CVE-2007-2692

Priority
Medium
Description
The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before
5.1.18 does not restore THD::db_access privileges when returning from SQL
SECURITY INVOKER stored routines, which allows remote authenticated users
to gain privileges.
References
Bugs
Notes
 jdstrand> very large complicated patch that requires many changes to the
  source and does not apply cleanly at all to feisty's 5.0.38, let alone
  to edgy and dapper. Trying to backport this fix would more than likely cause
  larger problems than not fixing it. Currently discussing a one-time
  MicroVersionUpdate option. May have to "wont-fix" and give an updated
  pacakge in -backports.
 jdstrand> per pitti et al, too many changes for a MicroVersionUpdate
 jdstrand> patch now in etch (5.0.32-7etch3), but causes several test cases to
  fail on dapper through feisty (TODO: test etch)
 jdstrand> etch patch left out both the test cases and patch to sql/sql_db.cc.
  If add the test cases then etch fails
Assigned-to
jdstrand
Package
Upstream:released (5.0.40)
Patches:
Vendor:debian etch (5.0.32-7etch3)
More Information

Valid XHTML 1.0 Strict

Updated: 2015-07-29 20:29:39 UTC (commit 9756)