Bug#299065: marked as done (MySQL Privilege Escalation and Command Execution Vulnerabilities)

[Debian Bug Tracking System]

Your message dated Sat, 12 Mar 2005 11:02:22 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#299065: fixed in mysql-dfsg 4.0.24-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Mar 2005 14:50:44 +0000
>From [EMAIL PROTECTED] Fri Mar 11 06:50:43 2005
Return-path: <[EMAIL PROTECTED]>
Received: from baloney.puettmann.net [194.97.54.34] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1D9lTP-00006x-00; Fri, 11 Mar 2005 06:50:43 -0800
Received: from ruben by baloney.puettmann.net with local (ID ruben) (Exim 3.36 
#1)
        id 1D9lPs-0004Ea-00
        for [EMAIL PROTECTED]; Fri, 11 Mar 2005 15:47:04 +0100
Date: Fri, 11 Mar 2005 15:47:04 +0100
To: [EMAIL PROTECTED]
Subject: MySQL Privilege Escalation and Command Execution Vulnerabilities
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="QWpDgw58+k1mSFBj"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
From: Ruben Puettmann <[EMAIL PROTECTED]>
X-Scanner: exiscan *1D9lPs-0004Ea-00*GWJuwzSdm8.* (Puettmann.NeT, Germany)
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.0 required=4.0 tests=BAYES_01,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--QWpDgw58+k1mSFBj
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: mysql-server
Version: 4.0.23-7
Severity: critical
Tags: security


Several vulnerabilities were identified in MySQL, which may be exploited
by local attackers to execute arbitrary commands or obtain elevated
privileges.

- The first flaw is due to an insecure (predictable name) temporary file
  creation with "CREATE TEMPORARY TABLE", which may be exploited by an
  attacker that has "CREATE TEMPORARY TABLE" privileges to conduct symlink
  attacks.

- The second vulnerability is due to an arbitrary library injection
  error and resides in the "udf_init()" function (sql_udf.cc), which may=20
  be exploited by an attacker (with INSERT and DELETE privileges) to
  load/execute a malicious library with MySQL privileges.

- The third flaw occurs when handling specially crafted "CREATE
  FUNCTION" commands, which may be exploited by a malicious user (with
  INSERT and DELETE privileges) to execute arbitrary code with MySQL
  privileges.

For the complete Advisory see:

http://www.k-otik.com/english/advisories/2005/0252





--=20
Ruben Puettmann
[EMAIL PROTECTED]
http://www.puettmann.net

--QWpDgw58+k1mSFBj
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCMa9ngHHssbUmOEIRAij0AKCZkUPy3w+lieBvZx6V63IoSPd6rwCg+VoD
cMyKwbcBsimg6JzExhk04ak=
=TFWg
-----END PGP SIGNATURE-----

--QWpDgw58+k1mSFBj--

---------------------------------------
Received: (at 299065-close) by bugs.debian.org; 12 Mar 2005 16:08:03 +0000
>From [EMAIL PROTECTED] Sat Mar 12 08:08:02 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DA99m-0007VS-00; Sat, 12 Mar 2005 08:08:02 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1DA94I-0001UM-00; Sat, 12 Mar 2005 11:02:22 -0500
From: Christian Hammers <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#299065: fixed in mysql-dfsg 4.0.24-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sat, 12 Mar 2005 11:02:22 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 8

Source: mysql-dfsg
Source-Version: 4.0.24-1

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg, which is due to be installed in the Debian FTP archive:

