CVE-2007-2692

Priority
Medium
Description
The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before
5.1.18 does not restore THD::db_access privileges when returning from SQL
SECURITY INVOKER stored routines, which allows remote authenticated users
to gain privileges.
References
Bugs
Notes
jdstrand> very large complicated patch that requires many changes to the
source and does not apply cleanly at all to feisty's 5.0.38, let alone
to edgy and dapper. Trying to backport this fix would more than likely cause
larger problems than not fixing it. Currently discussing a one-time
MicroVersionUpdate option. May have to "wont-fix" and give an updated
pacakge in -backports.
jdstrand> per pitti et al, too many changes for a MicroVersionUpdate
jdstrand> patch now in etch (5.0.32-7etch3), but causes several test cases to
fail on dapper through feisty (TODO: test etch)
jdstrand> etch patch left out both the test cases and patch to sql/sql_db.cc.
If add the test cases then etch fails
Assigned-to
jdstrand
Package
Upstream:released (5.0.40)
Ubuntu 8.04 LTS (Hardy Heron):released (5.0.45-1ubuntu2)
Patches:
Vendor:debian etch (5.0.32-7etch3)
More Information

Valid XHTML 1.0 Strict

Updated: 2012-06-01 15:17:54 UTC (commit 5347)