Re: mysql-5.1.41

[Tomas Hoger <thoger () redhat com>]

On Thu, 17 Dec 2009 16:28:16 +0100 Sergei Golubchik <serg () mysql com>
wrote:

> > > Name: CVE-2009-4030
> > >
> > > MySQL 5.1.x before 5.1.41 allows local users to bypass certain
> > > privilege checks by calling CREATE TABLE on a MyISAM table with
> > > modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are
> > > originally associated with pathnames without symlinks, and that can
> > > point to tables created at a future time at which a pathname is
> > > modified to contain a symlink to a subdirectory of the MySQL data home
> > > directory, related to incorrect calculation of the
> > > mysql_unpacked_real_data_home value.  NOTE: this vulnerability exists
> > > because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.
> >
> > This problem is limited to situation where --datadir gets a relative
> > path not starting with '.' and current working directory is not
> > --basedir, right?
>
> You mean the last problem in the bug report ?
> Yes.

The "Fixed a initialization order remark by Serg" fix,  problem pointed
out in your comment dated as "[14 Jul 15:53] Sergei Golubchik".

As when you use full path for --datadir, it's correctly expanded using
realpath.  Relative paths starting with '.' are expected to be resolved
from CWD.  I've not checked path starting with '~', they may be
affected by this problem too.

Thank you for clarifications / confirmations!

-- 
Tomas Hoger / Red Hat Security Response Team