Commit 858e5626 authored by Venkata Sidagam's avatar Venkata Sidagam

Bug #18045646 LOCAL USER CAN RUN ARBITRARY CODE IN THE CONTEXT OF THE MYSQL SERVER

Description: Using the temporary file vulnerability an
attacker can create a file with arbitrary content at a
location of his choice. This can be used to create the
file /var/lib/mysql/my.cnf, which will be read as a
configuration file by MySQL, because it is located in the
home directory of the mysql user. With this configuration
file, the attacker can specify his own plugin_dir variable,
which then allows him to load arbitrary code via
"INSTALL PLUGIN...".

Analysis: While creating the ".TMD" file we are not checking
if the file is already exits or not in mi_repair() function.
And we are truncating if the ".TMD" file exits and going ahead
This is creating the security breach.

Fix: We need to use O_EXCL flag along with O_RDWR and O_TRUNC
which will make sure if any user creates ".TMD" file, will
fails the repair table with "cannot create ".TMD" file error".
Actually we are initialing "param.tmpfile_createflag" member
with O_RDWR | O_TRUNC | O_EXCL in myisamchk_init(). And we
are modifying it in ha_myisam::repair() to O_RDWR | O_TRUNC.
So, we need to remove the line which is modifying the
"param.tmpfile_createflag".
parent 918837f7
...@@ -1041,7 +1041,6 @@ int ha_myisam::repair(THD *thd, MI_CHECK &param, bool do_optimize) ...@@ -1041,7 +1041,6 @@ int ha_myisam::repair(THD *thd, MI_CHECK &param, bool do_optimize)
param.db_name= table->s->db.str; param.db_name= table->s->db.str;
param.table_name= table->alias; param.table_name= table->alias;
param.tmpfile_createflag = O_RDWR | O_TRUNC;
param.using_global_keycache = 1; param.using_global_keycache = 1;
param.thd= thd; param.thd= thd;
param.tmpdir= &mysql_tmpdir_list; param.tmpdir= &mysql_tmpdir_list;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment