NSFOCUS绿盟科技

首页 -> 安全研究

安全研究

安全漏洞

MySQL MYSQLD_Multi以不安全方式创建临时文件漏洞

发布日期：2004-04-14
更新日期：2004-04-26

受影响系统：

MySQL AB MySQL 4.1.0-alpha
MySQL AB MySQL 4.1.0
MySQL AB MySQL 4.0.9
MySQL AB MySQL 4.0.8
MySQL AB MySQL 4.0.7
MySQL AB MySQL 4.0.6
MySQL AB MySQL 4.0.5a
MySQL AB MySQL 4.0.5
MySQL AB MySQL 4.0.4
MySQL AB MySQL 4.0.3
MySQL AB MySQL 4.0.2
MySQL AB MySQL 4.0.18
MySQL AB MySQL 4.0.15
MySQL AB MySQL 4.0.14
MySQL AB MySQL 4.0.13
MySQL AB MySQL 4.0.12
MySQL AB MySQL 4.0.11
MySQL AB MySQL 4.0.10
MySQL AB MySQL 4.0.1
MySQL AB MySQL 4.0.0
MySQL AB MySQL 3.23.9
MySQL AB MySQL 3.23.8
MySQL AB MySQL 3.23.57
MySQL AB MySQL 3.23.56
MySQL AB MySQL 3.23.55
MySQL AB MySQL 3.23.54
MySQL AB MySQL 3.23.53a
MySQL AB MySQL 3.23.53
MySQL AB MySQL 3.23.52
MySQL AB MySQL 3.23.51
MySQL AB MySQL 3.23.50
MySQL AB MySQL 3.23.48
MySQL AB MySQL 3.23.47
MySQL AB MySQL 3.23.46
MySQL AB MySQL 3.23.45
MySQL AB MySQL 3.23.44
MySQL AB MySQL 3.23.43
MySQL AB MySQL 3.23.42
MySQL AB MySQL 3.23.41
MySQL AB MySQL 3.23.40
MySQL AB MySQL 3.23.4
MySQL AB MySQL 3.23.39
MySQL AB MySQL 3.23.38
MySQL AB MySQL 3.23.37
MySQL AB MySQL 3.23.36
MySQL AB MySQL 3.23.34
MySQL AB MySQL 3.23.31
MySQL AB MySQL 3.23.30
MySQL AB MySQL 3.23.3
MySQL AB MySQL 3.23.29
MySQL AB MySQL 3.23.28 gamma
MySQL AB MySQL 3.23.28
MySQL AB MySQL 3.23.27
MySQL AB MySQL 3.23.26
MySQL AB MySQL 3.23.25
MySQL AB MySQL 3.23.24
MySQL AB MySQL 3.23.23
MySQL AB MySQL 3.23.2
MySQL AB MySQL 3.23.10
MySQL AB MySQL 3.22.32
MySQL AB MySQL 3.22.30
MySQL AB MySQL 3.22.29
MySQL AB MySQL 3.22.28
MySQL AB MySQL 3.22.27
MySQL AB MySQL 3.22.26
MySQL AB MySQL 3.20.32a
MySQL AB MySQL 3.23.49
- Debian Linux 3.0
- RedHat Linux 7.3

描述：

BUGTRAQ  ID: 10142
CVE(CAN) ID: CVE-2004-0388

MySQL是一款开放源代码关系型数据库系统。

mysqld_multi脚本不安全建立临时文件，本地攻击者利用这个漏洞通过符号链接攻击破坏系统文件或提升权限。

目前没有详细漏洞细节提供。

<*来源：Debian Security Advisory

  链接：http://www.debian.org/security/2004/dsa-483
        http://www.linux-mandrake.com/en/security/2004/2004-034.php
*>

建议：

厂商补丁：

Debian
------
http://www.debian.org/security/2004/dsa-483

MandrakeSoft
------------
MandrakeSoft已经为此发布了一个安全公告（MDKSA-2004:034）以及相应补丁:
MDKSA-2004:034：Updated MySQL packages fix temporary file insecurities
链接：http://www.linux-mandrake.com/en/security/2004/2004-034.php

补丁下载：

Updated Packages:

Mandrakelinux 10.0:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libmysql12-4.0.18-1.1.100mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libmysql12-devel-4.0.18-1.1.100mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/MySQL-4.0.18-1.1.100mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/MySQL-Max-4.0.18-1.1.100mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/MySQL-bench-4.0.18-1.1.100mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/MySQL-client-4.0.18-1.1.100mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/MySQL-common-4.0.18-1.1.100mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/SRPMS/MySQL-4.0.18-1.1.100mdk.src.rpm

Corporate Server 2.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/libmysql10-3.23.56-1.5.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/libmysql10-devel-3.23.56-1.5.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/MySQL-3.23.56-1.5.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/MySQL-Max-3.23.56-1.5.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/MySQL-bench-3.23.56-1.5.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/MySQL-client-3.23.56-1.5.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/MySQL-3.23.56-1.5.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/libmysql10-3.23.56-1.5.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/libmysql10-devel-3.23.56-1.5.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/MySQL-3.23.56-1.5.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/MySQL-Max-3.23.56-1.5.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/MySQL-bench-3.23.56-1.5.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/MySQL-client-3.23.56-1.5.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/MySQL-3.23.56-1.5.C21mdk.src.rpm

Mandrakelinux 9.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/libmysql12-4.0.11a-5.2.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/libmysql12-devel-4.0.11a-5.2.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/MySQL-4.0.11a-5.2.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/MySQL-Max-4.0.11a-5.2.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/MySQL-bench-4.0.11a-5.2.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/MySQL-client-4.0.11a-5.2.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/MySQL-common-4.0.11a-5.2.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/MySQL-4.0.11a-5.2.91mdk.src.rpm

Mandrakelinux 9.1/PPC:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/libmysql12-4.0.11a-5.2.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/libmysql12-devel-4.0.11a-5.2.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/MySQL-4.0.11a-5.2.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/MySQL-Max-4.0.11a-5.2.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/MySQL-bench-4.0.11a-5.2.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/MySQL-client-4.0.11a-5.2.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/MySQL-common-4.0.11a-5.2.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/MySQL-4.0.11a-5.2.91mdk.src.rpm

Mandrakelinux 9.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/libmysql12-4.0.15-1.1.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/libmysql12-devel-4.0.15-1.1.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/MySQL-4.0.15-1.1.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/MySQL-Max-4.0.15-1.1.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/MySQL-bench-4.0.15-1.1.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/MySQL-client-4.0.15-1.1.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/MySQL-common-4.0.15-1.1.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/SRPMS/MySQL-4.0.15-1.1.92mdk.src.rpm

Mandrakelinux 9.2/AMD64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/MySQL-4.0.15-1.1.92mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/MySQL-Max-4.0.15-1.1.92mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/MySQL-bench-4.0.15-1.1.92mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/MySQL-client-4.0.15-1.1.92mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/MySQL-common-4.0.15-1.1.92mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/SRPMS/MySQL-4.0.15-1.1.92mdk.src.rpm
_______________________________________________________________________

上述升级软件还可以在下列地址中的任意一个镜像ftp服务器上下载：
http://www.mandrakesecure.net/en/ftp.php

浏览次数：3335
严重程度：0（网友投票）

本安全漏洞由绿盟科技翻译整理，版权所有，未经许可，不得转载
绿盟科技给您安全的保障

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客