Debian Bug report logs - #732306
mysql-5.5: installation creates database test and sets up insecure database permissions


Package: mysql-5.5; Maintainer for mysql-5.5 is Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 16 Dec 2013 15:12:02 UTC

Severity: serious

Tags: security

Found in version 5.5.17-1

Fixed in versions 5.5.33+dfsg-0+wheezy1, mysql-5.5/5.5.35+dfsg-1

Done: James Page <jamespage@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, hias@horus.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#732306; Package mysql-5.5. (Mon, 16 Dec 2013 15:12:06 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, hias@horus.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 16 Dec 2013 15:12:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mysql-5.5: installation creates database test and sets up insecure database permissions
Date: Mon, 16 Dec 2013 16:09:25 +0100
Package: mysql-5.5
Version: 5.5.17-1
Severity: serious
Tags: security

[Opening this as serious, as stable will be fixed through a
wheezy-security upload, and needs also to be addressed for jessie]

Matthias Reichl reported the following issue with the mysql-5.5
package:

----cut---------cut---------cut---------cut---------cut---------cut-----
mysql-server-5.5 ships with the upstream mysql_install_db script
which creates a database "test" and sets up permissions that
allow anonymous access, without a password, from localhost to
the "test" database and any databases starting with "test_" that
users might have created after installing mysql-server.

mysql> select Host, User, Db from mysql.db;
+------+------+---------+
| Host | User | Db      |
+------+------+---------+
| %    |      | test    |
| %    |      | test\_% |
+------+------+---------+

MySQL documentation recommends dropping these permissions and
the "test" database.
http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html ,
section "Securing Test Databases".

mysql-server-5.1 in squeeze didn't setup these permissions and
didn't create the test database, the debian patches
33_scripts__mysql_create_system_tables__no_test.dpatch and
41_scripts__mysql_install_db.sh__no_test.dpatch removed the code
from /usr/bin/mysql_install_db and /usr/share/mysql/mysql_system_tables.sql .

Please re-add these patches to mysql-server-5.5 and include some code
in the pre/postinst script to remove these permissions and the
"test" database on current installations.
----cut---------cut---------cut---------cut---------cut---------cut-----

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#732306; Package mysql-5.5. (Mon, 16 Dec 2013 15:39:21 GMT)

Acknowledgement sent to Rene Engelhard <rene@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 16 Dec 2013 15:39:21 GMT)

Message #10 received at 732306@bugs.debian.org:

From: Rene Engelhard <rene@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 732306@bugs.debian.org
Subject: Re: [debian-mysql] Bug#732306: mysql-5.5: installation creates database test and sets up insecure database permissions
Date: Mon, 16 Dec 2013 16:35:11 +0100
On Mon, Dec 16, 2013 at 04:09:25PM +0100, Salvatore Bonaccorso wrote:
[...]
> allow anonymous access, without a password, from localhost to
> the "test" database and any databases starting with "test_" that
> users might have created after installing mysql-server.
[..]
> MySQL documentation recommends dropping these permissions and
> the "test" database.
> http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html ,
> section "Securing Test Databases".
> 
> mysql-server-5.1 in squeeze didn't setup these permissions and
> didn't create the test database, the debian patches
> 33_scripts__mysql_create_system_tables__no_test.dpatch and
> 41_scripts__mysql_install_db.sh__no_test.dpatch removed the code
> from /usr/bin/mysql_install_db and /usr/share/mysql/mysql_system_tables.sql .
> 
> Please re-add these patches to mysql-server-5.5 and include some code


> in the pre/postinst script to remove these permissions and the
> "test" database on current installations.

I don't think we should do that.

What if people *do* have a real-world test db on some test system? A
DROP DATABASE would then simply be dataloss.
(Never underestimate "weird" paths/names (learned that myself the hard way
once).)

One could argue about the permission thing, but then again, if it's some
test-system with a test database....

Regards,

Rene



Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#732306; Package mysql-5.5. (Mon, 16 Dec 2013 15:45:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 16 Dec 2013 15:45:04 GMT)

Message #15 received at 732306@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Rene Engelhard <rene@debian.org>
Cc: 732306@bugs.debian.org
Subject: Re: [debian-mysql] Bug#732306: mysql-5.5: installation creates database test and sets up insecure database permissions
Date: Mon, 16 Dec 2013 16:42:20 +0100
Hi Rene,

On Mon, Dec 16, 2013 at 04:35:11PM +0100, Rene Engelhard wrote:
> On Mon, Dec 16, 2013 at 04:09:25PM +0100, Salvatore Bonaccorso wrote:
> [...]
> > allow anonymous access, without a password, from localhost to
> > the "test" database and any databases starting with "test_" that
> > users might have created after installing mysql-server.
> [..]
> > MySQL documentation recommends dropping these permissions and
> > the "test" database.
> > http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html ,
> > section "Securing Test Databases".
> > 
> > mysql-server-5.1 in squeeze didn't setup these permissions and
> > didn't create the test database, the debian patches
> > 33_scripts__mysql_create_system_tables__no_test.dpatch and
> > 41_scripts__mysql_install_db.sh__no_test.dpatch removed the code
> > from /usr/bin/mysql_install_db and /usr/share/mysql/mysql_system_tables.sql .
> > 
> > Please re-add these patches to mysql-server-5.5 and include some code
> 
> 
> > in the pre/postinst script to remove these permissions and the
> > "test" database on current installations.
> 
> I don't think we should do that.
> 
> What if people *do* have a real-world test db on some test system? A
> DROP DATABASE would then simply be dataloss.
> (Never understimate "weird" paths/names (learned that myself the hard way
> once)
> 
> One could argue about the permission thing, but then again, if it's some
> test-system with a test database....

Indeed, this will not be done, apologies for having that in the
bug report. In the advisory I will write:

> Existing databases and permissions are not touched. Please refer to
> the NEWS file provided with this update for further information.

So the update will not touch existing permissions and databases.

Regards,
Salvatore
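Since the update leaves existing installations alone, the clean-up falls to the administrator. The following SQL is an added example, not code from the bug report or the Debian package: it audits and revokes the anonymous grants quoted in the first message while deliberately not dropping the "test" database, which was the objection above. It assumes an administrative connection to a MySQL 5.5 server running with the default sql_mode, so backslash escapes in string literals are honoured.

```sql
-- Added example (not part of the bug report or the Debian package).
-- Assumes an administrative connection (e.g. `mysql -u root -p`) to a
-- MySQL 5.5 server with the default sql_mode, so '\\' in a string
-- literal produces a single backslash.

-- 1. Audit: which anonymous accounts exist (User = ''), and what
--    database-level grants do they hold?  On a stock mysql_install_db
--    setup the second query returns the two rows quoted in the report:
--    Db = 'test' and Db = 'test\_%'.  The backslash makes the '_'
--    literal, so the pattern matches every database named "test_...".
SELECT Host, User FROM mysql.user WHERE User = '';
SELECT Host, User, Db FROM mysql.db WHERE User = '';

-- 2. Revoke only the anonymous test grants.  Restricting on User = ''
--    as well as on Db leaves grants that a DBA gave to named accounts on
--    their own test_* databases untouched.  'test\\_%' is the stored
--    value 'test\_%' written as a MySQL string literal.
DELETE FROM mysql.db
 WHERE User = ''
   AND Db IN ('test', 'test\\_%');

-- 3. Remove the passwordless anonymous accounts themselves.  Note what
--    this does NOT do: there is no DROP DATABASE, so a real "test"
--    database and its data survive.
DELETE FROM mysql.user WHERE User = '';

-- 4. Reload the in-memory grant tables; direct DELETEs on the grant
--    tables are not seen by the running server until this is done.
FLUSH PRIVILEGES;

-- 5. Verify: both queries should now return an empty set.
SELECT Host, User FROM mysql.user WHERE User = '';
SELECT Host, User, Db FROM mysql.db WHERE User = '';
```

Run the audit queries first on any server that has been upgraded rather than freshly installed, since the package update itself does not touch these rows.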

Marked as fixed in versions 5.5.33+dfsg-0+wheezy1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Dec 2013 16:27:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>:
Bug#732306; Package mysql-5.5. (Mon, 16 Dec 2013 16:33:07 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>. (Mon, 16 Dec 2013 16:33:07 GMT)

Message #22 received at 732306@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 732306@bugs.debian.org
Subject: Re: Bug#732306: mysql-5.5: installation creates database test and sets up insecure database permissions
Date: Mon, 16 Dec 2013 17:31:15 +0100
Hi

Attached are the slightly adjusted patches applied to the
wheezy-security upload (needed also to disable three further tests,
see debian/changelog).

Probably this can also be fixed without having to disable the three
additional tests though.

Hope this helps for the further update.

Regards,
Salvatore
[33_scripts__mysql_create_system_tables__no_test.patch (text/x-diff, attachment)]
[41_scripts__mysql_install_db.sh__no_test.patch (text/x-diff, attachment)]
[50_mysql-test__db_test.patch (text/x-diff, attachment)]

Added tag(s) pending. Request was from James Downing Page <jamespage@moszumanska.debian.org> to control@bugs.debian.org. (Fri, 17 Jan 2014 16:00:26 GMT)

Reply sent to James Page <jamespage@debian.org>:
You have taken responsibility. (Sat, 18 Jan 2014 22:21:25 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 18 Jan 2014 22:21:25 GMT)

Message #29 received at 732306-close@bugs.debian.org:

From: James Page <jamespage@debian.org>
To: 732306-close@bugs.debian.org
Subject: Bug#732306: fixed in mysql-5.5 5.5.35+dfsg-1
Date: Sat, 18 Jan 2014 22:20:03 +0000
Source: mysql-5.5
Source-Version: 5.5.35+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mysql-5.5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 732306@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Page <jamespage@debian.org> (supplier of updated mysql-5.5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 18 Jan 2014 21:38:18 +0000
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 mysql-server mysql-client mysql-testsuite-5.5 mysql-source-5.5
Architecture: source all amd64
Version: 5.5.35+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
Changed-By: James Page <jamespage@debian.org>
Description: 
 libmysqlclient-dev - MySQL database development files
 libmysqlclient18 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - PIC version of MySQL embedded server development files
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-5.5 - MySQL database client binaries
 mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-5.5 - MySQL database server binaries and system database setup
 mysql-server-core-5.5 - MySQL database server binaries
 mysql-source-5.5 - MySQL source
 mysql-testsuite-5.5 - MySQL testsuite
Closes: 711600 732306
Changes: 
 mysql-5.5 (5.5.35+dfsg-1) unstable; urgency=low
 .
   [ Clint Byrum ]
   * Drop creation of insecure database permissions (Closes: #732306):
     - d/p/33_scripts__mysql_create_system_tables__no_test.patch,
       d/p/41_scripts__mysql_install_db.sh__no_test.patch,
       d/p/50_mysql-test__db_test.patch: Restored from mysql-5.1
       package, inadvertently dropped in 5.5 transition. This
       removes the global anonymous access to the database which
       is a security concern.
 .
   [ James Page ]
   * New upstream release:
     - d/p/fix-racey-rpltests.patch: Dropped - no longer required.
     - d/p/50_mysql-test__db_test.patch: Add extra permissions to
       mysql-run-tests.pl for test_% accounts, fixing failing tests.
     - d/p/*: Refreshed patches.
     - SECURITY UPDATE:
       http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
       - CVE-2013-5891
       - CVE-2013-5908
       - CVE-2014-0386
       - CVE-2014-0393
       - CVE-2014-0401
       - CVE-2014-0402
       - CVE-2014-0412
       - CVE-2014-0420
       - CVE-2014-0437
   * Sync changes from NMU 5.5.33+dfsg-0+wheezy1:
     - d/NEWS: Add NEWS file to document changes needed to existing databases
       to drop insecure database permissions.
     - SECURITY UPDATE: Insecure creation of the credential file debian.cnf.
       - d/mysql-server-5.5.postinst: Set umask to 066 before creating
         debian.cnf file (Closes: #711600).
       - CVE-2013-2162
     - d/copyright: Update copyright years for upstream files.
   * d/control: Update VCS field for new git location.
   * d/control: Add myself to Uploaders.
   * d/*: Wrap and sort.
   * d/control: Bumped Standards-Version, no changes.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Mar 2014 07:25:44 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:04:04 2014; Machine Name: buxtehude.debian.org
