Hello

On 2006-08-08 Moritz Muehlenhoff wrote:
> Christian Hammers wrote:
> > MySQL today announced a new upstream version for mysql-server-4.1 that
> > fixes a security problem:
> >
> >   Security fix: If a user has access to MyISAM table t, that user can
> >   create a MERGE table m that accesses t. However, if the user's
> >   privileges on t are subsequently revoked, the user can continue to
> >   access t by doing so through m. If this behavior is undesirable, you
> >   can start the server with the new --skip-merge option to disable the
> >   MERGE storage engine.
> >   http://bugs.mysql.com/bug.php?id=15195
> >
> > The bug affects
> >   3.23 woody
> >   4.0 sarge
> >   4.1 sarge
> >   5.0 unstable
> > although in 3.23 and 4.0 it's even more unlikely as merge tables
> > couldn't even span databases i.e. table based rights would have to be
> > revoked.
> >
> > Does this justify a DSA? If so, can you register a CVE id?
>
> Sorry for the late reply. My intuition tells me that the transferred
> privileges should be revoked, does the documentation indicate the same?
> However, if the fix only consists of an option to disable MERGE completely
> I don't think this solves the problem properly. If that's the case it
> should rather be documented as being problematic, so that it can be
> used appropriately.

The online manual documents this security issue quite well but from the
wording I guess that it has been updated while fixing the bug :) Debian
never shipped that manual as it is not DFSG-clean. Oh and we only shipped
4.1.11, not 4.1.21.

Given that upstream did not fix the problem cleanly and merge tables are
rarely used I would also opt for not fixing the problem. Would a DSA that
only documents a problem but does not fix it make sense?

The current docs:

  "You can use SELECT, DELETE, UPDATE, and (as of MySQL 4.0) INSERT on
  MERGE tables. You must have SELECT, UPDATE, and DELETE privileges on the
  MyISAM tables that you map to a MERGE table.

  Note: The use of MERGE tables entails the following security issue: If a
  user has access to MyISAM table t, that user can create a MERGE table m
  that accesses t. However, if the user's privileges on t are subsequently
  revoked, the user can continue to access t by doing so through m. If
  this behavior is undesirable, you can start the server with the new
  --skip-merge option to disable the MERGE storage engine. This option is
  available as of MySQL 4.1.21."

bye,

-christian-
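
Added example, not part of the original thread and not MySQL or Debian code: an audit sketch for the situation discussed above, where --skip-merge is not an option and an administrator wants to find users who can still reach a MyISAM table only through a MERGE table. The table names, users and the simplified grant map (user -> set of (db, table), with "*" as wildcard) are constructed assumptions; the DDL strings stand in for SHOW CREATE TABLE output.

```python
import re

# Older servers print TYPE= instead of ENGINE= in SHOW CREATE TABLE output.
MERGE_RE = re.compile(r"\b(?:ENGINE|TYPE)=MRG_MyISAM\b", re.I)
UNION_RE = re.compile(r"\bUNION=\(([^)]*)\)", re.I)

# Constructed sample: SHOW CREATE TABLE text keyed by (database, table).
SAMPLE_DDL = {
    ("app", "m"): "CREATE TABLE `m` (\n  `id` int(11) NOT NULL\n) "
                  "ENGINE=MRG_MyISAM DEFAULT CHARSET=latin1 "
                  "UNION=(`t`,`archive`.`t_old`)",
    ("app", "t"): "CREATE TABLE `t` (\n  `id` int(11) NOT NULL\n) ENGINE=MyISAM",
    ("archive", "t_old"): "CREATE TABLE `t_old` (\n  `id` int(11)\n) ENGINE=MyISAM",
}
# Constructed grant map (assumption): a simplified view of the grant tables.
SAMPLE_GRANTS = {
    "alice": {("app", "m"), ("archive", "t_old")},  # rights on app.t revoked
    "bob": {("app", "*"), ("archive", "*")},
}

def merge_children(db, ddl):
    """Return the (db, table) pairs a MERGE table maps, or [] if not MERGE."""
    union = UNION_RE.search(ddl)
    if not MERGE_RE.search(ddl) or not union:
        return []
    children = []
    for item in union.group(1).split(","):
        # Simplification: assumes identifiers contain no "," or "." characters.
        parts = [p.strip().strip("`") for p in item.split(".")]
        if parts != [""]:
            children.append(tuple(parts) if len(parts) == 2 else (db, parts[0]))
    return children

def has_access(grants, user, db, table):
    """True if the user holds a table, database or global level grant."""
    return bool({(db, table), (db, "*"), ("*", "*")} & grants.get(user, set()))

def stale_merge_access(ddl_by_table, grants):
    """List (user, merge_table, underlying_table) where the user can use the
    MERGE table but no longer holds privileges on an underlying table."""
    findings = []
    for (db, name), ddl in sorted(ddl_by_table.items()):
        children = merge_children(db, ddl)
        for user in sorted(grants):
            if children and has_access(grants, user, db, name):
                findings += [(user, f"{db}.{name}", "%s.%s" % c)
                             for c in children if not has_access(grants, user, *c)]
    return findings
```

Each finding is a MERGE table to drop or a grant on it to revoke for that user.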

