Bug 592079 - (CVE-2010-1848) CVE-2010-1848 mysql: multiple insufficient table name checks
CVE-2010-1848 mysql: multiple insufficient table name checks
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
public=20100513,reported=20100513,sou...
: Security
Depends On: 590598 592862 592874 592875 645637 645638 833942 915890 984994 985414
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-13 15:45 EDT by Vincent Danen
Modified: 2016-11-08 11:23 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 915890 (view as bug list)
Environment:
Last Closed: 2015-07-29 10:19:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch backported to 5.0.77, EL5 (2.79 KB, patch)
2010-05-20 09:12 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Vincent Danen 2010-05-13 15:45:41 EDT
The upcoming MySQL 5.1.47 release indicates [1] a fix for the following issue, which has been assigned CVE-2010-1848.  Currently the bug report [2] is not public.

 The server failed to check the table name argument of a COM_FIELD_LIST command packet for validity and compliance to acceptable table name standards. This could be exploited to bypass almost all forms of checks for privileges and table-level grants by providing a specially crafted table name argument to COM_FIELD_LIST.

 In MySQL 5.0 and above, this allowed an authenticated user with SELECT privileges on one table to obtain the field definitions of any table in all other databases and potentially of other MySQL instances accessible from the server's file system.

 Additionally, for MySQL version 5.1 and above, an authenticated user with DELETE or SELECT privileges on one table could delete or read content from any other table in all databases on this server, and potentially of other MySQL instances accessible from the server's file system. (Bug#53371, CVE-2010-1848)


Without access to the upstream bug, it is difficult to determine if this affects older releases, however the 5.0.91 release notes [3] do not currently note this flaw, so it may only affect 5.1.x.

[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html
[2] http://bugs.mysql.com/bug.php?id=53371
[3] http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html
Comment 1 Tomas Hoger 2010-05-14 03:25:21 EDT
Upstream commits that reference upstream bug, both 5.0 and 5.1 branches:

http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2861
http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1-bugteam/revision/3367
Comment 3 Tomas Hoger 2010-05-14 06:23:20 EDT
The two issues described in the upstream release notes as quote in comment #0 seem unrelated, they are the same type of flaw, but affect different versions and impacts are quite different too:

- COM_FIELD_LIST issue - allows authenticated user to get info about fields of any table in any database via directory traversal.  As info returned in response to COM_FIELD_LIST is limited to table structure info, which significantly limits the impact of the flaw.  This affect pre-5.0 versions too.

- There is additional instance of the similar problem in 5.1+, but it allows authenticated user to read or modify arbitrary table.  Example based on upstream test cases:
  SELECT * FROM `../mysql/user`;
Comment 8 Tomas Hoger 2010-05-20 09:12:53 EDT
Created attachment 415407 [details]
Patch backported to 5.0.77, EL5

http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0-bugteam/revision/2861

Note: needs to be applied after CVE-2010-1850 fix.
Comment 9 Tomas Hoger 2010-05-20 11:02:26 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw for Red Hat Enterprise Linux 3 and 4 mysql packages.
Comment 11 Fedora Update System 2010-05-24 19:31:33 EDT
mysql-5.1.47-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc12
Comment 12 Fedora Update System 2010-05-24 19:31:55 EDT
mysql-5.1.47-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc13
Comment 13 Fedora Update System 2010-05-24 19:32:16 EDT
mysql-5.1.47-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mysql-5.1.47-1.fc11
Comment 16 errata-xmlrpc 2010-05-26 10:57:45 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0442 https://rhn.redhat.com/errata/RHSA-2010-0442.html
Comment 17 Fedora Update System 2010-06-07 18:27:43 EDT
mysql-5.1.47-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2010-06-07 18:30:16 EDT
mysql-5.1.47-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2010-06-07 18:31:37 EDT
mysql-5.1.47-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 errata-xmlrpc 2010-11-03 16:04:57 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0824 https://rhn.redhat.com/errata/RHSA-2010-0824.html

Note You need to log in before you can comment on or make changes to this bug.