MySQL: Privilege bypass

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200809-04 / mysql
Release Date: September 04, 2008
Latest Revision: September 04, 2008: 01
Impact: normal
Exploitable: remote

| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| --- | --- | --- | --- |
| dev-db/mysql | < 5.0.60-r1 | >= 5.0.60-r1 | All supported architectures |

Related bugreports: #220399

Synopsis

A vulnerability in MySQL might allow users to bypass privileges and gain access to other databases.

2.  Impact Information

Background

MySQL is a popular multi-threaded, multi-user SQL server.

Description

Sergei Golubchik reported that MySQL imposes no restrictions on the specification of "DATA DIRECTORY" or "INDEX DIRECTORY" in SQL "CREATE TABLE" statements.

Impact

An authenticated remote attacker could create MyISAM tables whose DATA DIRECTORY or INDEX DIRECTORY points at directories that will contain future table files of other database users, or at existing table files in the MySQL data directory, and thereby gain access to those tables.
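
One way to audit for the statements described above, as an added example that is not part of the advisory or of MySQL: it scans CREATE TABLE statements (for instance from a query log or a schema dump) and flags DATA DIRECTORY / INDEX DIRECTORY options that resolve inside the server's data directory. The data directory path `/var/lib/mysql`, the function names and the sample statements are assumptions constructed for illustration.

```python
import posixpath
import re

# Assumption: the server's data directory; adjust to the value of datadir.
DATADIR = "/var/lib/mysql"

# DATA DIRECTORY / INDEX DIRECTORY table options with a quoted path.
# The "=" is optional in MySQL's table-option syntax.
OPTION_RE = re.compile(
    r"\b(DATA|INDEX)\s+DIRECTORY\s*=?\s*(['\"])(.+?)\2", re.IGNORECASE)
CREATE_RE = re.compile(r"\bCREATE\s+(?:TEMPORARY\s+)?TABLE\b", re.IGNORECASE)


def inside(path, root):
    """True if path, after collapsing '.' and '..', is root or lies below it.

    This is a lexical check only: symlinks are not resolved, so on the
    database host compare os.path.realpath() results instead.
    """
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit(statements, datadir=DATADIR):
    """Return (stmt_no, option, path, in_datadir) for each directory option."""
    findings = []
    for stmt_no, stmt in enumerate(statements, start=1):
        if not CREATE_RE.search(stmt):
            continue  # only CREATE TABLE statements carry these options
        for kind, _quote, path in OPTION_RE.findall(stmt):
            findings.append((stmt_no, kind.upper() + " DIRECTORY", path,
                             inside(path, datadir)))
    return findings


# Constructed sample statements (not taken from the advisory).
SAMPLE = [
    "CREATE TABLE app.t1 (id INT) ENGINE=MyISAM",
    "CREATE TABLE app.t2 (id INT) ENGINE=MyISAM DATA DIRECTORY='/srv/fastdisk/app'",
    "create table app.t3 (id INT) engine=MyISAM data directory = '/var/lib/mysql/hr' "
    "index directory='/var/lib/mysql/../mysql/hr/'",
    "SELECT 'DATA DIRECTORY=''/var/lib/mysql/x''' FROM dual",
]

if __name__ == "__main__":
    for stmt_no, option, path, hit in audit(SAMPLE):
        flag = "INSIDE DATADIR" if hit else "outside datadir"
        print(f"stmt {stmt_no}: {option} -> {path} [{flag}]")
```

Statements flagged as inside the data directory on a server older than 5.0.60-r1 are the ones to review against the table files already present there.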

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All MySQL users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-5.0.60-r1"

4.  References



Page updated September 04, 2008

Summary: This is a Gentoo Linux Security Advisory
