Bug 71788 (CVE-2005-0711)

Summary: VUL-0: CVE-2005-0711: Please update MySQL 4.1.10 to 4.1.10a before releasing SUSE Linux 9.3
Product: [Novell Products] SUSE Security Incidents
Reporter: Lenz Grimmer <lgrimmer>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: aj, meissner, security-team
Version: unspecified
Keywords: security
Target Milestone: ---
Hardware: All
OS: All
URL: http://dev.mysql.com/doc/mysql/en/news-4-1-10.html
Whiteboard: CVE-2005-0711: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
Found By: Third Party Developer/Partner
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Lenz Grimmer 2005-03-09 11:52:12 UTC
Hi, shortly after 4.1.10 was released, we were informed of several security
vulnerabilities (insecure temp file name handling, issues on how User Defined
Functions are handled). We have created fixes for these and applied them on top
of 4.1.10, it will be released as 4.1.10a by tomorrow. The advisories for these
flaws should hit Bugtraq by the end of this day, we plan to update our Download
pages by tomorrow morning (the mirrors need some time for seeding). Please
update MySQL to 4.1.10a before finalizing 9.3, if possible. I have placed the
sources used for this release to the following location:

ftp://ftp.mysql.com/pub/mysql/download/mysql-4.1.10a.tar.gz
MD5 checksum: 6a4a6a5b3d0a42a9a271b2b8867bde82

The patches applied can be reviewed here:

http://mysql.bkbits.net:8080/mysql-4.1/cset@1.1346.810.1?nav=index.html|ChangeSet@-1d
http://mysql.bkbits.net:8080/mysql-4.1/cset@1.1346.810.2?nav=index.html|ChangeSet@-1d

If it's too late for doing it for the 9.3 release, please consider providing YOU
packages ASAP. Thanks!

BTW: 4.0 is affected by this one as well, so you may need to publish Updates for
distributions that used MySQL 4.0 (4.0.24 will include the fixes and is also
scheduled for publishing by tomorrow)
Comment 1 Andreas Jaeger 2005-03-10 05:39:29 UTC
Michal, please do the update.
Comment 2 Michal Čihař 2005-03-10 11:24:04 UTC
Updated.
Comment 3 Lenz Grimmer 2005-03-10 12:05:14 UTC
Thanks a lot! Keep up the good work.
Comment 4 Marcus Meissner 2005-03-14 14:37:34 UTC
please port the patch to the older mysqls ...  
 
(the create function one is needed, the tmprace one optional) 
Comment 5 Michal Čihař 2005-03-14 15:11:44 UTC
Just to make it clear:

By create function you refer to uninitialised create_flags?

By tmprace you mean creating tables with O_EXCL|O_NOFOLLOW?
Comment 6 Marcus Meissner 2005-03-14 15:15:18 UTC
the create function fixes ... most of those are in the first bitkeeper URL, 
all entries with:"--allow_suspicious_udfs" inside. 
 
The second bk url is just a bugfix for the first one I think. 
 
the latter (table creation) if it is easy to port. 
Comment 7 Ludwig Nussel 2005-03-17 09:53:28 UTC
"MySQL fails to properly validate input for authenticated users with 
INSERT and DELETE privileges (CAN-2005-0709 and CAN-2005-0710). 
Furthermore MySQL uses predictable filenames when creating temporary 
files with CREATE TEMPORARY TABLE (CAN-2005-0711)." 
Comment 8 Michal Čihař 2005-03-17 10:23:39 UTC
Ludwig: That is yet another issue?
Comment 9 Ludwig Nussel 2005-03-17 10:41:32 UTC
That's what Gentoo wrote in their advisory. The CAN descriptions sounded like
the issues discussed here to me. You can look up the CAN numbers at  
http://cve.mitre.org/, e.g.  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711  
Comment 10 Michal Čihař 2005-03-17 10:49:54 UTC
CAN issues look like this issue, but I have no idea where they found "INSERT
and DELETE privileges"...
Comment 11 Michal Čihař 2005-03-17 13:01:47 UTC
Packages submitted.
Comment 12 Andreas Jaeger 2005-03-18 08:53:07 UTC
Then let's close this.
Comment 13 Marcus Meissner 2005-03-18 09:06:52 UTC
please do not close security bugs before we finished the update process 
Comment 14 Ludwig Nussel 2005-03-18 13:17:43 UTC
swamp id 661 
Comment 15 Ludwig Nussel 2005-03-18 13:33:48 UTC
is only the "mysql" package affected or subpackages as well? 
Comment 16 Michal Čihař 2005-03-18 13:40:13 UTC
mysql-Max is affected as well.
Comment 17 Ludwig Nussel 2005-03-18 14:09:00 UTC
thanks, patchinfo submitted  
Comment 18 Marcus Meissner 2005-03-24 17:17:52 UTC
updates and advisory released 
Comment 19 Thomas Biege 2009-10-13 21:10:44 UTC
CVE-2005-0711: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
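
Added example, not part of the bug thread and not MySQL's patch: a minimal C demonstration of why the "tmprace" fix described in Comment 5 (creating files with O_EXCL|O_NOFOLLOW) matters for the predictable temporary file names mentioned in Comment 7. The function names, the `/tmp/tmprace-demo-*` directory and the file contents are constructed for illustration; the scenario runs entirely inside a private directory made with mkdtemp().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create that trusts the name: follows a symlink already at `path`
 * and truncates whatever it points to. */
static int create_trusting(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/* Create with the flags named in Comment 5: fails with EEXIST if anything,
 * a symlink included, already occupies `path`. */
static int create_exclusive(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private mkdtemp() directory: "victim" holds
 * 9 bytes and "tmptable" is a symlink to it. Runs one create on "tmptable",
 * stores the open() errno (0 on success) and returns victim's size after. */
static long victim_size_after(int hardened, int *open_errno) {
    char dir[] = "/tmp/tmprace-demo-XXXXXX";
    char victim[64], tmptable[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmptable, sizeof tmptable, "%s/tmptable", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "important", 9) != 9) return -1;
    close(v);
    if (symlink(victim, tmptable) != 0) return -1;
    int fd = hardened ? create_exclusive(tmptable) : create_trusting(tmptable);
    *open_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmptable); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int e1, e2;
    long s1 = victim_size_after(0, &e1), s2 = victim_size_after(1, &e2);
    printf("trusting:  victim=%ld bytes, open: %s\n", s1, e1 ? strerror(e1) : "ok");
    printf("exclusive: victim=%ld bytes, open: %s\n", s2, e2 ? strerror(e2) : "ok");
    return 0;
}
```

The trusting create succeeds and leaves the pre-existing file empty, while the exclusive create is refused and the file keeps its contents, which matches the integrity-only impact (I:P) in the CVSS vector on the whiteboard.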