Description:
Right now a UDF can be created from any library in any part of the server LD path. This was supposed to be fixed to only allow it from lib/mysql. It is a security issue that you can do this (and has been exploited in the past).

I and Sergei spoke about this, and both of us believed it had been fixed in 5.1. Upon examining the code it has not been fixed. 

How to repeat:
Load any library that the server has access to and declare a function from one of its exportable routines.

Suggested fix:
Fix it so that UDF's can only be loaded from lib/mysql. You will need to update the code in sql_udf.cc to do this. The suggestion is to only fix this in 5.1, since it has behavior changes.

Thank you for a problem report.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/26979

ChangeSet@1.2519, 2007-05-18 16:23:46+05:00, svoj@mysql.com +5 -0
  BUG#28341 - Security issue still in library loading
  
  UDF can be created from any library in any part of the server
  LD_LIBRARY_PATH.
  
  Allow to load udfs only from plugin_dir.
  On windows, refuse to open udf in case it's path contains a slash.
  
  No good test case for this bug because of imperfect error message
  that includes error code and error string when it fails to dlopen a
  library.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/27056

ChangeSet@1.2521, 2007-05-21 11:34:39+05:00, svoj@mysql.com +2 -0
  Addition to fix for
  BUG#28341 - Security issue still in library loading
  
  Added required option files to rpl_udf test.

Pushed into 5.1.19-beta

Noted in 5.1.19 changelog.

Security fix: UDFs are supposed to be loadable only from the plugin
directory, but this restriction was not being enforced.