From openpkg@openpkg.org Wed Apr 20 15:19:59 2005
From: OpenPKG
To: bugtraq@securityfocus.com
Date: Wed, 20 Apr 2005 17:21:22 +0200
Subject: [OpenPKG-SA-2005.006] OpenPKG Security Advisory (mysql)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2005.006                                          20-Apr-2005
________________________________________________________________________

Package:             mysql
Vulnerability:       arbitrary code execution, insecure file creation
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= mysql-4.1.10-20050216    >= mysql-4.1.10a-20050311
OpenPKG 2.2          <= mysql-4.0.21-2.2.1       >= mysql-4.0.21-2.2.2

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache::with_mod_php_mysql apache::with_mod_auth_mysql
                     bind::with_dlz_mysql exim::with_mysql
                     flowtools::with_mysql jabberd::with_mysql
                     libdbi::with_mysql libgda::with_mysql
                     lighttpd::with_mysql myodbc mysqlcc
                     perl-dbi::with_dbd_mysql php::with_mysql
                     php3::with_mysql php5::with_mysql
                     postfix::with_mysql powerdns::with_mysql
                     proftpd::with_mysql pureftpd::with_mysql
                     ripe-dbase qt::with_mysql rekall::with_mysql
                     sasl::with_mysql sendmail::with_mysql
                     snort::with_mysql tacacs::with_mysql

OpenPKG 2.2          apache::with_mod_php_mysql apache::with_mod_auth_mysql
                     bind::with_dlz_mysql exim::with_mysql
                     jabberd::with_mysql perl-dbi::with_dbd_mysql
                     php::with_mysql postfix::with_mysql
                     proftpd::with_mysql pureftpd::with_mysql
                     qt::with_mysql sasl::with_mysql
                     sendmail::with_mysql snort::with_mysql

Description:
  Several vulnerabilities including insecure handling of temporary
  files and arbitrary code execution have been discovered in the MySQL
  RDBMS [0].

  Javier Fernandez-Sanguino Pena found that users may overwrite
  arbitrary files or read temporary files via a symlink attack on
  insecurely created temporary files. The Common Vulnerabilities and
  Exposures (CVE) project assigned the identifier CAN-2005-0004 [1] to
  this problem.

  Stefano Di Paola found that users may load forbidden dynamic library
  symbols with dlsym(3) to exploit a problem with user definable
  functions (UDFs) logic and thereby remotely execute arbitrary code.
  The Common Vulnerabilities and Exposures (CVE) project assigned the
  identifier CAN-2005-0709 [2] to this problem.

  Stefano Di Paola also determined that incomplete testing of dynamic
  library pathnames could lead to insecure loading of UDFs from dynamic
  libraries in arbitrary locations, allowing users to remotely execute
  arbitrary code. The Common Vulnerabilities and Exposures (CVE)
  project assigned the identifier CAN-2005-0710 [3] to this problem.

  Stefano Di Paola also discovered that creation of temporary tables
  uses predictable file names, allowing users to overwrite arbitrary
  files via a symlink attack. The Common Vulnerabilities and Exposures
  (CVE) project assigned the identifier CAN-2005-0711 [4] to this
  problem.

  Please check whether you are affected by running "/bin/openpkg rpm -q
  mysql". If you have the "mysql" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above). [5][6]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7], fetch it from the OpenPKG FTP service [8] or a mirror location,
  verify its integrity [9], build a corresponding binary RPM from it
  [5] and update your OpenPKG installation by applying the binary RPM
  [6]. For the most previous release OpenPKG 2.2, perform the following
  operations to permanently fix the security problem.

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get mysql-4.0.21-2.2.2.src.rpm
  ftp> bye
  $ /bin/openpkg rpm -v --checksig mysql-4.0.21-2.2.2.src.rpm
  $ /bin/openpkg rpm --rebuild mysql-4.0.21-2.2.2.src.rpm
  $ su -
  # /bin/openpkg rpm -Fvh /RPM/PKG/mysql-4.0.21-2.2.2.*.rpm

  Additionally, we recommend rebuilding and reinstalling all dependent
  packages (see above) as well [5][6].
________________________________________________________________________

References:
  [0] http://www.mysql.com/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0004
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0709
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0710
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711
  [5] http://www.openpkg.org/tutorial.html#regular-source
  [6] http://www.openpkg.org/tutorial.html#regular-binary
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/mysql-4.0.21-2.2.2.src.rpm
  [8] ftp://ftp.openpkg.org/release/2.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG " (ID 63C4CB9F) of the OpenPKG project
which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on
http://pgp.openpkg.org/ for details on how to verify the integrity of
this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG

iD8DBQFCZnNZgHWT4GPEy58RAidHAKC3q/jVpH+nwRR+vywKBkPrWF1kVACgtabH
6K1qurV1hlsBureBo3auVIo=
=F5zz
-----END PGP SIGNATURE-----
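
Added example (not part of the OpenPKG advisory or its tooling): a shell function that classifies the package string printed by "/bin/openpkg rpm -q mysql" against the affected and corrected bounds in the table above. It assumes the name-version-release layout shown in the advisory, with CURRENT releases being build dates (YYYYMMDD) and 2.2 releases of the form 2.2.N; the function name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Classify an OpenPKG "mysql" package string against OpenPKG-SA-2005.006.
# Prints one of: affected, corrected, unknown.
# Assumption: input looks like "mysql-<version>-<release>".

classify_mysql_pkg() {
    pkg=$1
    case $pkg in
        mysql-*-*) ;;                      # only the mysql package itself
        *) echo unknown; return 0 ;;
    esac
    release=${pkg##*-}                     # text after the last "-"
    rest=${pkg%-*}                         # "mysql-<version>"
    version=${rest#mysql-}

    case $release in
        2.2.*)
            # OpenPKG 2.2: affected <= mysql-4.0.21-2.2.1,
            #              corrected >= mysql-4.0.21-2.2.2
            n=${release#2.2.}
            case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
            [ "$version" = "4.0.21" ] || { echo unknown; return 0; }
            if [ "$n" -ge 2 ]; then echo corrected; else echo affected; fi
            ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            # OpenPKG CURRENT: affected <= ...-20050216,
            #                  corrected >= ...-20050311
            if [ "$release" -le 20050216 ]; then
                echo affected
            elif [ "$release" -ge 20050311 ]; then
                echo corrected
            else
                echo unknown               # built between the listed dates
            fi
            ;;
        *) echo unknown ;;                 # release scheme not in advisory
    esac
}

# Constructed sample inputs (not captured query output).
for p in mysql-4.0.21-2.2.1 mysql-4.0.21-2.2.2 \
         mysql-4.1.10-20050216 mysql-4.1.10a-20050311; do
    printf '%s: %s\n' "$p" "$(classify_mysql_pkg "$p")"
done
```

An "unknown" result means the string falls outside the two release lines the advisory lists and needs a manual check; the dependent packages listed above still have to be rebuilt separately.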