Bug #18897 Events: unauthorized action possible with alter event rename
Submitted: 7 Apr 2006 18:01 Modified: 28 Jun 2006 7:04
Reporter: Peter Gulutzan
Status: Closed
Category: MySQL Server: Stored Routines    Severity: S3 (Non-critical)
Version: 5.1.9-beta-debug    OS: Linux (SUSE 10.0)
Assigned to: Andrey Hristov    CPU Architecture: Any

[7 Apr 2006 18:01] Peter Gulutzan
Description:
ALTER EVENT ... RENAME TO database1 . event_name
allows me to put an event in database1, even though I
have no privileges for database1.

How to repeat:
Assume the existence of two databases, database1 and database2.

As user root, say:

GRANT EVENT ON database1.* TO carmen@localhost;

As carmen@localhost, after USE database1, say:

mysql> create event ee on schedule every 1 second do set @a=5;
Query OK, 1 row affected (0.00 sec)

mysql> alter event ee rename to database2.ee;
Query OK, 1 row affected (0.00 sec)
[7 Apr 2006 18:16] MySQL Verification Team
Thank you for the bug report.
[5 May 2006 11:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/6006
[5 May 2006 11:34] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/6007
[15 Jun 2006 17:18] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/7714
[23 Jun 2006 15:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/8147
[23 Jun 2006 15:29] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/8150
[27 Jun 2006 16:18] Andrey Hristov
Hi,
the fix will appear in 5.1.12.
Moving an event between databases has been possible since the very beginning. Until 5.1.11 (incl.) it was not checked whether the user possesses EVENT_ACL on the target database. In addition, if there was no current database and the following was executed, there was a crash:
ALTER EVENT db1.xyz RENAME TO xyz;
[28 Jun 2006 7:04] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

Documented bugfix in 5.1.12 changelog. Closed.
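
A regression check for this report, as an added example that is not part of the original thread or of MySQL's own test suite: it replays the reporter's statements and then, as root, lists every event that sits in a schema where its definer holds no EVENT privilege. The password is a placeholder, and the audit query assumes privileges are granted directly to accounts, not through roles.

```sql
-- Session 1 (root): set up the scenario from the report.
CREATE DATABASE IF NOT EXISTS database1;
CREATE DATABASE IF NOT EXISTS database2;
CREATE USER 'carmen'@'localhost' IDENTIFIED BY 'placeholder-password';
GRANT EVENT ON database1.* TO 'carmen'@'localhost';  -- nothing on database2

-- Session 2 (carmen@localhost): replay the reporter's statements.
USE database1;
CREATE EVENT ee ON SCHEDULE EVERY 1 SECOND DO SET @a = 5;
ALTER EVENT ee RENAME TO database2.ee;               -- statement under test

-- Session 1 (root): audit query.
-- Lists events whose definer has neither a global nor a schema-level EVENT
-- grant covering the schema the event currently lives in. Events whose
-- definer account no longer exists are listed as well.
SELECT ev.EVENT_SCHEMA, ev.EVENT_NAME, ev.DEFINER
FROM (
    SELECT EVENT_SCHEMA, EVENT_NAME, DEFINER,
           -- DEFINER is stored as user@host, GRANTEE as 'user'@'host'.
           -- Split on the last '@' so user names containing '@' still work.
           CONCAT('''',
                  LEFT(DEFINER,
                       CHAR_LENGTH(DEFINER)
                       - CHAR_LENGTH(SUBSTRING_INDEX(DEFINER, '@', -1)) - 1),
                  '''@''',
                  SUBSTRING_INDEX(DEFINER, '@', -1),
                  '''') AS grantee
    FROM information_schema.EVENTS
) AS ev
WHERE NOT EXISTS (
        SELECT 1
        FROM information_schema.USER_PRIVILEGES AS up
        WHERE up.GRANTEE = ev.grantee
          AND up.PRIVILEGE_TYPE = 'EVENT')
  AND NOT EXISTS (
        SELECT 1
        FROM information_schema.SCHEMA_PRIVILEGES AS sp
        WHERE sp.GRANTEE = ev.grantee
          AND sp.PRIVILEGE_TYPE = 'EVENT'
          -- schema-level grants may name the database with wildcards
          AND ev.EVENT_SCHEMA LIKE sp.TABLE_SCHEMA);

-- Session 1 (root): clean up the test objects.
DROP EVENT IF EXISTS database1.ee;
DROP EVENT IF EXISTS database2.ee;
DROP USER 'carmen'@'localhost';
```

A row showing `database2` with definer `carmen@localhost` means the server accepted the cross-database rename without checking the target database. The same audit query can be run on its own against an existing server to find events that ended up in a schema their definer has no EVENT grant for.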