[OpenPKG-SA-2005.006] OpenPKG Security Advisory (mysql)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@xxxxxxxxxxx                         openpkg@xxxxxxxxxxx
OpenPKG-SA-2005.006                                          20-Apr-2005
________________________________________________________________________

Package:             mysql
Vulnerability:       arbitrary code execution, insecure file creation
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= mysql-4.1.10-20050216    >= mysql-4.1.10a-20050311
OpenPKG 2.2          <= mysql-4.0.21-2.2.1       >= mysql-4.0.21-2.2.2

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache::with_mod_php_mysql apache::with_mod_auth_mysql
                     bind::with_dlz_mysql exim::with_mysql
                     flowtools::with_mysql jabberd::with_mysql
                     libdbi::with_mysql libgda::with_mysql
                     lighttpd::with_mysql myodbc mysqlcc
                     perl-dbi::with_dbd_mysql php::with_mysql
                     php3::with_mysql php5::with_mysql postfix::with_mysql
                     powerdns::with_mysql proftpd::with_mysql
                     pureftpd::with_mysql ripe-dbase qt::with_mysql
                     rekall::with_mysql sasl::with_mysql
                     sendmail::with_mysql snort::with_mysql
                     tacacs::with_mysql

OpenPKG 2.2          apache::with_mod_php_mysql apache::with_mod_auth_mysql
                     bind::with_dlz_mysql exim::with_mysql
                     jabberd::with_mysql perl-dbi::with_dbd_mysql
                     php::with_mysql postfix::with_mysql proftpd::with_mysql
                     pureftpd::with_mysql qt::with_mysql sasl::with_mysql
                     sendmail::with_mysql snort::with_mysql

Description:
  Several vulnerabilities, including insecure handling of temporary
  files and arbitrary code execution, have been discovered in the MySQL
  RDBMS [0].

  Javier Fernandez-Sanguino Pena found that users may overwrite
  arbitrary files or read temporary files via a symlink attack on
  insecurely created temporary files. The Common Vulnerabilities and
  Exposures (CVE) project assigned the identifier CAN-2005-0004 [1] to
  this problem.

  Stefano Di Paola found that users may load forbidden dynamic library
  symbols with dlsym(3) to exploit a problem in the logic for
  user-definable functions (UDFs) and thereby remotely execute arbitrary
  code. The Common Vulnerabilities and Exposures (CVE) project assigned
  the identifier CAN-2005-0709 [2] to this problem.

  Stefano Di Paola also determined that incomplete testing of dynamic
  library pathnames could lead to insecure loading of UDFs from dynamic
  libraries in arbitrary locations, allowing users to remotely execute
  arbitrary code. The Common Vulnerabilities and Exposures (CVE) project
  assigned the identifier CAN-2005-0710 [3] to this problem.

  Stefano Di Paola also discovered that creation of temporary tables
  uses predictable file names, allowing users to overwrite arbitrary
  files via a symlink attack. The Common Vulnerabilities and Exposures
  (CVE) project assigned the identifier CAN-2005-0711 [4] to this
  problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q mysql". If you have the "mysql" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) and its dependent packages (see above). [5][6]
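
The two temporary-file problems described above (CAN-2005-0004 and CAN-2005-0711) share one root cause: a guessable path opened without exclusive creation. The C program below is an added illustration, not MySQL or OpenPKG code; the directory template, file names and function names are constructed for the example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Weak: fixed name, no O_EXCL. open() follows a symlink that already
 * sits at the path and truncates whatever it points to. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything exists at the
 * path, a symlink included, so a pre-planted link is never followed. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private mkdtemp() directory: "app.tmp" is
 * already a symlink to "victim" when the program opens it.
 * Returns 1 if victim's content survives, 0 if clobbered, -1 on setup error. */
static int victim_survives(int (*opener)(const char *)) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", victim[64], tmp[64], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/app.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important", f);
    fclose(f);
    if (symlink(victim, tmp) != 0) return -1;

    int fd = opener(tmp);               /* the program's "temporary file" */
    if (fd >= 0) {
        if (write(fd, "scratch", 7) != 7) perror("write");
        close(fd);
    }
    f = fopen(victim, "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    unlink(tmp); unlink(victim); rmdir(dir);
    return strcmp(buf, "important") == 0;
}

int main(void) {
    printf("no O_EXCL: victim intact = %d\nO_EXCL:    victim intact = %d\n",
           victim_survives(open_predictable), victim_survives(open_exclusive));
    return 0;
}
```

In new code, mkstemp(3) is the usual choice, since it generates the name and opens the file with O_EXCL in one call.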

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7], fetch it from the OpenPKG FTP service [8] or a mirror location,
  verify its integrity [9], build a corresponding binary RPM from it
  [5] and update your OpenPKG installation by applying the binary RPM
  [6]. For the most previous release OpenPKG 2.2, perform the following
  operations to permanently fix the security problem.

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get mysql-4.0.21-2.2.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig mysql-4.0.21-2.2.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild mysql-4.0.21-2.2.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/mysql-4.0.21-2.2.2.*.rpm

  Additionally, we recommend rebuilding and reinstalling all dependent
  packages (see above) as well [5][6].
________________________________________________________________________
References:
[0] http://www.mysql.com/
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0004
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0709
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0710
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711
[5] http://www.openpkg.org/tutorial.html#regular-source
[6] http://www.openpkg.org/tutorial.html#regular-binary
[7] ftp://ftp.openpkg.org/release/2.2/UPD/mysql-4.0.21-2.2.2.src.rpm
[8] ftp://ftp.openpkg.org/release/2.2/UPD/
[9] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>
iD8DBQFCZnNZgHWT4GPEy58RAidHAKC3q/jVpH+nwRR+vywKBkPrWF1kVACgtabH
6K1qurV1hlsBureBo3auVIo=
=F5zz
-----END PGP SIGNATURE-----