Re: [d-security] Re: mysql update for Woody?
Hello
I Cc team@security, maybe my mails really got forgotten.
On Tue, Apr 29, 2003 at 08:35:24PM -0400, Carl Fink wrote:
> > Where did you get the information that said mysql was vulnerable?
>
> Several places, for one:
>
> http://www.linuxsecurity.com/advisories/trustix_advisory-2990.html
Debian woody was vulnerable to this attack. Here excerpts from mails
that I sent to team@security.debian.org at 2003-03-09 and 2003-03-11:
...
The possible impacts are:
- After a server reload, the daemon then runs as root and the
user is able to create but NOT overwrite files with always
exactly this permissions: "-rw-rw-rw- root root"
- Even without a server reload, the user may introduce (or even
overwrite, didn't check order) configuration options.
...
Do you think, that this is a security problem grave enough to
fix woody and do a DSA? (I would say yes)
...
An easy fix that might go to woody:
debian/mysql-server.postinst:
if [ ! -e /var/lib/mysql/my.cnf ]; then
echo "# for security reasons" > /var/lib/mysql/my.cnf
fi
This way, a faked config file cannot be generated by an attacker as
mysql does not overwrite files with "SELECT .. INTO OUTFILE".
Also backwards compatibility to admins who have a config there remains.
...
In contradiction to what was stated in another mail Debian's config file
permissions in /etc/mysql/ does not affect this exploit as
/var/lib/mysql was the problem.
> Carl Fink carlf@dm.net
bye,
-christian- (debian maintainer of mysql)
Reply to: