USN-96-1: mySQL vulnerabilities

Publication date

16 March 2005

Overview

mySQL vulnerabilities

Releases


Details

Stefano Di Paola discovered three privilege escalation flaws in the MySQL
server:

  • If an authenticated user had INSERT privileges on the ‘mysql’ administrative
    database, the CREATE FUNCTION command allowed that user to use libc functions
    to execute arbitrary code with the privileges of the database server (user
    ‘mysql’). (CAN-2005-0709)

  • If an authenticated user had INSERT privileges on the ‘mysql’ administrative
    database, it was possible to load a library located in an arbitrary directory
    by using INSERT INTO mysql.func instead of CREATE FUNCTION. This allowed the
    user to execute arbitrary code with the privileges of the database server (user
    ‘mysql’). (CAN-2005-0710)

  • Temporary files belonging to tables created with CREATE TEMPORARY TABLE were
    handled in an insecure way. This allowed any local computer user to overwrite
    arbitrary files with the privileges of the database server....

Stefano Di Paola discovered three privilege escalation flaws in the MySQL
server:

  • If an authenticated user had INSERT privileges on the ‘mysql’ administrative
    database, the CREATE FUNCTION command allowed that user to use libc functions
    to execute arbitrary code with the privileges of the database server (user
    ‘mysql’). (CAN-2005-0709)

  • If an authenticated user had INSERT privileges on the ‘mysql’ administrative
    database, it was possible to load a library located in an arbitrary directory
    by using INSERT INTO mysql.func instead of CREATE FUNCTION. This allowed the
    user to execute arbitrary code with the privileges of the database server (user
    ‘mysql’). (CAN-2005-0710)

  • Temporary files belonging to tables created with CREATE TEMPORARY TABLE were
    handled in an insecure way. This allowed any local computer user to overwrite
    arbitrary files with the privileges of the database server. (CAN-2005-0711)

Matt Brubeck discovered that the directory /usr/share/mysql/ was owned and
writable by the database server user ‘mysql’. This directory contains scripts
which are usually run by root. This allowed a local attacker who already has
mysql privileges to gain full root access by modifying a script and tricking
root into executing it.


Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
4.10 warty mysql-server – 

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›