A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
The problem can be corrected by upgrading the affected package to version 4.0.20-2ubuntu1.4. In general, a standard system upgrade is sufficient to effect the necessary changes.
Stefano Di Paola discovered three privilege escalation flaws in the MySQL server:
- If an authenticated user had INSERT privileges on the 'mysql' administrative database, the CREATE FUNCTION command allowed that user to use libc functions to execute arbitrary code with the privileges of the database server (user 'mysql'). (CAN-2005-0709)
- If an authenticated user had INSERT privileges on the 'mysql' administrative database, it was possible to load a library located in an arbitrary directory by using INSERT INTO mysql.func instead of CREATE FUNCTION. This allowed the user to execute arbitrary code with the privileges of the database server (user 'mysql'). (CAN-2005-0710)
- Temporary files belonging to tables created with CREATE TEMPORARY TABLE were handled in an insecure way. This allowed any local computer user to overwrite arbitrary files with the privileges of the database server. (CAN-2005-0711)
Matt Brubeck discovered that the directory /usr/share/mysql/ was owned and writable by the database server user 'mysql'. This directory contains scripts which are usually run by root. This allowed a local attacker who already has mysql privileges to gain full root access by modifying a script and tricking root into executing it.