Bug #23675 Partitions: possible security breach via alter
Submitted: 26 Oct 2006 17:10 Modified: 11 Apr 2007 2:28
Reporter: Peter Gulutzan Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Partitions Severity:S3 (Non-critical)
Version:5.1.13-beta-debug OS:Linux (SUSE 10.0 / 64-bit)
Assigned to: Alexey Botchkov

[26 Oct 2006 17:10] Peter Gulutzan
Description:
If user 'molly' has ALTER privilege on table1, she can discover what is
in table1 even though she has no SELECT privileges. For example she says:
ALTER TABLE table1 PARTITION BY LIST (column1) (PARTITION x VALUES IN (0));
MySQL helpfully returns an error message:
"Table has no partition for value 18".
So now Molly knows there is a row where column1 = 18.

It is arguable that this is not a partition-specific bug, since
users with ALTER privileges have always been able to discover
some information about the value range. I argue that this is
more serious because it's easier to get exact values.

How to repeat:
As user root, say:

mysql> create table tu (s1 int);
Query OK, 0 rows affected (0.00 sec)

mysql> insert into tu values (1);
Query OK, 1 row affected (0.00 sec)

mysql> grant alter on tu to molly@localhost;
Query OK, 0 rows affected (0.01 sec)

As user molly@localhost, say:

mysql> select * from tu;
ERROR 1142 (42000): SELECT command denied to user 'molly'@'localhost' for table 'tu'
mysql> alter table tu partition by list (s1) (partition p1 values in (1));
Query OK, 1 row affected (0.05 sec)
Records: 1  Duplicates: 0  Warnings: 0

mysql> alter table tu partition by list (s1) (partition p1 values in (2));
ERROR 1513 (HY000): Table has no partition for value 1
[30 Oct 2006 14:11] Miguel Solorzano
Thank you for the bug report. Verified on Suse 10 32-bit.

mysql> create table tu (s1 int);
Query OK, 0 rows affected (0.00 sec)

mysql> insert into tu values (1);
Query OK, 1 row affected (0.00 sec)

mysql> grant alter on dx.tu to molly@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> select * from tu;
ERROR 1142 (42000): SELECT command denied to user 'molly'@'localhost' for table 'tu'
mysql> alter table tu partition by list (s1) (partition p1 values in (1));
Query OK, 1 row affected (0.02 sec)
Records: 1  Duplicates: 0  Warnings: 0

mysql> alter table tu partition by list (s1) (partition p1 values in (2));
ERROR 1513 (HY000): Table has no partition for value 1
mysql>
[12 Mar 2007 19:07] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21765

ChangeSet@1.2477, 2007-03-12 23:07:30+04:00, holyfoot@mysql.com +7 -0
  Bug #23675 Partitions: possible security breach via alter
  
  Now we select error message depending on user acess rights
[4 Apr 2007 10:02] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/23764

ChangeSet@1.2506, 2007-04-04 14:01:47+05:00, holyfoot@mysql.com +7 -0
   Bug #23675 Partitions: possible security breach via alter
  now we return different error message if user doesn't have
  SELECT grants
[9 Apr 2007 12:41] Bugs System
Pushed into 5.1.18-beta
[11 Apr 2007 2:28] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented as security fix in 5.1.18 changelog.