Subject: pkg/29188: mysql{3,4,}-client in pkgsrc-2004Q4 vulnerable
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <alec@thened.net>
List: pkgsrc-bugs
Date: 02/01/2005 19:37:00
>Number:         29188
>Category:       pkg
>Synopsis:       The mysqlaccess script allows local users to overwrite arbitrary files or read temporary files via a symlink attack on temporary files.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 01 19:37:00 +0000 2005
>Originator:     Alec Berryman
>Release:        NetBSD 2.0
>Environment:
System: NetBSD splinter.bowdoin.edu 2.0 NetBSD 2.0 (GENERIC) #0: Wed Dec 1 10:58:25 UTC 2004 builds@build:/big/builds/ab/netbsd-2-0-RELEASE/i386/200411300000Z-obj/big/builds/ab/netbsd-2-0-RELEASE/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0004:

        "The mysqlaccess script in MySQL 4.0.23 and earlier, 4.1.x
        before 4.1.10, 5.0.x before 5.0.3, and other versions
        including 3.x, allows local users to overwrite arbitrary files
        or read temporary files via a symlink attack on temporary
        files."

>Fix:

        Patch taken from http://lists.mysql.com/internals/20600; it
        applies cleanly to mysql-client, mysql4-client, and mysql3-client.

$NetBSD$

--- mysqlaccess.sh.orig	2004-10-23 02:28:44.000000000 -0500
+++ mysqlaccess.sh
@@ -2,7 +2,7 @@
 # ****************************
 package MySQLaccess;
 #use strict;
-use POSIX qw(tmpnam);
+use File::Temp qw(tempfile tmpnam);
 use Fcntl;
 
 BEGIN {
@@ -32,7 +32,6 @@ BEGIN {
 	$ACCESS_U_BCK = 'user_backup';   
 	$ACCESS_D_BCK = 'db_backup';     
         $DIFF      = '/usr/bin/diff'; 
-        $TMP_PATH  = '/tmp';             #path to writable tmp-directory
         $MYSQLDUMP = '@bindir@/mysqldump';
                                          #path to mysqldump executable
 
@@ -431,7 +430,7 @@ use IPC::Open3;
 # no caching on STDOUT
 	$|=1;
 
-	$MYSQL_CNF = POSIX::tmpnam();
+	$MYSQL_CNF = tmpnam();
 	%MYSQL_CNF = (client    => { },
                       mysql     => { },
                       mysqldump => { },
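Review bot: `$MYSQL_CNF = tmpnam();` still only picks a name. In scalar context File::Temp's `tmpnam` returns a path that did not exist when it was called and creates nothing, so the gap between choosing the name and opening the file, which is what this report is about, remains for the config file. Take the handle together with the name, `($MYSQL_CNF_FH, $MYSQL_CNF) = tempfile();`, and write the config through that handle instead of re-opening `$MYSQL_CNF` by name. The code that later opens the file is outside this hunk and would need the matching change; `$MYSQL_CNF_FH` is an illustrative name, not one from the script.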
@@ -576,8 +575,6 @@ if (!defined($Param{'host'}))      { $Pa
 push(@MySQLaccess::Grant::Error,'not_found_mysql')     if !(-x $MYSQL);
 push(@MySQLaccess::Grant::Error,'not_found_diff')      if !(-x $DIFF);
 push(@MySQLaccess::Grant::Error,'not_found_mysqldump') if !(-x $MYSQLDUMP);
-push(@MySQLaccess::Grant::Error,'not_found_tmp')       if !(-d $TMP_PATH);
-push(@MySQLaccess::Grant::Error,'write_err_tmp')       if !(-w $TMP_PATH);
 if (@MySQLaccess::Grant::Error) {
    MySQLaccess::Report::Print_Error_Messages() ;
    exit 0;
@@ -1776,17 +1773,15 @@ sub Diff_Privileges {
    @before = sort(@before);
    @after  = sort(@after);
 
-   $before = "$MySQLaccess::TMP_PATH/$MySQLaccess::script.before.$$";
-   $after  = "$MySQLaccess::TMP_PATH/$MySQLaccess::script.after.$$";
-   #$after = "/tmp/t0";
-   open(BEFORE,"> $before") ||
-    push(@MySQLaccess::Report::Errors,"Can't open temporary file $before for writing");
-   open(AFTER,"> $after") ||
-    push(@MySQLaccess::Report::Errors,"Can't open temporary file $after for writing");
-   print BEFORE join("\n",@before);
-   print AFTER  join("\n",@after);
-   close(BEFORE);
-   close(AFTER);
+   ($hb, $before) = tempfile("$MySQLaccess::script.XXXXXX") or
+    push(@MySQLaccess::Report::Errors,"Can't create temporary file: $!");
+   ($ha, $after)  = tempfile("$MySQLaccess::script.XXXXXX") or
+    push(@MySQLaccess::Report::Errors,"Can't create temporary file: $!");
+
+   print $hb join("\n",@before);
+   print $ha join("\n",@after);
+   close $hb;
+   close $ha;
 
    # ----------------------------------
    # compute difference
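Review bot: The `or push(...)` fallbacks on the two `tempfile(...)` calls can never run, because File::Temp's `tempfile` croaks on failure instead of returning an empty list, so a creation failure now ends the script rather than being queued in `@MySQLaccess::Report::Errors`. A template with no `DIR` or `TMPDIR` option is also created in the current working directory, not the system temporary directory, which fails when the tool is run from a directory that is not writable. Consider `($hb, $before) = eval { tempfile("$MySQLaccess::script.XXXXXX", TMPDIR => 1) } or push(@MySQLaccess::Report::Errors,"Can't create temporary file: $@");` and the same for `$ha`, then skip the `print`/`close` when the handle is undefined. Diff_Privileges starts before this hunk and continues after it.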
@@ -1799,8 +1794,8 @@ sub Diff_Privileges {
 
    # ----------------------------------
    # cleanup temp. files
-   unlink(BEFORE);
-   unlink(AFTER);
+   unlink($before);
+   unlink($after);
 
    return \@diffs;
 }
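Review bot: The cleanup `unlink($before); unlink($after);` runs only if control reaches the end of Diff_Privileges, and its return values are ignored, so a failure in the diff step (not visible in this hunk) may leave the files holding the privilege listings behind. Passing `UNLINK => 1` to the two `tempfile` calls earlier in the function lets File::Temp remove them at program exit as a backstop. A checked form such as `unlink($before) or warn "unlink $before: $!";` would also surface a failed removal.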
@@ -2315,14 +2310,6 @@ BEGIN {
    => "The diff program <$MySQLaccess::DIFF> could not be found.\n"
      ."+ Check your path, or\n"
      ."+ edit the source of this script to point \$DIFF to the diff program.\n"
- ,'not_found_tmp'
-   => "The temporary directory <$MySQLaccess::TMP_PATH> could not be found.\n"
-     ."+ create this directory (writeable!), or\n"
-     ."+ edit the source of this script to point \$TMP_PATH to the right directory.\n"
- ,'write_err_tmp'
-   => "The temporary directory <$MySQLaccess::TMP_PATH> is not writable.\n"
-     ."+ make this directory writeable!, or\n"
-     ."+ edit the source of this script to point \$TMP_PATH to another directory.\n"
  ,'Unrecognized_option'
    => "Sorry,\n"
      ."You are using an old version of the mysql-program,\n"