Re: [d-security] Re: mysql update for Woody?
I Cc team@security, maybe my mails really got forgotten.
On Tue, Apr 29, 2003 at 08:35:24PM -0400, Carl Fink wrote:
> > Where did you get the information that said mysql was vulnerable?
> Several places, for one:
Debian woody was vulnerable to this attack. Here are excerpts from mails
that I sent to email@example.com on 2003-03-09 and 2003-03-11:
The possible impacts are:
- After a server reload, the daemon then runs as root and the
  user is able to create but NOT overwrite files with always
  exactly these permissions: "-rw-rw-rw- root root"
- Even without a server reload, the user may introduce (or even
  overwrite, didn't check order) configuration options.
Do you think that this is a security problem grave enough to
fix woody and do a DSA? (I would say yes)
An easy fix that might go to woody:
    if [ ! -e /var/lib/mysql/my.cnf ]; then
        echo "# for security reasons" > /var/lib/mysql/my.cnf
    fi
This way, a faked config file cannot be generated by an attacker as
mysql does not overwrite files with "SELECT .. INTO OUTFILE".
Backwards compatibility for admins who have a config there also remains.
In contradiction to what was stated in another mail, Debian's config file
permissions in /etc/mysql/ do not affect this exploit, as
/var/lib/mysql was the problem.
> Carl Fink firstname.lastname@example.org
-christian- (debian maintainer of mysql)
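
The placeholder fix and a matching audit, as an added example that is not part of the original mail or of the Debian package. The function names are hypothetical, and the data directory is passed as an argument (the mail uses /var/lib/mysql).

```shell
#!/bin/sh
# Added example: apply the mail's placeholder fix and audit a MySQL data
# directory for the file mode the mail describes ("-rw-rw-rw- root root").

# Print the state of DIR/my.cnf: "missing", "world-writable" or "present".
mycnf_state() {
    cnf="$1/my.cnf"
    if [ ! -e "$cnf" ] && [ ! -L "$cnf" ]; then
        echo missing            # nothing blocks creation of a config here
    elif [ -n "$(find "$cnf" -prune -type f -perm -002 2>/dev/null)" ]; then
        echo world-writable     # same mode as the files described in the mail
    else
        echo present
    fi
}

# Create the placeholder only if nothing is there, so an admin's existing
# config is kept. set -C (noclobber) makes the redirect fail instead of
# truncating a file that appears between the test and the write.
ensure_placeholder() {
    cnf="$1/my.cnf"
    if [ -e "$cnf" ] || [ -L "$cnf" ]; then
        return 0
    fi
    ( set -C; umask 022; echo "# for security reasons" > "$cnf" )
}

# List regular files under DIR that anyone may write to.
world_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Stand-alone use: sh thisfile.sh /var/lib/mysql
if [ "$#" -gt 0 ]; then
    echo "my.cnf before: $(mycnf_state "$1")"
    ensure_placeholder "$1"
    echo "my.cnf after:  $(mycnf_state "$1")"
    echo "world-writable files:"
    world_writable_files "$1"
fi
```

A "world-writable" result for my.cnf, or any file in the listing, is a prompt to review the file's content and origin, not proof of compromise.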