[USN-96-1] mySQL vulnerabilities

Martin Pitt martin.pitt at canonical.com
Wed Mar 16 08:13:47 UTC 2005


===========================================================
Ubuntu Security Notice USN-96-1		     March 16, 2005
mysql-dfsg vulnerabilities
CAN-2005-0709, CAN-2005-0710, CAN-2005-0711
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

mysql-server

The problem can be corrected by upgrading the affected package to
version 4.0.20-2ubuntu1.4. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Stefano Di Paola discovered three privilege escalation flaws in the MySQL
server:

- If an authenticated user had INSERT privileges on the 'mysql' administrative
  database, the CREATE FUNCTION command allowed that user to use libc functions
  to execute arbitrary code with the privileges of the database server (user
  'mysql'). (CAN-2005-0709)

- If an authenticated user had INSERT privileges on the 'mysql' administrative
  database, it was possible to load a library located in an arbitrary directory
  by using INSERT INTO mysql.func instead of CREATE FUNCTION.  This allowed the
  user to execute arbitrary code with the privileges of the database server (user
  'mysql'). (CAN-2005-0710)

- Temporary files belonging to tables created with CREATE TEMPORARY TABLE were
  handled in an insecure way. This allowed any local computer user to overwrite
  arbitrary files with the privileges of the database server. (CAN-2005-0711)

Matt Brubeck discovered that the directory /usr/share/mysql/ was owned and
writable by the database server user 'mysql'. This directory contains scripts
which are usually run by root. This allowed a local attacker who already has
mysql privileges to gain full root access by modifying a script and tricking
root into executing it.

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.20-2ubuntu1.4.diff.gz
      Size/MD5:   174589 a7bbe440e9d8cbcf41e7dcbf33254ba5
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.20-2ubuntu1.4.dsc
      Size/MD5:      892 8410cb63b79655f10df1c2a797249350
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-dfsg_4.0.20.orig.tar.gz
      Size/MD5:  9760117 f092867f6df2f50b34b8065312b9fb2b

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-common_4.0.20-2ubuntu1.4_all.deb
      Size/MD5:    24600 8cce579993297755f7af60742b0c7738

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient-dev_4.0.20-2ubuntu1.4_amd64.deb
      Size/MD5:  2810480 35a6f5626620f1446a82ba657731c524
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12_4.0.20-2ubuntu1.4_amd64.deb
      Size/MD5:   304662 a4b2c340bcbad53aebe3736b131ab608
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.20-2ubuntu1.4_amd64.deb
      Size/MD5:   422698 5c4fc21698901aa4d895eb8e14b06b54
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.20-2ubuntu1.4_amd64.deb
      Size/MD5:  3577580 ddddf044b09cc3860fbd18939ba4607f

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient-dev_4.0.20-2ubuntu1.4_i386.deb
      Size/MD5:  2773926 c117672f9fed7ab0e3fe1232880f9262
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12_4.0.20-2ubuntu1.4_i386.deb
      Size/MD5:   287600 acd9b30e3e6ef2391cd36c208202b633
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.20-2ubuntu1.4_i386.deb
      Size/MD5:   396652 0e753c494924f6d63a8a2ed772c86daa
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.20-2ubuntu1.4_i386.deb
      Size/MD5:  3486636 aa84280881da8c2fe826df5c30b7905e

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient-dev_4.0.20-2ubuntu1.4_powerpc.deb
      Size/MD5:  3109952 e36cf9560a5d8f345801cacb0c2c2c58
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/libmysqlclient12_4.0.20-2ubuntu1.4_powerpc.deb
      Size/MD5:   308292 a8ddf7818b3d7d4aa280eb862560f5ed
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-client_4.0.20-2ubuntu1.4_powerpc.deb
      Size/MD5:   452118 7037cde3771768530ea54d7565bd4a5e
    http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg/mysql-server_4.0.20-2ubuntu1.4_powerpc.deb
      Size/MD5:  3770076 211d6d9fb5899f80dd216cc76b854148
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20050316/42e0fb91/attachment.pgp>


More information about the ubuntu-security-announce mailing list