--Apple-Mail-1-580636551
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	delsp=yes;
	format=flowed

#########################################################
MySQL mysql_install_db data manipulation
vendor: http://www.mysql.com
advisory: http://www.zataz.net/adviso/mysql-05172005.txt
vendor informed: yes exploit available:no

#########################################################

MySQL contain a security flaw how could
allow a malicious local attacker to inject arbitrary SQL commands
during database creation process.

For exemple : A malicious local attacker could create an mysql account
accessible from local (or everywhere) with ALL privileges on all  
databases;

##########
versions:
##########

MySQL < 4.0.12
MySQL <= 5.0.4

##########
Solution:
##########

For MySQL 4.0.x update to the new version 4.0.12
MySQL 5.0.4 still vulnerable.

#########
timeline:
#########

discovered : 2005-05-07
vendor notified : 2005-05-09
vendor response : 2005-05-09
vendor fix :  2005-05-17
disclosure : 2005-05-17

#####################
Technical details :
#####################

tmp_file=/tmp/mysql_install_db.$$

Then on :

  226     echo "use mysql;" > $tmp_file
  227     cat $tmp_file $fill_help_tables | eval  
"$mysqld_install_cmd_line"
  228     res=$?
  229     rm $tmp_file

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ)
Thxs to Gentoo Security Team. (Taviso, Sune, jaervosz, etc.)



--Apple-Mail-1-580636551
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=ISO-8859-1

