[MDEV-8269] Correct fix for Bug #20181776 :- ACCESS CONTROL DOESN'T MATCH MOST SPECIFIC HOST WHEN IT CONTAINS WILDCARD Created: 2015-06-04 Updated: 2019-06-17 Resolved: 2019-06-17 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Authentication and Privilege System |
| Affects Version/s: | 5.5, 10.0, 10.1, 10.2 |
| Fix Version/s: | 10.4.6 |
| Type: | Bug | Priority: | Major |
| Reporter: | Sergei Golubchik | Assignee: | Sergei Golubchik |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | upstream | ||
| Issue Links: |
|
||||||||||||
| Sprint: | 5.5.48-0 | ||||||||||||
| Description |
|
According to the manual, for the purpose of account matching for incoming connections user accounts are sorted in the order from most specific (no wildcards), to least specific (only wildcards). This is done in the get_sort() function. But elements that have wildcards and only differ in the length of the tail are considered equal, that is the order of "%.bar" and "%.foo.bar" is undefined. Same for "www.%.com" and "www.%.host.com". Although in both cases the second host name is more specific and should be sorted first. There is an attempt of fixing it upstream, but it's very incomplete |
| Comments |
| Comment by Otto Kekäläinen [ 2015-10-30 ] |
|
Debian tracks at https://security-tracker.debian.org/tracker/CVE-2015-4737 the CVE presumably assigned for this issue by Oracle |
| Comment by Otto Kekäläinen [ 2016-01-23 ] |
|
In further investigation there was no solid proof that the CVE-2015-4737 indeed is this issue nor that Oracle has got any CVE for this issue at all. Please comment here if https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4737 ever updates the decription or it something else yields more information. |