Bug 543653 - (CVE-2009-4030) CVE-2009-4030 mysql: Incomplete fix for CVE-2008-2079 / CVE-2008-4098
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
URL: http://lists.mysql.com/commits/52326
Whiteboard: impact=low,source=internet,reported=2...
Keywords: Security
Depends On: 512255 512257 549329 556505 556506 833941
Blocks:
Reported: 2009-12-02 14:21 EST by Jan Lieskovsky
Modified: 2012-09-25 12:18 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-02-17 04:56:27 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Description Jan Lieskovsky 2009-12-02 14:21:25 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4030 to
the following vulnerability:

MySQL 5.1.x before 5.1.41 allows local users to bypass certain
privilege checks by calling CREATE TABLE on a MyISAM table with
modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are
originally associated with pathnames without symlinks, and that can
point to tables created at a future time at which a pathname is
modified to contain a symlink to a subdirectory of the MySQL data home
directory, related to incorrect calculation of the
mysql_unpacked_real_data_home value. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.

References:
-----------
http://lists.mysql.com/commits/89940
http://www.openwall.com/lists/oss-security/2009/11/19/3
http://marc.info/?l=oss-security&m=125908040022018&w=2
http://www.openwall.com/lists/oss-security/2009/11/24/6
http://marc.info/?l=oss-security&m=125908080222685&w=2
http://bugs.mysql.com/bug.php?id=32167
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html

Upstream patch:
---------------
http://lists.mysql.com/commits/52326
Comment 1 Jan Lieskovsky 2009-12-02 14:24:00 EST
This issue does NOT affect the version of the mysql package as shipped with
Red Hat Enterprise Linux 3.

This issue affects the version of the mysql package as shipped with
Red Hat Enterprise Linux 4.

This issue does NOT affect the version of the mysql package as shipped with
Red Hat Enterprise Linux 5.

Update: Red Hat Enterprise Linux 5 is affected too, see comment #4 below.
Comment 4 Tomas Hoger 2009-12-16 08:30:46 EST
As far as I can tell, this problem can only occur when mysqld is started with a relative path as the argument to --datadir that does not start with '.'.  If the datadir relative path starts with '.', it is expected to be treated as relative to the current working directory.  If it does not, it is treated as relative to the --basedir directory ("/usr" by default in RHEL / Fedora packages).  In that case the DATA/INDEX DIRECTORY argument is compared to "CWD/datadir_path" instead of the intended "basedir_path/datadir_path", so the protection does not work.

By default, mysqld is started with --basedir=/usr and --datadir=/var/lib/mysql.  It is unlikely to be changed to --datadir=relative_path_not_starting_with_dot given the basedir default.  Hence it is limited to certain non-default and rather unlikely setups.

(In reply to comment #1)
> This issue affects the version of the mysql package as shipped with
> Red Hat Enterprise Linux 4.
> 
> This issue does NOT affect the version of the mysql package as shipped with
> Red Hat Enterprise Linux 5.

This info is not correct; the problem exists in the latest Red Hat Enterprise Linux 5 MySQL packages (mysql-5.0.77-3.el5) too.
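The resolution rule and the failed comparison described in comment 4, modelled in Python as an added example that is not code from this bug, from MySQL or from Red Hat. The two resolver functions and the containment check are simplified models of the behaviour the comment describes, not MySQL's actual implementation, and the directory layout the demonstration builds (basedir, working directory, symlink) is constructed for the example.

```python
import os
import tempfile


def resolve_datadir(basedir, datadir, cwd):
    """Resolve --datadir the way comment 4 describes: an absolute path is
    used as-is, a relative path starting with '.' is taken relative to the
    current working directory, and any other relative path is taken
    relative to --basedir."""
    if os.path.isabs(datadir):
        return os.path.normpath(datadir)
    if datadir.startswith("."):
        return os.path.normpath(os.path.join(cwd, datadir))
    return os.path.normpath(os.path.join(basedir, datadir))


def flawed_resolve_datadir(datadir, cwd):
    """Model of the incomplete fix per comment 4: a relative --datadir is
    resolved against the working directory even when it has no leading '.',
    so the data home used for the comparison is the wrong directory."""
    if os.path.isabs(datadir):
        return os.path.normpath(datadir)
    return os.path.normpath(os.path.join(cwd, datadir))


def directory_option_allowed(requested, data_home):
    """Simplified model of the DATA DIRECTORY / INDEX DIRECTORY check: the
    requested path, with symlinks followed, must not be the data home or
    lie beneath it. Returns True when the option would be accepted."""
    real_requested = os.path.realpath(requested)
    real_home = os.path.realpath(data_home)
    try:
        return os.path.commonpath([real_requested, real_home]) != real_home
    except ValueError:  # different drives (Windows): cannot be inside data home
        return True


def demonstrate():
    """Constructed layout (all paths invented for this example): basedir
    <root>/usr, mysqld started from <root>/home/operator with
    --datadir=var/lib/mysql (relative, no leading '.'), and a DATA DIRECTORY
    request that reaches the data home through a symlink. Returns
    (flawed_check_allows, correct_check_allows)."""
    with tempfile.TemporaryDirectory() as root:
        basedir = os.path.join(root, "usr")
        cwd = os.path.join(root, "home", "operator")
        datadir = "var/lib/mysql"
        data_home = os.path.join(basedir, datadir)
        os.makedirs(data_home)
        os.makedirs(cwd)
        # A scratch directory holding a symlink that points into the data home.
        scratch = os.path.join(root, "tmp", "scratch")
        os.makedirs(scratch)
        link = os.path.join(scratch, "link")
        os.symlink(data_home, link)
        requested = os.path.join(link, "t1")

        flawed_home = flawed_resolve_datadir(datadir, cwd)
        correct_home = resolve_datadir(basedir, datadir, cwd)
        return (
            directory_option_allowed(requested, flawed_home),
            directory_option_allowed(requested, correct_home),
        )


if __name__ == "__main__":
    flawed, correct = demonstrate()
    print("flawed data home comparison accepts the path:", flawed)
    print("correct data home comparison accepts the path:", correct)
```

Run directly, the flawed comparison accepts a DATA DIRECTORY that resolves into the data home while the correct one rejects it; the same containment rule applies to INDEX DIRECTORY. The two resolvers only disagree for a relative --datadir without a leading '.', which is exactly the narrow, non-default setup comment 4 describes; with the packaged defaults (--basedir=/usr, --datadir=/var/lib/mysql) both compute the same data home.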
Comment 5 Tomas Hoger 2009-12-21 05:41:34 EST
The patch is committed in upstream 5.1 bazaar branch:
http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/1810.3967.4

but *not* included in 5.1.41 tarballs.
Comment 8 Mac 2010-01-04 10:11:06 EST
Will there be a fix for Red Hat Enterprise Linux 4 & 5?
Comment 9 Tomas Hoger 2010-01-04 10:47:51 EST
A fix may appear in future updates.  As explained above, this has no impact on the default or typical configuration; only unlikely setups are affected.

If you don't need to use symlinks, you can configure MySQL to not create them using skip-symbolic-links.
Comment 13 errata-xmlrpc 2010-02-16 11:05:45 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0109 https://rhn.redhat.com/errata/RHSA-2010-0109.html
Comment 14 errata-xmlrpc 2010-02-16 11:27:51 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0110 https://rhn.redhat.com/errata/RHSA-2010-0110.html