Devin Carraway of the Debian Security Team discovered that the upstream fix for CVE-2008-2079 is incomplete and still makes it possible for local users to create tables via INDEX/DATA DIRECTORY directives in the MySQL data directory (/var/lib/mysql) via directory symlinks. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#25

CVE-2008-2079 was tracked via bug #445222.

An attacker needs the following to exploit this issue:
- MySQL database account with privileges to create tables
- shell access to the host running MySQL database with write access to a directory accessible by the mysqld daemon process
Note: this attack does not work on existing tables. An attacker can only elevate their access to another user's tables as the tables are created. As well, the names of these created tables need to be predicted correctly for this attack to succeed. This issue does not affect MySQL packages as shipped in Red Hat Enterprise Linux 2.1 and 3, as they do not support DATA/INDEX DIRECTORY directives.
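As an added illustration (not MySQL's or Red Hat's code) of the two comments above: the check the corrected upstream fix performs is a comparison on the fully resolved path rather than a textual prefix test, and the same check can be turned around to audit an existing data directory for symlinks that point back into it. The fixture layout, directory names and file names below are constructed for the demo.

```python
# Added example, not MySQL's or Red Hat's code: the resolved-path check the
# corrected upstream fix applies at table-open time, plus an audit of a data
# directory for the inward-pointing symlink pattern this bug abuses.
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def resolves_into_datadir(target: str, datadir: str) -> bool:
    """True when `target`, with every symlink resolved, is the data directory
    or anything beneath it. A textual prefix check on the unresolved path is
    what the incomplete fix relied on; a symlink outside datadir defeats it."""
    real_target, real_datadir = Path(target).resolve(), Path(datadir).resolve()
    return real_target == real_datadir or real_datadir in real_target.parents


def audit_datadir(datadir: str) -> List[Tuple[str, str]]:
    """Report every symlink under datadir whose resolved target lies back
    inside datadir. Legitimate DATA/INDEX DIRECTORY tables produce symlinks
    pointing out of datadir, so an inward-pointing link warrants a look."""
    findings = []
    for root, dirs, files in os.walk(datadir):  # does not follow links
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.islink(path) and resolves_into_datadir(path, datadir):
                findings.append((path, str(Path(path).resolve())))
    return findings


def run_demo() -> Dict[str, object]:
    """Constructed fixture: a fake datadir with db_a and db_b, a scratch
    directory outside it, one symlink from scratch back into db_b, and one
    table file in db_a routed through that link. Returns check results."""
    base = tempfile.mkdtemp(prefix="cve-2008-4098-demo-")
    datadir, scratch = os.path.join(base, "mysql"), os.path.join(base, "scratch")
    for d in ("db_a", "db_b"):
        os.makedirs(os.path.join(datadir, d))
    os.makedirs(scratch)
    os.symlink(os.path.join(datadir, "db_b"), os.path.join(scratch, "link"))
    os.symlink(os.path.join(scratch, "link", "t1.MYD"),  # lands inside db_b
               os.path.join(datadir, "db_a", "t1.MYD"))
    os.symlink(os.path.join(scratch, "t2.MYD"),  # genuinely external: fine
               os.path.join(datadir, "db_a", "t2.MYD"))
    return {
        "link_rejected": resolves_into_datadir(os.path.join(scratch, "link"), datadir),
        "scratch_allowed": not resolves_into_datadir(scratch, datadir),
        "findings": [os.path.basename(p) for p, _ in audit_datadir(datadir)],
    }
```

Running `audit_datadir("/var/lib/mysql")` as the mysql user on a live host lists only links that resolve back into the data directory; ordinary externally stored tables are not reported.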
Created attachment 311275: Devin Carraway's proposed fix
Source: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480292#42
Devin Carraway reported that his updated patch is still possible to defeat, as described in the upstream bug report for the original issue: http://bugs.mysql.com/bug.php?id=32167 (comment dated "[18 Jul 9:43]")

Upstream updated their fix to perform the path check at table open time: http://lists.mysql.com/commits/52326 (commit to 5.0 branch)

This patch is included in upstream versions 5.0.70 and 5.1.28:
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-70.html
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-28.html
This issue does not affect Red Hat Enterprise Linux 5, as the fix for CVE-2008-2079 has not been released yet. Once released, it will use the updated upstream patch, addressing the original flaw without introducing CVE-2008-4098. The incomplete fix for CVE-2008-2079 was used in Red Hat Enterprise Linux 4 and Red Hat Application Stack v1 and v2. Future mysql updates in those products may address this flaw.
This issue has been addressed in the following products:

Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:1067 https://rhn.redhat.com/errata/RHSA-2009-1067.html
Created attachment 378566: Upstream patch for 4.1.x
Extracted from upstream 4.1 bazaar branch: http://bazaar.launchpad.net/~mysql/mysql-server/mysql-4.1/revision/2705
Re-diffed against EL4 4.1.22.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 4

Via RHSA-2010:0110 https://rhn.redhat.com/errata/RHSA-2010-0110.html