Bug #25578 CREATE TABLE LIKE does not require any privileges on source table.
Submitted: 12 Jan 2007 12:22 Modified: 7 Jun 2007 18:31
Reporter: Dmitri Lenev
Status: Closed
Category: Server Severity: S3 (Non-critical)
Version: 4.1.23-bk, 5.0.34-bk, 5.1.15-bk OS: Linux (SUSE 10.0/Any)
Assigned to: Dmitri Lenev Target Version:

[12 Jan 2007 12:22] Dmitri Lenev
Description:
CREATE TABLE LIKE does not require any privileges on source table.

Although the documentation does not say explicitly that it should require any privileges on
the source table, this IMO should still be considered a bug,
as such behavior allows circumventing privilege checks in SHOW CREATE TABLE/I_S tables.

How to repeat:
# Here is the script for MySQL's test suite which demonstrates problem
create database mysqltest;
use mysqltest;
create table t1 (i int);
# Connect as anonymous user (which has rights on 'test' database)
connect (user1,localhost,,,);
connection user1;
use test;
# As expected error is emitted
--error 1044
show create table mysqltest.t1;
create table t1 like mysqltest.t1;
# Oops... we have circumvented privilege check...
show create table t1;
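
The check the report describes as missing, as an added example (not part of the original report or of MySQL's code): a small Python audit that flags CREATE TABLE ... LIKE statements whose source table the issuing user holds no grant on. The record format, the grants map and the user names are constructed for illustration and are not a real MySQL log or grant-table format.

```python
import re

# Matches: CREATE [TEMPORARY] TABLE [IF NOT EXISTS] target LIKE source
# and the parenthesised form: CREATE TABLE target (LIKE source)
_LIKE_RE = re.compile(
    r"^\s*create\s+(?:temporary\s+)?table\s+(?:if\s+not\s+exists\s+)?"
    r"(?P<target>[`\w.]+)\s*\(?\s*like\s+(?P<source>[`\w.]+)",
    re.IGNORECASE,
)

def split_name(name, default_db):
    """Return (schema, table) for a possibly qualified, possibly quoted name."""
    parts = [p.strip("`") for p in name.split(".")]
    return (parts[0], parts[1]) if len(parts) == 2 else (default_db, parts[0])

def has_any_privilege(grants, user, schema, table):
    """True if the user holds a global, schema-level or table-level grant."""
    held = grants.get(user, set())
    return bool(held & {"*.*", f"{schema}.*", f"{schema}.{table}"})

def find_unauthorised_like(records, grants):
    """Flag CREATE TABLE ... LIKE whose source table the user has no grant on."""
    findings = []
    for user, default_db, stmt in records:
        m = _LIKE_RE.match(stmt)
        if not m:
            continue  # not a CREATE TABLE ... LIKE statement
        schema, table = split_name(m.group("source"), default_db)
        if not has_any_privilege(grants, user, schema, table):
            findings.append((user, f"{schema}.{table}"))
    return findings

# Constructed sample data mirroring the report's scenario:
# "anon" stands in for the anonymous user with rights on 'test' only.
GRANTS = {"anon": {"test.*"}, "app": {"test.*", "mysqltest.t1"}}
RECORDS = [  # (user, default schema, statement)
    ("anon", "test", "show create table mysqltest.t1"),
    ("anon", "test", "create table t1 like mysqltest.t1"),
    ("anon", "test", "CREATE TABLE t2 LIKE t1"),
    ("app", "test", "create table `copy` like `mysqltest`.`t1`"),
]

if __name__ == "__main__":
    for user, source in find_unauthorised_like(RECORDS, GRANTS):
        print(f"{user}: CREATE TABLE LIKE on {source} without privileges")
```
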
[31 Jan 2007 22:06] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/19127

ChangeSet@1.2379, 2007-02-01 00:05:29+03:00, dlenev@mockturtle.local +14 -0
  Tentative fix for bugs #18950 "create table like does not obtain
  LOCK_open", #23667 "CREATE TABLE LIKE is not isolated from alteration
  by other connections" and bug #25578 "CREATE TABLE LIKE does not
  require any privileges on source table".
  
  Concurrent execution of CREATE TABLE LIKE statement and DDL statements
  on source table or DML/DDL statements on its target table could result
  in various errors in these statements and wrong order of statements in
  binlog.  
  
  These problems were caused by incomplete protection/table-locking against
  concurrent statements implemented in mysql_create_like_table() routine.
  
  This fix simply implements such protection in proper way:
  
  We keep source table open during whole operation and place copying
  of .frm file, call to ha_create_table() and writing to binlog into
  one critical section protected by LOCK_open mutex. While former
  gives us protection against concurrent DDL on source table; the latter
  protects from DDL and DML on target table.
  
  It also removes some duplicated code from mysql_create_like_table().
  
  Questions for reviewers are marked by QQ.
[1 Jun 2007 21:20] Bugs System
Pushed into 5.0.44
[1 Jun 2007 21:25] Bugs System
Pushed into 5.1.20-beta
[7 Jun 2007 18:31] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of
that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version,
including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented security fix in 5.0.44 and 5.1.20 changelogs.
[20 Jul 2007 18:12] Paul DuBois
CVE number has been assigned:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3781