
[OpenPKG-SA-2005.006] OpenPKG Security Advisory (mysql)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@xxxxxxxxxxx                         openpkg@xxxxxxxxxxx
OpenPKG-SA-2005.006                                          20-Apr-2005
________________________________________________________________________

Package:             mysql
Vulnerability:       arbitrary code execution, insecure file creation
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= mysql-4.1.10-20050216  >= mysql-4.1.10a-20050311
OpenPKG 2.2          <= mysql-4.0.21-2.2.1     >= mysql-4.0.21-2.2.2

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache::with_mod_php_mysql apache::with_mod_auth_mysql
                     bind::with_dlz_mysql exim::with_mysql
                     flowtools::with_mysql jabberd::with_mysql
                     libdbi::with_mysql libgda::with_mysql
                     lighttpd::with_mysql myodbc mysqlcc
                     perl-dbi::with_dbd_mysql php::with_mysql
                     php3::with_mysql php5::with_mysql postfix::with_mysql
                     powerdns::with_mysql proftpd::with_mysql
                     pureftpd::with_mysql ripe-dbase qt::with_mysql
                     rekall::with_mysql sasl::with_mysql
                     sendmail::with_mysql snort::with_mysql
                     tacacs::with_mysql
OpenPKG 2.2          apache::with_mod_php_mysql apache::with_mod_auth_mysql
                     bind::with_dlz_mysql exim::with_mysql
                     jabberd::with_mysql perl-dbi::with_dbd_mysql
                     php::with_mysql postfix::with_mysql proftpd::with_mysql
                     pureftpd::with_mysql qt::with_mysql sasl::with_mysql
                     sendmail::with_mysql snort::with_mysql

Description:
  Several vulnerabilities including insecure handling of temporary files
  and arbitrary code execution have been discovered in the MySQL RDBMS [0].

  Javier Fernandez-Sanguino Pena found that users may overwrite
  arbitrary files or read temporary files via a symlink attack on
  insecurely created temporary files. The Common Vulnerabilities and
  Exposures (CVE) project assigned the identifier CAN-2005-0004 [1] to
  this problem.

  Stefano Di Paola found that users may load forbidden dynamic library
  symbols with dlsym(3) to exploit a problem in the user-definable
  function (UDF) logic and thereby remotely execute arbitrary code.
  The Common Vulnerabilities and Exposures (CVE) project assigned the
  identifier CAN-2005-0709 [2] to this problem.

  Stefano Di Paola also determined that incomplete testing of dynamic
  library pathnames could lead to insecure loading of UDFs from dynamic
  libraries in arbitrary locations, allowing users to remotely execute
  arbitrary code. The Common Vulnerabilities and Exposures (CVE) project
  assigned the identifier CAN-2005-0710 [3] to this problem.

  Stefano Di Paola also discovered that creation of temporary tables
  uses predictable file names, allowing users to overwrite arbitrary
  files via a symlink attack. The Common Vulnerabilities and Exposures
  (CVE) project assigned the identifier CAN-2005-0711 [4] to this
  problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q mysql". If you have the "mysql" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) and its dependent packages (see above). [5][6]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7], fetch it from the OpenPKG FTP service [8] or a mirror location,
  verify its integrity [9], build a corresponding binary RPM from it
  [5] and update your OpenPKG installation by applying the binary RPM
  [6]. For the previous release, OpenPKG 2.2, perform the following
  operations to permanently fix the security problem.

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get mysql-4.0.21-2.2.2.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig mysql-4.0.21-2.2.2.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild mysql-4.0.21-2.2.2.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/mysql-4.0.21-2.2.2.*.rpm

  Additionally, we recommend rebuilding and reinstalling all dependent
  packages (see above) as well [5][6].
________________________________________________________________________

References:
  [0] http://www.mysql.com/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0004
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0709
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0710
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711
  [5] http://www.openpkg.org/tutorial.html#regular-source
  [6] http://www.openpkg.org/tutorial.html#regular-binary
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/mysql-4.0.21-2.2.2.src.rpm
  [8] ftp://ftp.openpkg.org/release/2.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iD8DBQFCZnNZgHWT4GPEy58RAidHAKC3q/jVpH+nwRR+vywKBkPrWF1kVACgtabH
6K1qurV1hlsBureBo3auVIo=
=F5zz
-----END PGP SIGNATURE-----
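
The symlink problems the advisory lists as CAN-2005-0004 and CAN-2005-0711 arise when a temporary file is created at a guessable name without an exclusive create. The C code below is an added example, not part of the advisory and not MySQL or OpenPKG code; the function names, the use of /tmp and the file name table_1234.tmp are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed name: O_CREAT|O_EXCL makes open() fail with EEXIST if anything,
 * including a symlink, already exists at path; the link is never followed. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name under dir and creates the
 * file atomically with mode 0600. The chosen path is left in out. */
int create_private_temp(const char *dir, char *out, size_t n)
{
    if (snprintf(out, n, "%s/tmp.XXXXXX", dir) >= (int)n) return -1;
    return mkstemp(out);
}

/* Constructed scenario: a symlink to a "victim" file already sits at the
 * guessable name. Returns errno of the hardened open, -1 on any failure. */
int demo_preexisting_symlink(void)
{
    char dir[] = "/tmp/sa-demo.XXXXXX", victim[64], lnk[64];
    struct stat st;
    int fd, result = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/table_1234.tmp", dir); /* guessable name */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write(fd, "keep", 4) == 4 && symlink(victim, lnk) == 0) {
        int fd2 = create_exclusive(lnk);
        result = (fd2 < 0) ? errno : 0;   /* 0 would mean it wrongly opened */
        if (fd2 >= 0) close(fd2);
        if (stat(victim, &st) != 0 || st.st_size != 4) result = -1;
    }
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    return demo_preexisting_symlink() == EEXIST ? 0 : 1;
}
```

The program exits with status 0 when the exclusive create refuses the pre-existing link and the victim file is left unchanged.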