
Re: [SECURITY] [DSA 483-1] New mysql packages fix insecure temporary file creation



On Wed, 14 Apr 2004, Martin Schulze wrote:

> CAN-2004-0381
>
>     The script mysqlbug in MySQL allows local users to overwrite
>     arbitrary files via a symlink attack.
>
> CAN-2004-0388
>
>     The script mysqld_multi in MySQL allows local users to overwrite
>     arbitrary files via a symlink attack.
[...]
> For the unstable distribution (sid) these problems will be fixed in
> version 4.0.18-6 of mysql-dfsg.

* mysql unstable (4.0.18-4) changelog says:

  > Applied fix for unprobable tempfile-symlink security problem in
  > mysqlbug reported by Shaun Colley on bugtraq on 2004-03-24.

  but doesn't mention the CAN numbers.

* mysql in unstable is currently at 4.0.18-5

* mysql's bugreports page doesn't show any open reports mentioning any
  unfixed.

So what's the situation now with mysql in unstable?:

- Is the bug mentioned in the advisory fixed in 4.0.18-5 and so the
  advisory wrong (should say "will be fixed in version 4.0.18-6 of
  mysql-dfsg") ...
- or isn't it fixed, in which case I should open a bug report against
  mysql?
*t

--
--------------------------------------------------------
  Tomas Pospisek
  http://sourcepole.com -  Linux & Open Source Solutions
--------------------------------------------------------


