Ubuntu 4.10 : mysql-dfsg vulnerabilities (USN-96-1)

Ubuntu Security Notice (C) 2005-2013 Canonical, Inc. / NASL script (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

Stefano Di Paola discovered three privilege escalation flaws in the
MySQL server :

- If an authenticated user had INSERT privileges on the
'mysql' administrative database, the CREATE FUNCTION
command allowed that user to use libc functions to
execute arbitrary code with the privileges of the
database server (user 'mysql'). (CAN-2005-0709)

- If an authenticated user had INSERT privileges on the
'mysql' administrative database, it was possible to load
a library located in an arbitrary directory by using
INSERT INTO mysql.func instead of CREATE FUNCTION. This
allowed the user to execute arbitrary code with the
privileges of the database server (user 'mysql').
(CAN-2005-0710)

- Temporary files belonging to tables created with CREATE
TEMPORARY TABLE were handled in an insecure way. This
allowed any local computer user to overwrite arbitrary
files with the privileges of the database server.
(CAN-2005-0711)

Matt Brubeck discovered that the directory /usr/share/mysql/ was owned
and writable by the database server user 'mysql'. This directory
contains scripts which are usually run by root. This allowed a local
attacker who already has mysql privileges to gain full root access by
modifying a script and tricking root into executing it.
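
The ownership problem described above can be checked on a host with a short audit. The following is an added example, not part of the Ubuntu notice or the Nessus plugin: the function name `audit_tree` and its output format are assumptions made for illustration. It reports every entry under a directory that the given service account owns, plus anything world-writable.

```shell
#!/bin/sh
# Added example: audit a directory tree whose scripts are run by root for
# entries that an unprivileged service account could modify.
# audit_tree and its "<reason> <path>" output format are illustrative names.

# audit_tree DIR ACCOUNT
#   DIR      tree to inspect, e.g. /usr/share/mysql
#   ACCOUNT  user name or numeric uid of the service account, e.g. mysql
# Prints one "<reason> <path>" line per finding.
# Returns 0 if the tree is clean, 1 if there are findings, 2 on bad usage.
audit_tree() {
    at_dir=$1
    at_acct=$2
    if [ -z "$at_acct" ] || [ ! -d "$at_dir" ]; then
        echo "usage: audit_tree DIR ACCOUNT" >&2
        return 2
    fi
    at_out=$(
        # Owner can rewrite a file, or chmod it writable, regardless of mode.
        # The start directory itself is included, so an account-owned
        # top-level directory (the case in this notice) is reported too.
        find "$at_dir" -user "$at_acct" -print |
            sed 's/^/owned-by-account /'
        # World-writable entries are modifiable by every local user.
        # Symlinks are skipped because their mode bits are not meaningful.
        find "$at_dir" ! -type l -perm -0002 -print |
            sed 's/^/world-writable /'
    )
    [ -z "$at_out" ] && return 0
    printf '%s\n' "$at_out"
    return 1
}

# Typical call on an affected release (run as root so every entry is visible):
#   audit_tree /usr/share/mysql mysql
```

On a patched host the call shown in the final comment should print nothing and return 0.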

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.6
(CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P)

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 20722

CVE ID: CVE-2005-0709
CVE-2005-0710
CVE-2005-0711