RHSA-2007:1157

Executive Summary

Summary
Title	mysql security update

Informations
Name	RHSA-2007:1157	First vendor Publication	2007-12-19
Vendor	RedHat	Last vendor Modification	2007-12-19
Severity (Vendor)	Important	Revision	01

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:S/C:C/I:C/A:C)
Cvss Base Score	7.1	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	High
Cvss Expoit Score	3.9	Authentification	Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated mysql packages that fix several security issues are now available
for Red Hat Application Stack v1 and v2.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64
Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64
Red Hat Application Stack v2 for Enterprise Linux (v.5) - i386, x86_64

3. Problem description:

MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld), and
many different client programs and libraries.

A flaw was found in a way MySQL handled symbolic links when database tables
were created with explicit "DATA" and "INDEX DIRECTORY" options. An
authenticated user could create a table that would overwrite tables in
other databases, causing destruction of data or allowing the user to
elevate privileges. (CVE-2007-5969)

A flaw was found in a way MySQL's InnoDB engine handled spatial indexes. An
authenticated user could create a table with spatial indexes, which are not
supported by the InnoDB engine, that would cause the mysql daemon to crash
when used. This issue only causes a temporary denial of service, as the
mysql daemon will be automatically restarted after the crash.
(CVE-2007-5925)

A flaw was found in a way MySQL handled the "DEFINER" view parameter. A
user with the "ALTER VIEW" privilege for a view created by another database
user, could modify that view to get access to any data accessible to the
creator of said view. (CVE-2007-6303)

All mysql users are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

377451 - CVE-2007-5925 mysql DoS in the InnoDB Engine
397071 - CVE-2007-5969 mysql: possible system table information overwrite using symlinks
420231 - CVE-2007-6303 mysql: DEFINER value of view not altered on ALTER VIEW

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2007-1157.html

CWE : Common Weakness Enumeration

id	Name
CWE-264	Permissions, Privileges, and Access Controls
CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11390

Oval ID:	oval:org.mitre.oval:def:11390
Title:	The convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to cause a denial of service (database crash) via a certain CONTAINS operation on an indexed column, which triggers an assertion error.
Description:	The convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to cause a denial of service (database crash) via a certain CONTAINS operation on an indexed column, which triggers an assertion error.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2007-5925	Version:	5
Platform(s):	Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section mysql is earlier than 0:4.1.20-3.RHEL4.1.el4_6.1 AND mysql-devel is earlier than 0:4.1.20-3.RHEL4.1.el4_6.1 AND mysql-bench is earlier than 0:4.1.20-3.RHEL4.1.el4_6.1 AND mysql-server is earlier than 0:4.1.20-3.RHEL4.1.el4_6.1 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section mysql is earlier than 0:5.0.22-2.2.el5_1.1 AND mysql-devel is earlier than 0:5.0.22-2.2.el5_1.1 AND mysql-test is earlier than 0:5.0.22-2.2.el5_1.1 AND mysql-bench is earlier than 0:5.0.22-2.2.el5_1.1 AND mysql-server is earlier than 0:5.0.22-2.2.el5_1.1

