| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 2 Dec 2012 20:25:22 +0100
From: Sergei Golubchik <serg@...monty.org>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>,
king cope <isowarez.isowarez.isowarez@...glemail.com>,
full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
todd@...ketstormsecurity.org, submit@...sec.com,
Mitre CVE assign department <cve-assign@...re.org>,
Steven Christey <coley@...re.org>, security@...iadb.org, security@...ql.com,
Ritwik Ghoshal <ritwik.ghoshal@...cle.com>, moderators@...db.org
Subject: Re: [oss-security] Re: [Full-disclosure] MySQL (Linux) Stack based
buffer overrun PoC Zeroday
Hi, Huzaifa!
Here's the vendor's reply:
On Dec 02, Huzaifa Sidhpurwala wrote:
>
> * CVE-2012-5611 MySQL (Linux) Stack based buffer overrun PoC Zeroday
> http://seclists.org/fulldisclosure/2012/Dec/4
> https://bugzilla.redhat.com/show_bug.cgi?id=882599
A duplicate of CVE-2012-5579
Already fixed in all stable MariaDB version.
> * CVE-2012-5612 MySQL (Linux) Heap Based Overrun PoC Zeroday
> http://seclists.org/fulldisclosure/2012/Dec/5
> https://bugzilla.redhat.com/show_bug.cgi?id=882600
Acknowledged.
https://mariadb.atlassian.net/browse/MDEV-3908
> * CVE-2012-5613 MySQL (Linux) Database Privilege Elevation Zeroday
> Exploit
> http://seclists.org/fulldisclosure/2012/Dec/6
> https://bugzilla.redhat.com/show_bug.cgi?id=882606
Not a bug. MySQL manual specifies many times very explicitly:
===
* Do not grant the `FILE' privilege to nonadministrative users. Any
user that has this privilege can write a file anywhere in the file
system with the privileges of the *Note `mysqld': mysqld. daemon.
To make this a bit safer, files generated with *Note `SELECT ...
INTO OUTFILE': select. do not overwrite existing files and are
writable by everyone.
The `FILE' privilege may also be used to read any file that is
world-readable or accessible to the Unix user that the server runs
as. With this privilege, you can read any file into a database
table. This could be abused, for example, by using *Note `LOAD
DATA': load-data. to load `/etc/passwd' into a table, which then
can be displayed with *Note `SELECT': select.
===
You should exercise particular caution in granting the `FILE'
and administrative privileges:
* The `FILE' privilege can be abused to read into a database table
any files that the MySQL server can read on the server host. This
includes all world-readable files and files in the server's data
directory. The table can then be accessed using *Note `SELECT':
select. to transfer its contents to the client host.
===
Additionally, MySQL (and MariaDB) provides a --secure-file-priv
option that allows to restrict all FILE operations to a specific
directory.
Thus, CVE-2012-5613 is not a bug, but a result of a misconfiguration,
much like an anonymous ftp upload access to the $HOME of the ftp user.
> * CVE-2012-5614 MySQL Denial of Service Zeroday PoC
> http://seclists.org/fulldisclosure/2012/Dec/7
> https://bugzilla.redhat.com/show_bug.cgi?id=882607
Acknowledged.
https://mariadb.atlassian.net/browse/MDEV-3910
> * CVE-2012-5615 MySQL Remote Preauth User Enumeration Zeroday
> http://seclists.org/fulldisclosure/2012/Dec/9
> https://bugzilla.redhat.com/show_bug.cgi?id=882608
This is hardly a "zeroday" issue, it was known for, like, ten years.
But I'll see what we can do here.
https://mariadb.atlassian.net/browse/MDEV-3909
Regards,
Sergei
MariaDB Security Coordinator
Powered by blists - more mailing lists