__________________________________________________________

             The U.S. Department of Energy
        Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

    Red Hat Updated MySQL Packages Fix Security Issues and Bugs
                       [RHSA-2004:597-06]

October 21, 2004 17:00 GMT                                   Number P-018
[REVISED 27 Oct 2004]
[REVISED 28 Oct 2004]
[REVISED 12 Nov 2004]
[REVISED 12 Aug 2005]
______________________________________________________________________________
PROBLEM:       A number of security issues that affect the MySQL server
               have been reported:
               1) "ALTER TABLE ... RENAME" checked the CREATE/INSERT rights
                  of the old table instead of the new one (CAN-2004-0835);
               2) A buffer overrun in the mysql_real_connect function
                  (CAN-2004-0836);
               3) Multiple threads ALTERing the same (or different) MERGE
                  tables to change the UNION (CAN-2004-0837);
               4) A user is granted privileges to a database with a name
                  containing an underscore ("_") (CAN-2004-0957);
               5) A temporary file vulnerability in the mysqlbug script
                  (CAN-2004-0381);
               6) A temporary file vulnerability in mysqld_multi
                  (CAN-2004-0388);
               7) A temporary file vulnerability in the mysqlhotcopy script
                  when using the scp method (CAN-2004-0457).

PLATFORM:      Red Hat Desktop (v.3)
               Red Hat Enterprise Linux AS, ES, WS (v. 2.1 and v.3)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               SGI ProPack 3 Service Pack 1

DAMAGE:        1) Could allow a user who holds rights on a table to rename
                  it to a name for which the required CREATE/INSERT rights
                  were never checked, and so conduct unauthorized
                  activities;
               2) Allows remote attackers to cause a denial of service and
                  possibly execute arbitrary code via a malicious DNS
                  server;
               3) Allows attackers to cause a denial of service (crash or
                  hang) via multiple threads that simultaneously alter
                  MERGE table UNIONs;
               4) When a user has privileges for a database whose name
                  includes a "_" (underscore), the server also grants
                  privileges on other databases with similar names, which
                  can allow the user to conduct unauthorized activities;
               5) Allows local users to overwrite arbitrary files via a
                  symlink attack on the failed-mysql-bugreport temporary
                  file;
               6) Allows local users to overwrite arbitrary files via a
                  symlink attack;
               7) Allows local users to overwrite arbitrary files via a
                  symlink attack on temporary files.

SOLUTION:      Upgrade to the appropriate packages.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. For issues 1, 3 and 4 the attacker must
ASSESSMENT:    already have an account on the database server. Issue 2
               is the exception: it requires forcing a MySQL client to use
               a malicious DNS server rather than a database account.
               Issues 5 to 7 require local access to the host running the
               scripts.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-018.shtml
 ORIGINAL BULLETIN:  Red Hat RHSA-2004:597-06
                     https://rhn.redhat.com/errata/RHSA-2004-597.html
 ADDITIONAL LINKS:   Red Hat RHSA-2004:569-16
                     https://rhn.redhat.com/errata/RHSA-2004-569.html
                     Red Hat RHSA-2004:611-04
                     https://rhn.redhat.com/errata/RHSA-2004-611.html
                     SGI Security Advisory #20041004-01-U
                     SGI Advanced Linux Environment 3 Security Update #16
                     ftp://patches.sgi.com/support/free/security/advisories/20041004-01-U.asc
                     SGI Security Advisory #20041102-01-U
                     SGI Advanced Linux Environment 3 Security Update #17
                     http://www.sgi.com/support/security/advisories.html
                     Sun Alert ID: 101864
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-101864-1&searchclause=101864
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0381  CAN-2004-0388  CAN-2004-0457
                     CAN-2004-0835  CAN-2004-0836  CAN-2004-0837
                     CAN-2004-0957  CAN-2004-0004  CAN-2004-0709
______________________________________________________________________________
REVISION HISTORY:
 10/27/2004 - Added a link to patches for Red Hat Desktop v.3 and Red Hat
              Enterprise Linux AS, ES, WS v.3, available through
              RHSA-2004:611-04.
 10/28/2004 - Added a link to SGI Security Advisory 20041004-01-U, which
              provides Patch 10112 for SGI ProPack 3 Service Pack 1
              addressing this vulnerability.
 11/12/2004 - Added a link to SGI Security Advisory #20041102-01-U
              (Security Update #17), which provides Patch 10117 for SGI
              ProPack 3 Service Pack 1 addressing this vulnerability.
 08/12/2005 - Added a link to Sun Alert ID: 101864.

[***** Start RHSA-2004:597-06 *****]

Updated mysql packages fix security issues and bugs

Advisory:             RHSA-2004:597-06
Last updated on:      2004-10-20
Affected Products:    Red Hat Enterprise Linux AS (v. 2.1)
                      Red Hat Enterprise Linux ES (v. 2.1)
                      Red Hat Enterprise Linux WS (v. 2.1)
                      Red Hat Linux Advanced Workstation 2.1 for the
                      Itanium Processor
CVEs (cve.mitre.org): CAN-2004-0381 CAN-2004-0388 CAN-2004-0457
                      CAN-2004-0835 CAN-2004-0836 CAN-2004-0837
                      CAN-2004-0957

Security Advisory Details:

Updated mysql packages that fix various security issues, as well as a number
of bugs, are now available for Red Hat Enterprise Linux 2.1.

MySQL is a multi-user, multi-threaded SQL database server.

A number of security issues that affect the mysql server have been reported:

Oleksandr Byelkin discovered that "ALTER TABLE ... RENAME" checked the
CREATE/INSERT rights of the old table instead of the new one. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0835 to this issue.

Lukasz Wojtow discovered a buffer overrun in the mysql_real_connect function.
In order to exploit this issue an attacker would need to force the use of a
malicious DNS server (CAN-2004-0836).

Dean Ellis discovered that multiple threads ALTERing the same (or different)
MERGE tables to change the UNION could cause the server to crash or stall
(CAN-2004-0837).

Sergei Golubchik discovered that if a user is granted privileges to a
database with a name containing an underscore ("_"), the user also gains the
ability to grant privileges to other databases with similar names
(CAN-2004-0957).
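Worked example, added here; it is not part of the Red Hat advisory or of the MySQL sources. In MySQL's GRANT statement an unescaped "_" in a database name matches any one character and an unescaped "%" any sequence of characters, and the Db column of mysql.db is matched against the name as such a pattern; a literal underscore has to be written "\_". That is the mechanism behind the CAN-2004-0957 issue described above: a grant recorded for sales_2004 also matches salesX2004. The POSIX shell below models that matching so the leak and the escaped form can be compared offline without a server; the grant patterns, database names and the grant_covers helper are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the advisory or from MySQL itself. Models how a
# database name stored in mysql.db's Db column is matched against a database:
# an unescaped "_" matches any one character, an unescaped "%" any sequence, and
# a backslash makes the following character literal (MySQL's documented GRANT
# wildcard rules). The grant patterns and database names below are constructed.

# Append one literal character to $glob, bracketing shell glob metacharacters
# so they cannot act as wildcards themselves.
emit_literal() {
    case $1 in
        '*'|'?'|'[') glob="$glob[$1]" ;;
        '\')         glob="$glob\\\\" ;;
        *)           glob="$glob$1" ;;
    esac
}

# Translate a MySQL GRANT database pattern into an equivalent shell glob.
mysql_grant_pattern_to_glob() {   # $1 = Db pattern as written in GRANT ... ON db.*
    pat=$1
    glob=''
    while [ -n "$pat" ]; do
        c=${pat%"${pat#?}"}       # first character of the remaining pattern
        pat=${pat#?}
        case $c in
            '\')                  # escape: the next character is literal
                if [ -n "$pat" ]; then
                    c=${pat%"${pat#?}"}
                    pat=${pat#?}
                fi
                emit_literal "$c" ;;
            '%') glob="$glob*" ;;
            '_') glob="$glob?" ;;
            *)   emit_literal "$c" ;;
        esac
    done
    printf '%s\n' "$glob"
}

# Does a grant recorded with pattern $1 cover database $2? (0 = yes, 1 = no)
grant_covers() {
    g=$(mysql_grant_pattern_to_glob "$1")
    case $2 in
        $g) return 0 ;;
        *)  return 1 ;;
    esac
}

# Stand-alone run: the unescaped grant leaks onto a look-alike database,
# the escaped one does not.
for db in sales_2004 salesX2004 sales2004; do
    if grant_covers 'sales_2004' "$db"; then
        printf 'GRANT ... ON sales_2004.*   covers %s\n' "$db"
    fi
    if grant_covers 'sales\_2004' "$db"; then
        printf 'GRANT ... ON sales\\_2004.* covers %s\n' "$db"
    fi
done
```

In SQL the escaped form is GRANT SELECT ON `sales\_2004`.* TO 'user'@'host'. The updated packages close the privilege-propagation flaw, but the wildcard semantics are intentional and remain in every MySQL version, so a grant meant for exactly one database whose name contains an underscore should always escape it. The matcher covers only the Db pattern; the real privilege lookup also considers the Host and User columns of mysql.db.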
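Worked example, added here; it is not part of the advisory or of the MySQL helper scripts. Items 5 to 7 under PROBLEM above (detailed in the next paragraph of the Red Hat text) are the classic predictable temporary file pattern: a script writes to a fixed name such as failed-mysql-bugreport in a shared directory, so a local user who plants a symlink with that name beforehand redirects the write onto any file the script's owner can write. The POSIX shell below shows that pattern beside the hardened form, in which mktemp creates the file with O_EXCL and a random suffix so a planted link is never the file that gets opened, and drives both from a throwaway sandbox directory standing in for /tmp so the demonstration touches nothing else. The function names and the report text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the MySQL scripts it covers.
# A predictable temporary file beside its hardened replacement, exercised in a
# private sandbox directory so that nothing under the real /tmp is touched.
set -u

# Vulnerable pattern (what the affected helper scripts did): a fixed, guessable
# name in a shared directory. The shell's ">" follows an existing symlink, so a
# link planted at that name by another local user redirects the write.
insecure_report() {   # $1 = directory standing in for /tmp, $2 = report text
    report="$1/failed-mysql-bugreport"
    printf '%s\n' "$2" > "$report"
    printf '%s\n' "$report"
}

# Hardened pattern: mktemp creates a brand-new file (O_CREAT|O_EXCL, mode 0600)
# with an unguessable suffix, so a pre-planted link can never be the file opened.
secure_report() {     # same arguments; prints the path actually written
    report=$(mktemp "$1/failed-mysql-bugreport.XXXXXX") || return 1
    printf '%s\n' "$2" > "$report"
    printf '%s\n' "$report"
}

# Attack simulation: plant a symlink at the predictable name pointing at a
# victim file, run the chosen variant, and report whether the victim changed.
# Returns 0 if the attack succeeded (victim overwritten), 1 if it did not.
symlink_attack_succeeds() {   # $1 = "insecure" or "secure"
    sandbox=$(mktemp -d) || return 2
    victim="$sandbox/victim"
    printf 'original contents\n' > "$victim"
    ln -s "$victim" "$sandbox/failed-mysql-bugreport"    # the attacker's move
    case $1 in
        insecure) insecure_report "$sandbox" 'attacker-chosen text' >/dev/null ;;
        secure)   secure_report   "$sandbox" 'attacker-chosen text' >/dev/null ;;
    esac
    if [ "$(cat "$victim")" = 'original contents' ]; then rc=1; else rc=0; fi
    rm -rf "$sandbox"
    return $rc
}

# Stand-alone run: show the outcome of each variant.
if symlink_attack_succeeds insecure; then
    echo 'insecure: planted symlink redirected the write, victim overwritten'
fi
if symlink_attack_succeeds secure; then
    echo 'secure: victim overwritten (unexpected)'
else
    echo 'secure: mktemp created a fresh file, victim untouched'
fi
```

symlink_attack_succeeds returns 0 only when the planted link actually redirected the write: with insecure_report it does, with secure_report the victim is untouched and a fresh failed-mysql-bugreport.XXXXXX file is created beside the link instead. Current Linux kernels with fs.protected_symlinks=1 also refuse to follow a symlink in a sticky world-writable directory such as /tmp unless the link's owner matches the follower or the directory owner, which blunts this attack class without fixing the scripts; the sandbox here is an ordinary directory, so the demonstration does not depend on that setting.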
Additionally, the following minor temporary file vulnerabilities were
discovered:

- Stan Bubroski and Shaun Colley found a temporary file vulnerability in the
  mysqlbug script (CAN-2004-0381).
- A temporary file vulnerability was discovered in mysqld_multi
  (CAN-2004-0388).
- Jeroen van Wolffelaar discovered a temporary file vulnerability in the
  mysqlhotcopy script when using the scp method (CAN-2004-0457).

All users of mysql should upgrade to these updated packages, which resolve
these issues and also include fixes for a number of small bugs.

Updated packages:

Red Hat Enterprise Linux AS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
mysql-3.23.58-1.72.1.src.rpm             1a6ad34678d35aa5c1bfba0ff7290c44
i386:
mysql-3.23.58-1.72.1.i386.rpm            a33c7efe12e0a4b0dade197a823a5e42
mysql-devel-3.23.58-1.72.1.i386.rpm      3b0621721b68c67f3d73681c9fbade09
mysql-server-3.23.58-1.72.1.i386.rpm     63280ad1d2b39d5865a209e2822cec5e
ia64:
mysql-3.23.58-1.72.1.ia64.rpm            73b97bae08854a6bbd25a8ad0e057666
mysql-devel-3.23.58-1.72.1.ia64.rpm      709aff64529b31c9dc3ade3017509d44
mysql-server-3.23.58-1.72.1.ia64.rpm     311db47abcc5cc79b094804c5b3912f4

Red Hat Enterprise Linux ES (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
mysql-3.23.58-1.72.1.src.rpm             1a6ad34678d35aa5c1bfba0ff7290c44
i386:
mysql-3.23.58-1.72.1.i386.rpm            a33c7efe12e0a4b0dade197a823a5e42
mysql-devel-3.23.58-1.72.1.i386.rpm      3b0621721b68c67f3d73681c9fbade09
mysql-server-3.23.58-1.72.1.i386.rpm     63280ad1d2b39d5865a209e2822cec5e

Red Hat Enterprise Linux WS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
mysql-3.23.58-1.72.1.src.rpm             1a6ad34678d35aa5c1bfba0ff7290c44
i386:
mysql-3.23.58-1.72.1.i386.rpm            a33c7efe12e0a4b0dade197a823a5e42
mysql-devel-3.23.58-1.72.1.i386.rpm      3b0621721b68c67f3d73681c9fbade09
mysql-server-3.23.58-1.72.1.i386.rpm     63280ad1d2b39d5865a209e2822cec5e

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
--------------------------------------------------------------------------------
SRPMS:
mysql-3.23.58-1.72.1.src.rpm             1a6ad34678d35aa5c1bfba0ff7290c44
ia64:
mysql-3.23.58-1.72.1.ia64.rpm            73b97bae08854a6bbd25a8ad0e057666
mysql-devel-3.23.58-1.72.1.ia64.rpm      709aff64529b31c9dc3ade3017509d44
mysql-server-3.23.58-1.72.1.ia64.rpm     311db47abcc5cc79b094804c5b3912f4

(The unlinked packages above are only available from the Red Hat Network)

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red
Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

http://www.redhat.com/docs/manuals/enterprise/

Bugs fixed: (see bugzilla for more information)

112693 - mysqlhotcopy of local Fedora DB broken after upgrade from RH9
113960 - [PATCH] Bug fix + enhancement for mysql_setpermission
115165 - botched string concat ?
124352 - Cannot drop databases
129409 - linking with 'mysql --libs' doesent seem to work correctly.
130348 - CAN-2004-0457 mysqlhotcopy insecure temporary file vulnerability
135372 - CAN-2004-0835 MySQL flaws (CAN-2004-0836, CAN-2004-0837,
         CAN-2004-0957)

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0381
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0957

--------------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

[***** End RHSA-2004:597-06 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-008: Microsoft Security Update for Microsoft Windows (840987)
P-009: Microsoft Excel Vulnerability Could Allow Remote Code Execution
P-010: Microsoft Compressed (Zipped) Folders Vulnerability
P-011: Microsoft Vulnerability in NetDDE Could Allow Remote Code Execution
       (841533)
P-012: Microsoft Vulnerability in NNTP Could Allow Remote Code Execution
       (883935)
P-013: Macromedia JRun Server Vulnerabilities
P-014: CUPS Information Leak
P-015: Libtiff Vulnerabilities
P-016: Sun FTP Daemon of Heimdal is Vulnerable to Race Conditions
P-017: Sun Security Vulnerability When Using LDAP in Conjunction with RBAC