thr3ads.net - Secure testing team - [Secure-testing-team] Bug#480292: CVE-2008-2079: mysql allows local users to bypass certain privilege checks [May 2008]

If this information is useful, please help other people find it:
Share via:

Steffen Joeris

2008-May-09 11:02 UTC

[Secure-testing-team] Bug#480292: CVE-2008-2079: mysql allows local users to bypass certain privilege checks

Package: mysql-server-5.0
Severity: grave
Tags: security
Justification: user security hole

Hi

The following CVE(0) has been issued against mysql.

CVE-2008-2079:

MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and
6.0.x before 6.0.5 allows local users to bypass certain privilege checks
by calling CREATE TABLE on a MyISAM table with modified (1) DATA
DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL
home data directory, which can point to tables that are created in the
future.

Please mention the CVE id in your changelog, if you fix the issue by an
upload.

The mysql bugreport can be found here(1).


Cheers
Steffen

(0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079

(1): http://bugs.mysql.com/bug.php?id=32167

Secure testing team - May 2008 - Bug#480292: CVE-2008-2079: mysql allows local users to bypass certain privilege checks

[Secure-testing-team] Bug#480292: CVE-2008-2079: mysql allows local users to bypass certain privilege checks