07:25:21 UTC
Upstream commits that reference upstream bug, both 5.0 and 5.1 branches:

http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2861
http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1-bugteam/revision/3367

Comment 3 Tomas Hoger 2010-05-14 10:23:20 UTC
The two issues described in the upstream release notes as quote in comment #0 seem unrelated, they are the same type of flaw, but affect different versions and impacts are quite different too:

- COM_FIELD_LIST issue - allows authenticated user to get info about fields of any table in any database via directory traversal.  As info returned in response to COM_FIELD_LIST is limited to table structure info, which significantly limits the impact of the flaw.  This affect pre-5.0 versions too.

- There is additional instance of the similar problem in 5.1+, but it allows authenticated user to read or modify arbitrary table.  Example based on upstream test cases:
  SELECT * FROM `../mysql/user`;

Comment 8 Tomas Hoger 2010-05-20 13:12:53 UTC
Created attachment 415407 [details]
Patch backported to 5.0.77, EL5

http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2861

Note: needs to be applied after CVE-2010-1850 fix.

Comment 9 Tomas Hoger 2010-05-20 15:02:26 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw for Red Hat Enterprise Linux 3 and 4 mysql packages.

Comment 11 Fedora Update System 2010-05-24 23:31:33 UTC
mysql-5.1.47-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc12

Comment 12 Fedora Update System 2010-05-24 23:31:55 UTC
mysql-5.1.47-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc13

Comment 13 Fedora Update System 2010-05-24 23:32:16 UTC
mysql-5.1.47-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc11

Comment 16 errata-xmlrpc 2010-05-26 14:57:45 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0442 https://rhn.redhat.com/errata/RHSA-2010-0442.html

Comment 17 Fedora Update System 2010-06-07 22:27:43 UTC
mysql-5.1.47-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2010-06-07 22:30:16 UTC
mysql-5.1.47-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2010-06-07 22:31:37 UTC
mysql-5.1.47-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 errata-xmlrpc 2010-11-03 20:04:57 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0824 https://rhn.redhat.com/errata/RHSA-2010-0824.html


Note You need to log in before you can comment on or make changes to this bug.