Definition Id: oval:org.mitre.oval:def:10509

Oval ID:	oval:org.mitre.oval:def:10509
Title:	MySQL Community Server 5.0.x before 5.0.51, Enterprise Server 5.0.x before 5.0.52, Server 5.1.x before 5.1.23, and Server 6.0.x before 6.0.4, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file.
Description:	MySQL Community Server 5.0.x before 5.0.51, Enterprise Server 5.0.x before 5.0.52, Server 5.1.x before 5.1.23, and Server 6.0.x before 6.0.4, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2007-5969	Version:	5
Platform(s):	Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section mysql is earlier than 0:4.1.20-3.RHEL4.1.el4_6.1 AND mysql-devel is earlier than 0:4.1.20-3.RHEL4.1.el4_6.1 AND mysql-bench is earlier than 0:4.1.20-3.RHEL4.1.el4_6.1 AND mysql-server is earlier than 0:4.1.20-3.RHEL4.1.el4_6.1 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section mysql is earlier than 0:5.0.22-2.2.el5_1.1 AND mysql-devel is earlier than 0:5.0.22-2.2.el5_1.1 AND mysql-test is earlier than 0:5.0.22-2.2.el5_1.1 AND mysql-bench is earlier than 0:5.0.22-2.2.el5_1.1 AND mysql-server is earlier than 0:5.0.22-2.2.el5_1.1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Mysql Community Server cpe:/a:mysql:community_server:5.0.50 cpe:/a:mysql:community_server:5.0.45 cpe:/a:mysql:community_server:5.0.44 cpe:/a:mysql:community_server:5.0.41	4
Application	Mysql Mysql cpe:/a:mysql:mysql:6.0.3 cpe:/a:mysql:mysql:6.0.2 cpe:/a:mysql:mysql:6.0.1 cpe:/a:mysql:mysql:6.0.0 cpe:/a:mysql:mysql:5.1.23_bk cpe:/a:mysql:mysql:5.1.2 cpe:/a:mysql:mysql:5.1.17 cpe:/a:mysql:mysql:5.1.16 cpe:/a:mysql:mysql:5.1.15 cpe:/a:mysql:mysql:5.1.14 cpe:/a:mysql:mysql:5.1.13 cpe:/a:mysql:mysql:5.1.12 cpe:/a:mysql:mysql:5.1.11 cpe:/a:mysql:mysql:5.1.10 cpe:/a:mysql:mysql:5.1.1 cpe:/a:mysql:mysql:5.0.9 cpe:/a:mysql:mysql:5.0.8 cpe:/a:mysql:mysql:5.0.7 cpe:/a:mysql:mysql:5.0.6 cpe:/a:mysql:mysql:5.0.5.0.21 cpe:/a:mysql:mysql:5.0.5 cpe:/a:mysql:mysql:5.0.4a cpe:/a:mysql:mysql:5.0.41 cpe:/a:mysql:mysql:5.0.4 cpe:/a:mysql:mysql:5.0.3a cpe:/a:mysql:mysql:5.0.37 cpe:/a:mysql:mysql:5.0.33 cpe:/a:mysql:mysql:5.0.3:beta cpe:/a:mysql:mysql:5.0.3 cpe:/a:mysql:mysql:5.0.27 cpe:/a:mysql:mysql:5.0.24 cpe:/a:mysql:mysql:5.0.22.1.0.1 cpe:/a:mysql:mysql:5.0.22 cpe:/a:mysql:mysql:5.0.21 cpe:/a:mysql:mysql:5.0.20a cpe:/a:mysql:mysql:5.0.20 cpe:/a:mysql:mysql:5.0.2 cpe:/a:mysql:mysql:5.0.1a cpe:/a:mysql:mysql:5.0.19 cpe:/a:mysql:mysql:5.0.18 cpe:/a:mysql:mysql:5.0.17a cpe:/a:mysql:mysql:5.0.17 cpe:/a:mysql:mysql:5.0.16a cpe:/a:mysql:mysql:5.0.16 cpe:/a:mysql:mysql:5.0.15a cpe:/a:mysql:mysql:5.0.15 cpe:/a:mysql:mysql:5.0.14 cpe:/a:mysql:mysql:5.0.13 cpe:/a:mysql:mysql:5.0.12 cpe:/a:mysql:mysql:5.0.11 cpe:/a:mysql:mysql:5.0.10a cpe:/a:mysql:mysql:5.0.10 cpe:/a:mysql:mysql:5.0.1 cpe:/a:mysql:mysql:5.0.0.0 cpe:/a:mysql:mysql:5.0.0:alpha cpe:/a:mysql:mysql:5.0.0 cpe:/a:mysql:mysql:5.0	57
Application	Mysql Mysql Enterprise Server cpe:/a:mysql:mysql_enterprise_server:5.0.50	1
Application	Mysql Mysql Server cpe:/a:mysql:mysql_server:6.0.3 cpe:/a:mysql:mysql_server:6.0.2 cpe:/a:mysql:mysql_server:6.0.1 cpe:/a:mysql:mysql_server:6.0 cpe:/a:mysql:mysql_server:5.1.22	5

Open Source Vulnerability Database (OSVDB)

id	Description
51171	MySQL InnoDB convert_search_mode_to_innobase Function DoS
42610	MySQL DEFINER View Value Crafted Statements Remote Privilege Escalation
42608	MySQL RENAME TABLE Symlink System Table Overwrite