On Fri, Jul 04, 2008 at 02:56:00PM +0200, Tomas Hoger wrote:
> Looks like upstream patch is incomplete.  Have you already notified
> upstream about the problem?

Not yet -- I still need to hand-verify it against a pristine upstream; it's
reproducible with 5.0.51a from Sid, but the implementation of the path check
has changed significantly from the original patch.  I'll look into that once I
get a workable fix out for etch.


> > In terms of exploitability, this allows any user with permissions to
> > create tables in a db the ability to read from, write to and delete
> > tables from any other database within the same mysql instance.
> 
> Can you possibly explain this a little more closely?  MySQL should not allow
> you to overwrite existing tables via DATA/INDEX DIRECTORY directives.
> So you can only get access to tables created in the future, if you can
> predict their names.  Or have you managed to escalate privileges to
> already existing tables using this flaw?

Sorry, I was taking the temporal part of the attack as read -- yes, the attack
is still based on creating the hostile tables before the victim database does.

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2

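The path check the thread refers to (deciding whether a DATA DIRECTORY or INDEX DIRECTORY clause points back into the server's own data directory) is the part a fix has to get right, and the following is an added example of that check, not code from the Debian or upstream patches. It is written in Python rather than the server's C++ so it runs stand-alone, and it contrasts a purely lexical comparison with one that resolves symlinks before comparing. The directory layout it builds (a data directory holding `victimdb`, a separate `scratch` directory, and a symlink named `harmless-looking`), the `elsewhere` directory, and all function names are constructed for the demonstration and are assumptions, not anything the server does.

```python
import os
import tempfile


def path_is_inside(path: str, root: str) -> bool:
    """True when `path` equals `root` or lies beneath it.

    Both arguments must already be absolute and normalised.  Comparing against
    root plus a separator stops "/var/lib/mysql2" from matching "/var/lib/mysql".
    """
    root = root.rstrip(os.sep)
    return path == root or path.startswith(root + os.sep)


def lexical_check(datadir: str, requested: str) -> bool:
    """Accept the requested directory only if its literal text is outside datadir.

    Weak form: it never consults the filesystem, so a directory that is named
    elsewhere but is a symlink into datadir is accepted.
    """
    return not path_is_inside(os.path.normpath(os.path.abspath(requested)),
                              os.path.normpath(os.path.abspath(datadir)))


def resolved_check(datadir: str, requested: str) -> bool:
    """Accept only if the path, with every symlink component resolved, is outside datadir."""
    return not path_is_inside(os.path.realpath(requested), os.path.realpath(datadir))


def build_demo_tree() -> dict:
    """Construct a hypothetical layout (assumption, not a real server install):
    a data directory containing a victim database directory, an unprivileged
    scratch directory holding a symlink back into that database directory, and
    an unrelated directory that is genuinely outside the data directory."""
    base = tempfile.mkdtemp(prefix="datadir-check-")
    datadir = os.path.join(base, "mysql")
    victim = os.path.join(datadir, "victimdb")
    os.makedirs(victim)
    scratch = os.path.join(base, "scratch")
    os.makedirs(scratch)
    link = os.path.join(scratch, "harmless-looking")
    os.symlink(victim, link)
    elsewhere = os.path.join(base, "elsewhere")
    os.makedirs(elsewhere)
    return {"datadir": datadir, "victim": victim, "link": link, "elsewhere": elsewhere}


def run_demo() -> dict:
    """Return (lexical_verdict, resolved_verdict) for three candidate directories;
    True means the clause would be accepted."""
    t = build_demo_tree()
    cases = {"direct": t["victim"], "via_symlink": t["link"], "outside": t["elsewhere"]}
    return {name: (lexical_check(t["datadir"], p), resolved_check(t["datadir"], p))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (lex, res) in run_demo().items():
        print(f"{name:12s} lexical={'accept' if lex else 'reject'} "
              f"resolved={'accept' if res else 'reject'}")
```

The `via_symlink` case is the one that separates the two checks: the lexical comparison accepts it, the resolved comparison rejects it. Two caveats apply to any such check. It is evaluated once, at CREATE TABLE time, so it says nothing about what the path resolves to after the table exists; a directory component that is later replaced by a symlink is not caught. And it does not bind directories across databases at all, which is why, as the thread notes, the attack only needs the hostile tables to exist before the victim creates tables of the same name. The blunt mitigation that avoids both problems is to disable symlink support in the server altogether (`--skip-symbolic-links`, or `symbolic-links=0` in `my.cnf`), which makes DATA/INDEX DIRECTORY clauses inert.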