MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ubuntu_linux | Canonical | 6.06 (including) | 6.06 (including) |
| Ubuntu_linux | Canonical | 7.10 (including) | 7.10 (including) |
| Ubuntu_linux | Canonical | 8.04 (including) | 8.04 (including) |
| Ubuntu_linux | Canonical | 8.10 (including) | 8.10 (including) |
| Ubuntu_linux | Canonical | 9.04 (including) | 9.04 (including) |
| Ubuntu_linux | Canonical | 9.10 (including) | 9.10 (including) |
| Red Hat Enterprise Linux 4 | RedHat | mysql-0:4.1.22-2.el4_8.3 | * |
| Mysql-dfsg-5.0 | Ubuntu | dapper | * |
| Mysql-dfsg-5.0 | Ubuntu | feisty | * |
| Mysql-dfsg-5.0 | Ubuntu | gutsy | * |
| Mysql-dfsg-5.0 | Ubuntu | hardy | * |
| Mysql-dfsg-5.0 | Ubuntu | intrepid | * |
| Mysql-dfsg-5.0 | Ubuntu | upstream | * |