Mysql insecure temporary file creation with CREATE TEMPORARY TABLE privilege escalation

Bug #13803 reported by Debian Bug Importer
Affects              Status        Importance  Assigned to  Milestone
mysql-dfsg (Debian)  Fix Released  Unknown
mysql-dfsg (Ubuntu)  Invalid       High        Martin Pitt

Bug Description

Automatically imported from Debian bug report #299029 http://bugs.debian.org/299029

Debian Bug Importer (debzilla) wrote :

Message-Id: <20050311092325.38EB7B72BC@anton>
Date: Fri, 11 Mar 2005 10:23:25 +0100
From: Moritz Muehlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: Mysql insecure temporary file creation with CREATE TEMPORARY TABLE privilege
 escalation

Package: mysql-dfsg
Version: unavailable; reported 2005-03-11
Severity: grave
Tags: security

Stefano Di Paola discovered that MySQL is vulnerable to a symlink attack
if an authenticated user has CREATE TEMPORARY TABLE privileges on any
existent database.

There does not seem to be a CVE assignment yet.
The full advisory can be found at:
http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0082.html

The advisory claims that MySQL has released a fix, and new upstream
releases (4.0.24 and 4.1.10a), which haven't appeared on mysql.com
yet.

Cheers,
         Moritz

-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux anton 2.4.29-univention.1 #1 SMP Thu Jan 27 17:08:46 CET 2005 i686
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro
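
The bug class named in the report above (a privileged process creating a file at a path where another user has already placed a symlink), shown as an added illustration. It is not part of the original thread and is not MySQL source; the function names, the scratch directory and the file names are constructed for the demonstration, and the page does not say how upstream implemented its fix.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Weak pattern: a symlink already sitting at `path` is followed, so the
 * process creates or truncates whatever file the link points at. */
int open_tmp_weak(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0660);
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything, even a
 * dangling symlink, exists at `path`; O_NOFOLLOW is defence in depth. */
int open_tmp_safe(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a private scratch directory holding a "victim"
 * file and a symlink table.tmp -> victim. Opens table.tmp with one of the
 * two patterns and reports whether the victim's contents survived.
 * Returns 1 = intact, 0 = clobbered, -1 = setup failure. */
int victim_survives(int use_safe) {
    char dir[] = "/tmp/symdemoXXXXXX";
    char victim[128], tmp[128], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/table.tmp", dir);

    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4) return -1;
    close(fd);
    if (symlink(victim, tmp) != 0) return -1;

    fd = use_safe ? open_tmp_safe(tmp) : open_tmp_weak(tmp);
    if (fd >= 0) close(fd);

    fd = open(victim, O_RDONLY);
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    unlink(tmp); unlink(victim); rmdir(dir);
    return n == 4 && memcmp(buf, "keep", 4) == 0;
}

int main(void) {
    printf("weak open: victim intact = %d\n", victim_survives(0));
    printf("safe open: victim intact = %d\n", victim_survives(1));
    return 0;
}
```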

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 11 Mar 2005 11:02:33 +0100
From: Christian Hammers <email address hidden>
To: Moritz Muehlenhoff <email address hidden>,
 <email address hidden>
Subject: Re: Bug#299029: Mysql insecure temporary file creation with CREATE
 TEMPORARY TABLE privilege escalation

Hello Moritz

On 2005-03-11 Moritz Muehlenhoff wrote:
> Stefano Di Paola discovered that MySQL is vulnerable to a symlink attack
...

Thank you very much for bringing these issues to my attention, I will
upload a fixed version as soon as I find patches.

bye,

-christian-

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 11 Mar 2005 11:12:04 +0100
From: <email address hidden> (Moritz Mühlenhoff)
To: <email address hidden>
Subject: This applies to MySQL 4.1 as well

clone 299029 -1
reassign -1 mysql-dfsg-4.1
clone 299030 -2
reassign -2 mysql-dfsg-4.1
clone 299031 -3
reassign -3 mysql-dfsg-4.1
thanks
--
Moritz Muehlenhoff <email address hidden> fon: +49 421 22 232- 0
Development Linux for Your Business fax: +49 421 22 232-99
Univention GmbH http://www.univention.de/ mobil: +49 175 22 999 23

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 12 Mar 2005 11:02:22 -0500
From: Christian Hammers <email address hidden>
To: <email address hidden>
Subject: Bug#299029: fixed in mysql-dfsg 4.0.24-1

Source: mysql-dfsg
Source-Version: 4.0.24-1

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg, which is due to be installed in the Debian FTP archive:

libmysqlclient12-dev_4.0.24-1_i386.deb
  to pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-1_i386.deb
libmysqlclient12_4.0.24-1_i386.deb
  to pool/main/m/mysql-dfsg/libmysqlclient12_4.0.24-1_i386.deb
mysql-client_4.0.24-1_i386.deb
  to pool/main/m/mysql-dfsg/mysql-client_4.0.24-1_i386.deb
mysql-common_4.0.24-1_all.deb
  to pool/main/m/mysql-dfsg/mysql-common_4.0.24-1_all.deb
mysql-dfsg_4.0.24-1.diff.gz
  to pool/main/m/mysql-dfsg/mysql-dfsg_4.0.24-1.diff.gz
mysql-dfsg_4.0.24-1.dsc
  to pool/main/m/mysql-dfsg/mysql-dfsg_4.0.24-1.dsc
mysql-dfsg_4.0.24.orig.tar.gz
  to pool/main/m/mysql-dfsg/mysql-dfsg_4.0.24.orig.tar.gz
mysql-server_4.0.24-1_i386.deb
  to pool/main/m/mysql-dfsg/mysql-server_4.0.24-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <email address hidden> (supplier of updated mysql-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 3 Mar 2005 02:37:03 +0100
Source: mysql-dfsg
Binary: libmysqlclient12 mysql-client libmysqlclient12-dev mysql-server mysql-common
Architecture: source i386 all
Version: 4.0.24-1
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <email address hidden>
Changed-By: Christian Hammers <email address hidden>
Description:
 libmysqlclient12 - mysql database client library
 libmysqlclient12-dev - mysql database development files
 mysql-client - mysql database client binaries
 mysql-common - mysql database common files (e.g. /etc/mysql/my.cnf)
 mysql-server - mysql database server binaries
Closes: 208364 285044 294347 297772 298875 299029 299031 299065
Changes:
 mysql-dfsg (4.0.24-1) unstable; urgency=high
 .
   * SECURITY:
     - The following security related updates are addressed:
       CAN-2005-XXX (temporary file creation with "CREATE TEMPORARY TABLE")
       CAN-2005-XXX (arbitrary library injection in udf_init())
       CAN-2005-XXX (arbitrary code execution via "CREATE FUNCTION")
       Closes: #299029, #299031, #299065
   * New Upstream Release.
     - Fixes some server crash conditions.
     - Upstream includes fix for TMPDIR overriding my.cnf tmpdir setting
       Closes: #294347
     - Fixes InnoDB error message. Closes: #298875
     - Fixes resource limiting. Closes: #285044
   * Improved checking whether or not the server is alive in the init script
     which should make it possible to run ...

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 12 Mar 2005 13:02:39 -0500
From: Christian Hammers <email address hidden>
To: <email address hidden>
Subject: Bug#299029: fixed in mysql-dfsg-4.1 4.1.10a-1

Source: mysql-dfsg-4.1
Source-Version: 4.1.10a-1

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-4.1, which is due to be installed in the Debian FTP archive:

libmysqlclient14-dev_4.1.10a-1_i386.deb
  to pool/main/m/mysql-dfsg-4.1/libmysqlclient14-dev_4.1.10a-1_i386.deb
libmysqlclient14_4.1.10a-1_i386.deb
  to pool/main/m/mysql-dfsg-4.1/libmysqlclient14_4.1.10a-1_i386.deb
mysql-client-4.1_4.1.10a-1_i386.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-client-4.1_4.1.10a-1_i386.deb
mysql-common-4.1_4.1.10a-1_all.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-common-4.1_4.1.10a-1_all.deb
mysql-dfsg-4.1_4.1.10a-1.diff.gz
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.10a-1.diff.gz
mysql-dfsg-4.1_4.1.10a-1.dsc
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.10a-1.dsc
mysql-dfsg-4.1_4.1.10a.orig.tar.gz
  to pool/main/m/mysql-dfsg-4.1/mysql-dfsg-4.1_4.1.10a.orig.tar.gz
mysql-server-4.1_4.1.10a-1_i386.deb
  to pool/main/m/mysql-dfsg-4.1/mysql-server-4.1_4.1.10a-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <email address hidden> (supplier of updated mysql-dfsg-4.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 3 Mar 2005 02:36:39 +0100
Source: mysql-dfsg-4.1
Binary: libmysqlclient14-dev mysql-common-4.1 libmysqlclient14 mysql-server-4.1 mysql-client-4.1
Architecture: source i386 all
Version: 4.1.10a-1
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <email address hidden>
Changed-By: Christian Hammers <email address hidden>
Description:
 libmysqlclient14 - mysql database client library
 libmysqlclient14-dev - mysql database development files
 mysql-client-4.1 - mysql database client binaries
 mysql-common-4.1 - mysql database common files (e.g. /etc/mysql/my.cnf)
 mysql-server-4.1 - mysql database server binaries
Closes: 208364 285044 294347 297772 298447 298875 299029 299031 299065
Changes:
 mysql-dfsg-4.1 (4.1.10a-1) unstable; urgency=high
 .
   * SECURITY:
     - The following security related updates are addressed:
       CAN-2005-XXX (temporary file creation with "CREATE TEMPORARY TABLE")
       CAN-2005-XXX (arbitrary library injection in udf_init())
       CAN-2005-XXX (arbitrary code execution via "CREATE FUNCTION")
       Closes: #299029, #299031, #299065
   * New Upstream Release.
     - Fixes some server crash conditions.
     - Upstream includes fix for TMPDIR overriding my.cnf tmpdir setting
       Closes: #294347
     - Fixes InnoDB error message. Closes: #298875
     - Fixe...

Martin Pitt (pitti) wrote :

This bug has been marked as a duplicate of bug 13818.

Changed in mysql-dfsg:
status: Unknown → Fix Released