libmysqlclient12-dev_4.0.24-1_i386.deb
  to pool/main/m/mysql-dfsg/libmysqlclient12-dev_4.0.24-1_i386.deb
libmysqlclient12_4.0.24-1_i386.deb
  to pool/main/m/mysql-dfsg/libmysqlclient12_4.0.24-1_i386.deb
mysql-client_4.0.24-1_i386.deb
  to pool/main/m/mysql-dfsg/mysql-client_4.0.24-1_i386.deb
mysql-common_4.0.24-1_all.deb
  to pool/main/m/mysql-dfsg/mysql-common_4.0.24-1_all.deb
mysql-dfsg_4.0.24-1.diff.gz
  to pool/main/m/mysql-dfsg/mysql-dfsg_4.0.24-1.diff.gz
mysql-dfsg_4.0.24-1.dsc
  to pool/main/m/mysql-dfsg/mysql-dfsg_4.0.24-1.dsc
mysql-dfsg_4.0.24.orig.tar.gz
  to pool/main/m/mysql-dfsg/mysql-dfsg_4.0.24.orig.tar.gz
mysql-server_4.0.24-1_i386.deb
  to pool/main/m/mysql-dfsg/mysql-server_4.0.24-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <[EMAIL PROTECTED]> (supplier of updated mysql-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  3 Mar 2005 02:37:03 +0100
Source: mysql-dfsg
Binary: libmysqlclient12 mysql-client libmysqlclient12-dev mysql-server 
mysql-common
Architecture: source i386 all
Version: 4.0.24-1
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <[EMAIL PROTECTED]>
Changed-By: Christian Hammers <[EMAIL PROTECTED]>
Description: 
 libmysqlclient12 - mysql database client library
 libmysqlclient12-dev - mysql database development files
 mysql-client - mysql database client binaries
 mysql-common - mysql database common files (e.g. /etc/mysql/my.cnf)
 mysql-server - mysql database server binaries
Closes: 208364 285044 294347 297772 298875 299029 299031 299065
Changes: 
 mysql-dfsg (4.0.24-1) unstable; urgency=high
 .
   * SECURITY:
     - The following security related updates are addressed:
       CAN-2005-XXX (temporary file creation with "CREATE TEMPORARY TABLE")
       CAN-2005-XXX (arbitrary library injection in udf_init())
       CAN-2005-XXX (arbitrary code execution via "CREATE FUNCTION")
       Closes: #299029, #299031, #299065
   * New Upstream Release.
     - Fixes some server crash conditions.
     - Upstream includes fix for TMPDIR overriding my.cnf tmpdir setting
       Closes: #294347
     - Fixes InnoDB error message. Closes: #298875
     - Fixes resouce limiting. Closes: #285044
   * Improved checking whether or not the server is alive in the init script
     which should make it possible to run several mysqld instances in
     different chroot environments. Closes: #297772
   * Added -O3 and --with-mysqld-ldflags=-all-static as MySQL recommends to
     build the server binary statically in order to gain about 13% more
     performance (thanks to Marcin Kowalski).
   * Added patch to let mysqld_safe react to signals (thanks to Erich
     Schubert). Closes: #208364
   * (Thanks to Sean Finney for doing a great share of work for this release!)
Files: 
 12b90f580654516bf10ab2b41837da87 923 misc optional mysql-dfsg_4.0.24-1.dsc
 aed8f335795a359f32492159e3edfaa3 9923794 misc optional 
mysql-dfsg_4.0.24.orig.tar.gz
 ce1ea63eb78125376d25349885716015 89833 misc optional 
mysql-dfsg_4.0.24-1.diff.gz
 1457cadc641b1e5f4fb5810552358077 32588 misc optional 
mysql-common_4.0.24-1_all.deb
 6cbe2bf04614275350f87757cb6dc4ab 294422 libs optional 
libmysqlclient12_4.0.24-1_i386.deb
 fa2268a36ee7facac2e04bb77ae6237a 2920808 libdevel extra 
libmysqlclient12-dev_4.0.24-1_i386.deb
 4daf728749d91ab2e6eab4fd53dbc92e 413298 misc optional 
mysql-client_4.0.24-1_i386.deb
 df87ce5f1b2ea3216927302bec4cb398 3813564 misc optional 
mysql-server_4.0.24-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iEYEARECAAYFAkIzB3AACgkQkR9K5oahGOaxKwCgrxK9mjqjlD/Sa2zSbs/lpFz3
+JoAnROIGkn9Bxp5z4ORJmBTudTcJUFL
=hnUM
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]