From b9c03d41e492984bdea2da923eac1e62cf5264f7 Mon Sep 17 00:00:00 2001 From: Venkata Sidagam Date: Thu, 8 May 2014 14:41:01 +0530 Subject: [PATCH] Bug #18045646 LOCAL USER CAN RUN ARBITRARY CODE IN THE CONTEXT OF THE MYSQL SERVER Description: Using the temporary file vulnerability an attacker can create a file with arbitrary content at a location of his choice. This can be used to create the file /var/lib/mysql/my.cnf, which will be read as a configuration file by MySQL, because it is located in the home directory of the mysql user. With this configuration file, the attacker can specify his own plugin_dir variable, which then allows him to load arbitrary code via "INSTALL PLUGIN...". Analysis: While creating the ".TMD" file we are not checking if the file is already exits or not in mi_repair() function. And we are truncating if the ".TMD" file exits and going ahead This is creating the security breach. Fix: We need to use O_EXCL flag along with O_RDWR and O_TRUNC which will make sure if any user creates ".TMD" file, will fails the repair table with "cannot create ".TMD" file error". Actually we are initialing "param.tmpfile_createflag" member with O_RDWR | O_TRUNC | O_EXCL in myisamchk_init(). And we are modifying it in ha_myisam::repair() to O_RDWR | O_TRUNC. So, we need to remove the line which is modifying the "param.tmpfile_createflag". --- storage/myisam/ha_myisam.cc | 1 - 1 file changed, 1 deletion(-) diff --git a/storage/myisam/ha_myisam.cc b/storage/myisam/ha_myisam.cc index 72a29cd8130..602a0ae6cc1 100644 --- a/storage/myisam/ha_myisam.cc +++ b/storage/myisam/ha_myisam.cc @@ -1041,7 +1041,6 @@ int ha_myisam::repair(THD *thd, MI_CHECK ¶m, bool do_optimize) param.db_name= table->s->db.str; param.table_name= table->alias; - param.tmpfile_createflag = O_RDWR | O_TRUNC; param.using_global_keycache = 1; param.thd= thd; param.tmpdir= &mysql_tmpdir_list;