pkgsrc-Bugs archive
pkg/29188: mysql{3,4,}-client in pkgsrc-2004Q4 vulnerable
>Number: 29188
>Category: pkg
>Synopsis: The mysqlaccess script allows local users to overwrite
>arbitrary files or read temporary files via a symlink attack on temporary
>files.
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Feb 01 19:37:00 +0000 2005
>Originator: Alec Berryman
>Release: NetBSD 2.0
>Environment:
System: NetBSD splinter.bowdoin.edu 2.0 NetBSD 2.0 (GENERIC) #0: Wed Dec 1
10:58:25 UTC 2004
builds@build:/big/builds/ab/netbsd-2-0-RELEASE/i386/200411300000Z-obj/big/builds/ab/netbsd-2-0-RELEASE/src/sys/arch/i386/compile/GENERIC
i386
Architecture: i386
Machine: i386
>Description:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0004:
"The mysqlaccess script in MySQL 4.0.23 and earlier, 4.1.x
before 4.1.10, 5.0.x before 5.0.3, and other versions
including 3.x, allows local users to overwrite arbitrary files
or read temporary files via a symlink attack on temporary
files."
>Fix:
Patch taken from http://lists.mysql.com/internals/20600; it applies
cleanly to mysql-client, mysql4-client, and mysql3-client.
$NetBSD$
--- mysqlaccess.sh.orig 2004-10-23 02:28:44.000000000 -0500
+++ mysqlaccess.sh
@@ -2,7 +2,7 @@
# ****************************
package MySQLaccess;
#use strict;
-use POSIX qw(tmpnam);
+use File::Temp qw(tempfile tmpnam);
use Fcntl;
BEGIN {
@@ -32,7 +32,6 @@ BEGIN {
$ACCESS_U_BCK = 'user_backup';
$ACCESS_D_BCK = 'db_backup';
$DIFF = '/usr/bin/diff';
- $TMP_PATH = '/tmp'; #path to writable tmp-directory
$MYSQLDUMP = '@bindir@/mysqldump';
#path to mysqldump executable
@@ -431,7 +430,7 @@ use IPC::Open3;
# no caching on STDOUT
$|=1;
- $MYSQL_CNF = POSIX::tmpnam();
+ $MYSQL_CNF = tmpnam();
%MYSQL_CNF = (client => { },
mysql => { },
mysqldump => { },
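Review bot: `$MYSQL_CNF = tmpnam();` still only obtains a name, because in scalar context File::Temp's tmpnam() returns a path it has merely checked does not exist, so the gap between choosing the name and creating the file remains. The code that opens $MYSQL_CNF is outside this hunk; unless it creates the file exclusively (for example sysopen with O_EXCL), the symlink problem this patch targets stays open for the config file. Calling it in list context with a new handle variable, `($MYSQL_CNF_FH, $MYSQL_CNF) = tmpnam();`, or using tempfile() as Diff_Privileges now does, returns an already-open handle. The `tmpnam` import added in the first hunk could then be dropped if nothing else uses it.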
@@ -576,8 +575,6 @@ if (!defined($Param{'host'})) { $Pa
push(@MySQLaccess::Grant::Error,'not_found_mysql') if !(-x $MYSQL);
push(@MySQLaccess::Grant::Error,'not_found_diff') if !(-x $DIFF);
push(@MySQLaccess::Grant::Error,'not_found_mysqldump') if !(-x $MYSQLDUMP);
-push(@MySQLaccess::Grant::Error,'not_found_tmp') if !(-d $TMP_PATH);
-push(@MySQLaccess::Grant::Error,'write_err_tmp') if !(-w $TMP_PATH);
if (@MySQLaccess::Grant::Error) {
MySQLaccess::Report::Print_Error_Messages() ;
exit 0;
@@ -1776,17 +1773,15 @@ sub Diff_Privileges {
@before = sort(@before);
@after = sort(@after);
- $before = "$MySQLaccess::TMP_PATH/$MySQLaccess::script.before.$$";
- $after = "$MySQLaccess::TMP_PATH/$MySQLaccess::script.after.$$";
- #$after = "/tmp/t0";
- open(BEFORE,"> $before") ||
- push(@MySQLaccess::Report::Errors,"Can't open temporary file $before for
writing");
- open(AFTER,"> $after") ||
- push(@MySQLaccess::Report::Errors,"Can't open temporary file $after for
writing");
- print BEFORE join("\n",@before);
- print AFTER join("\n",@after);
- close(BEFORE);
- close(AFTER);
+ ($hb, $before) = tempfile("$MySQLaccess::script.XXXXXX") or
+ push(@MySQLaccess::Report::Errors,"Can't create temporary file: $!");
+ ($ha, $after) = tempfile("$MySQLaccess::script.XXXXXX") or
+ push(@MySQLaccess::Report::Errors,"Can't create temporary file: $!");
+
+ print $hb join("\n",@before);
+ print $ha join("\n",@after);
+ close $hb;
+ close $ha;
# ----------------------------------
# compute difference
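Review bot: Both `tempfile("$MySQLaccess::script.XXXXXX")` calls pass a bare template, which File::Temp creates in the current working directory rather than the system temporary directory, so the script now fails or leaves files behind depending on where it is run. Passing `TMPDIR => 1`, as in `tempfile("$MySQLaccess::script.XXXXXX", TMPDIR => 1)`, keeps the files in the temp directory the removed $TMP_PATH used to name. tempfile() also croaks on failure instead of returning false, so the `or push(@MySQLaccess::Report::Errors, ...)` branches never run and a failure aborts the script rather than being reported; wrapping each call in `eval { ... }` and pushing the error when `$@` is set would restore the intended reporting. Diff_Privileges begins and ends outside this hunk.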
@@ -1799,8 +1794,8 @@ sub Diff_Privileges {
# ----------------------------------
# cleanup temp. files
- unlink(BEFORE);
- unlink(AFTER);
+ unlink($before);
+ unlink($after);
return \@diffs;
}
@@ -2315,14 +2310,6 @@ BEGIN {
=> "The diff program <$MySQLaccess::DIFF> could not be found.\n"
."+ Check your path, or\n"
."+ edit the source of this script to point \$DIFF to the diff program.\n"
- ,'not_found_tmp'
- => "The temporary directory <$MySQLaccess::TMP_PATH> could not be found.\n"
- ."+ create this directory (writeable!), or\n"
- ."+ edit the source of this script to point \$TMP_PATH to the right
directory.\n"
- ,'write_err_tmp'
- => "The temporary directory <$MySQLaccess::TMP_PATH> is not writable.\n"
- ."+ make this directory writeable!, or\n"
- ."+ edit the source of this script to point \$TMP_PATH to another
directory.\n"
,'Unrecognized_option'
=> "Sorry,\n"
."You are using an old version of the mysql-program,\n"