[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] mysql-5.1.41
From:       Tomas Hoger <thoger () redhat ! com>
Date:       2009-12-17 16:01:59
Message-ID: 20091217170159.3593e2af () redhat ! com
[Download RAW message or body]

On Thu, 17 Dec 2009 16:28:16 +0100 Sergei Golubchik <serg@mysql.com>
wrote:

> > > Name: CVE-2009-4030
> > > 
> > > MySQL 5.1.x before 5.1.41 allows local users to bypass certain
> > > privilege checks by calling CREATE TABLE on a MyISAM table with
> > > modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are
> > > originally associated with pathnames without symlinks, and that can
> > > point to tables created at a future time at which a pathname is
> > > modified to contain a symlink to a subdirectory of the MySQL data home
> > > directory, related to incorrect calculation of the
> > > mysql_unpacked_real_data_home value.  NOTE: this vulnerability exists
> > > because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.
> > 
> > This problem is limited to situation where --datadir gets a relative
> > path not starting with '.' and current working directory is not
> > --basedir, right?
> 
> You mean the last problem in the bug report ?
> Yes.

The "Fixed a initialization order remark by Serg" fix,  problem pointed
out in your comment dated as "[14 Jul 15:53] Sergei Golubchik".

As when you use full path for --datadir, it's correctly expanded using
realpath.  Relative paths starting with '.' are expected to be resolved
from CWD.  I've not checked path starting with '~', they may be
affected by this problem too.

Thank you for clarifications / confirmations!

-- 
Tomas Hoger / Red Hat Security Response Team
[prev in list] [next in list] [prev in thread] [next in thread]