<HTML><BODY style=3D"word-wrap: break-word; -khtml-nbsp-mode: space; =
-khtml-line-break: after-white-space; "><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">#########################################################</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">MySQL mysql_install_db data manipulation</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">vendor: <A =
href=3D"http://www.mysql.com">http://www.mysql.com</A></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">advisory:<A =
href=3D"http://lostmon.blogspot.com/2005/04/"> =
http://www.zataz.</A>net/adviso/mysql-05172005.txt</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">vendor informed: yes exploit available:no</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 12px/normal Helvetica; =
min-height: 17px; "><BR></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">#########################################################</DIV><DIV><BR =
class=3D"khtml-block-placeholder"></DIV><DIV>MySQL contain a security =
flaw how could</DIV><DIV>allow a malicious local attacker to inject =
arbitrary SQL commands</DIV><DIV>during database creation =
process.</DIV><DIV><BR class=3D"khtml-block-placeholder"></DIV><DIV>For =
exemple : A malicious local attacker could create an mysql =
account</DIV><DIV>accessible from local (or everywhere) with ALL =
privileges on all databases;</DIV><DIV><BR =
class=3D"khtml-block-placeholder"></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">##########</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">versions:</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">##########</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><BR =
class=3D"khtml-block-placeholder"></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">MySQL=A0&lt; =
4.0.12</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">MySQL &lt;=3D 5.0.4</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><BR class=3D"khtml-block-placeholder"></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">##########</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">Solution:</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">##########</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><BR class=3D"khtml-block-placeholder"></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">For MySQL 4.0.x update to the new version =
4.0.12</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">MySQL 5.0.4 still =
vulnerable.</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; "><BR =
class=3D"khtml-block-placeholder"></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">#########</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">timeline:</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">#########</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><BR =
class=3D"khtml-block-placeholder"></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">discovered : =
2005-05-07</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">vendor notified : =
2005-05-09</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">vendor response =
:=A02005-05-09</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">vendor fix =
:=A0=A02005-05-17</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">disclosure =
:=A02005-05-17</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; "><BR =
class=3D"khtml-block-placeholder"></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">#####################</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Technical =
details :</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">#####################</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><BR class=3D"khtml-block-placeholder"></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" face=3D"Verdana" =
size=3D"3"><SPAN class=3D"Apple-style-span" style=3D"font-size: =
11.7px;">tmp_file=3D/tmp/mysql_install_db.$$</SPAN></FONT></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; font: normal normal normal 11.7px/normal Verdana; =
min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Verdana" size=3D"3"><SPAN =
class=3D"Apple-style-span" style=3D"font-size: 11.7px;">Then on =
:</SPAN></FONT></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; font: normal normal normal =
11.7px/normal Verdana; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" face=3D"Verdana" =
size=3D"3"><SPAN class=3D"Apple-style-span" style=3D"font-size: =
11.7px;">=A0</SPAN></FONT><FONT class=3D"Apple-style-span" =
face=3D"Verdana" size=3D"3"><SPAN class=3D"Apple-style-span" =
style=3D"font-size: 11.7px;">226 </SPAN></FONT><FONT =
class=3D"Apple-style-span" face=3D"Verdana" size=3D"3"><SPAN =
class=3D"Apple-style-span" style=3D"font-size: 11.7px;">=A0 =A0 =
</SPAN></FONT><FONT class=3D"Apple-style-span" face=3D"Verdana" =
size=3D"3"><SPAN class=3D"Apple-style-span" style=3D"font-size: =
11.7px;">echo "use mysql;" &gt; $tmp_file</SPAN></FONT></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" face=3D"Verdana" =
size=3D"3"><SPAN class=3D"Apple-style-span" style=3D"font-size: =
11.7px;">=A0</SPAN></FONT><FONT class=3D"Apple-style-span" =
face=3D"Verdana" size=3D"3"><SPAN class=3D"Apple-style-span" =
style=3D"font-size: 11.7px;">227 </SPAN></FONT><FONT =
class=3D"Apple-style-span" face=3D"Verdana" size=3D"3"><SPAN =
class=3D"Apple-style-span" style=3D"font-size: 11.7px;">=A0 =A0 =
</SPAN></FONT><FONT class=3D"Apple-style-span" face=3D"Verdana" =
size=3D"3"><SPAN class=3D"Apple-style-span" style=3D"font-size: =
11.7px;">cat $tmp_file $fill_help_tables | eval =
"$mysqld_install_cmd_line"</SPAN></FONT></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Verdana" size=3D"3"><SPAN =
class=3D"Apple-style-span" style=3D"font-size: =
11.7px;">=A0</SPAN></FONT><FONT class=3D"Apple-style-span" =
face=3D"Verdana" size=3D"3"><SPAN class=3D"Apple-style-span" =
style=3D"font-size: 11.7px;">228 </SPAN></FONT><FONT =
class=3D"Apple-style-span" face=3D"Verdana" size=3D"3"><SPAN =
class=3D"Apple-style-span" style=3D"font-size: 11.7px;">=A0 =A0 =
</SPAN></FONT><FONT class=3D"Apple-style-span" face=3D"Verdana" =
size=3D"3"><SPAN class=3D"Apple-style-span" style=3D"font-size: =
11.7px;">res=3D$?</SPAN></FONT></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Verdana" size=3D"3"><SPAN =
class=3D"Apple-style-span" style=3D"font-size: =
11.7px;">=A0</SPAN></FONT><FONT class=3D"Apple-style-span" =
face=3D"Verdana" size=3D"3"><SPAN class=3D"Apple-style-span" =
style=3D"font-size: 11.7px;">229 </SPAN></FONT><FONT =
class=3D"Apple-style-span" face=3D"Verdana" size=3D"3"><SPAN =
class=3D"Apple-style-span" style=3D"font-size: 11.7px;">=A0 =A0 =
</SPAN></FONT><FONT class=3D"Apple-style-span" face=3D"Verdana" =
size=3D"3"><SPAN class=3D"Apple-style-span" style=3D"font-size: =
11.7px;">rm $tmp_file</SPAN></FONT></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><FONT =
class=3D"Apple-style-span" face=3D"Verdana" size=3D"3"><SPAN =
class=3D"Apple-style-span" style=3D"font-size: 11.7px;"><BR =
class=3D"khtml-block-placeholder"></SPAN></FONT></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">#####################</DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">Credits=A0:</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">#####################</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><FONT class=3D"Apple-style-span" face=3D"Verdana" =
size=3D"3"><SPAN class=3D"Apple-style-span" style=3D"font-size: =
11.7px;"><BR class=3D"khtml-block-placeholder"></SPAN></FONT></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">Eric Romang (<A =
href=3D"mailto:eromang@zataz.net">eromang@zataz.net</A> - =
ZATAZ)</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">Thxs to Gentoo Security Team. =
(Taviso, Sune, jaervosz, etc.)</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><BR =
class=3D"khtml-block-placeholder"></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><BR =
class=3D"khtml-block-placeholder"></DIV></BODY></HTML>=

--Apple-Mail-1-580636551--