[MDEV-9546] mysqlaccess script shows an old version (which was vulnerable to CVE-2005-0004)

Created: 2016-02-10
Updated: 2019-10-19
Resolved: 2019-10-19

Status: Closed
Project: MariaDB Server
Component/s: Scripts & Clients
Affects Version/s: 10.1.11
Fix Version/s: 10.2.28, 5.5.66, 10.1.42, 10.3.19, 10.4.9

Type: Bug
Priority: Major
Reporter: Quanah Gibson-Mount (Inactive)
Assignee: Sergei Golubchik
Resolution: Fixed
Votes: 0
Labels: None
Environment: Linux

 Description   

CVE-2005-0004 was filed in 2005 against MySQL for the mysqlaccess script. Scanners report:

-The following file versions were found to be less than 2.07: <path>/bin/mysqlaccess

  • Certain versions of the 'mysqlaccess' program shipped with MySQL are vulnerable to a symlink attack because the temporary files used are easy to predict. As a result, a local attacker can overwrite any file which the calling process has write access to.

Looking at the mysqlaccess shipped in MariaDB 10.1.11 (and earlier), we find:

package MySQLaccess;
#use strict;
use File::Temp qw(tempfile tmpnam);
use Fcntl;
 
BEGIN {
    # ****************************
    # static information...
    $VERSION     = "2.06, 20 Dec 2000";

So the question is – Is MariaDB actually vulnerable, or has it simply failed to update the version listed in mysqlaccess?



 Comments   
Comment by Quanah Gibson-Mount (Inactive) [ 2016-02-10 ]

Viewing the history (https://github.com/MariaDB/server/commit/4bdf479da07516fa13b63439f756c2d667e7acd6#diff-207f5e197b454fe83cdcf3972bc7b4de), it clearly was fixed.

It would be useful to increment the version shipped in MariaDB so it does not show up as vulnerable. Oracle has apparently failed to do this with MySQL as well.

Comment by Elena Stepanova [ 2016-02-11 ]

Right, the changes are there (in 10.1, 10.0, 5.5, probably in earlier versions as well), but the version is "2.06, 20 Dec 2000", same as in MySQL.
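
Added example (not part of the original issue, MariaDB's code, or any scanner's rule set): a triage check that separates the version-string finding discussed above from the state of the code itself. Both Perl samples are constructed; the `tempfile()` call, the PID-based `/tmp` path and the three heuristics are assumptions for illustration, not the historical mysqlaccess source.

```python
import re

# Constructed samples. PATCHED reuses the header quoted in the report plus a
# constructed tempfile() call; UNPATCHED is a constructed predictable-name
# pattern, not the historical mysqlaccess source.
PATCHED = '''package MySQLaccess;
#use strict;
use File::Temp qw(tempfile tmpnam);
use Fcntl;
BEGIN {
    $VERSION     = "2.06, 20 Dec 2000";
}
my ($fh, $cnf) = tempfile("mysqlaccess.XXXXXX", TMPDIR => 1);
'''
UNPATCHED = '''package MySQLaccess;
BEGIN {
    $VERSION     = "2.06, 20 Dec 2000";
}
# use File::Temp qw(tempfile);
my $cnf = "/tmp/mysqlaccess.cnf.$$";
open(CNF, ">$cnf");
'''

def strip_comments(source):
    """Drop whole-line Perl comments so commented-out code is not counted."""
    return "\n".join(l for l in source.splitlines() if not l.lstrip().startswith("#"))

def assess_mysqlaccess(source):
    code = strip_comments(source)
    m = re.search(r'\$VERSION\s*=\s*"(\d+)\.(\d+)', code)
    version = (int(m.group(1)), int(m.group(2))) if m else None
    # The scanner rule quoted in the report: flag anything below 2.07.
    flagged = version is not None and version < (2, 7)
    imports_tempfile = re.search(r'^\s*use\s+File::Temp\b[^;]*\btempfile\b', code, re.M) is not None
    calls_tempfile = re.search(r'\btempfile\s*\(', code) is not None
    # Heuristic: a literal /tmp path built from the PID ($$) is a guessable name.
    predictable = re.search(r'["\']/tmp/[^"\']*\$\$', code) is not None
    code_fixed = imports_tempfile and calls_tempfile and not predictable
    if not flagged:
        verdict = "not flagged"
    elif code_fixed:
        verdict = "version-string only"
    else:
        verdict = "needs review"
    return {"version": version, "flagged": flagged, "code_fixed": code_fixed, "verdict": verdict}

if __name__ == "__main__":
    for name, src in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(name, assess_mysqlaccess(src))
```

A "version-string only" verdict is a prompt to confirm against the packaged source history, as the comments above do with the linked commit; it is not proof of a fix.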
