Bug #28341 Security issue still in library loading
Submitted: 9 May 2007 22:01
Modified: 27 May 2007 18:15
Reporter: Brian Aker
Status: Closed
Category: MySQL Server: User-defined functions (UDF)
Severity: S1 (Critical)
Version: any
OS: Any
Assigned to: Sergey Vojtovich
CPU Architecture: Any

[9 May 2007 22:01] Brian Aker
Description:
Right now a UDF can be created from any library in any part of the server LD path. This was supposed to be fixed to only allow it from lib/mysql. It is a security issue that you can do this (and has been exploited in the past).

Sergei and I spoke about this, and both of us believed it had been fixed in 5.1. Upon examining the code, it has not been fixed.

How to repeat:
Load any library that the server has access to and declare a function from one of its exportable routines.

Suggested fix:
Fix it so that UDFs can only be loaded from lib/mysql. You will need to update the code in sql_udf.cc to do this. The suggestion is to only fix this in 5.1, since it has behavior changes.
[10 May 2007 5:52] Valeriy Kravchuk
Thank you for a problem report.
[18 May 2007 12:21] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/26979

ChangeSet@1.2519, 2007-05-18 16:23:46+05:00, svoj@mysql.com +5 -0
  BUG#28341 - Security issue still in library loading
  
  UDF can be created from any library in any part of the server
  LD_LIBRARY_PATH.
  
  Allow to load udfs only from plugin_dir.
  On Windows, refuse to open udf in case its path contains a slash.
  
  No good test case for this bug because of imperfect error message
  that includes error code and error string when it fails to dlopen a
  library.
[21 May 2007 7:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/27056

ChangeSet@1.2521, 2007-05-21 11:34:39+05:00, svoj@mysql.com +2 -0
  Addition to fix for
  BUG#28341 - Security issue still in library loading
  
  Added required option files to rpl_udf test.
[24 May 2007 7:05] Bugs System
Pushed into 5.1.19-beta
[27 May 2007 18:15] Paul DuBois
Noted in 5.1.19 changelog.

Security fix: UDFs are supposed to be loadable only from the plugin
directory, but this restriction was not being enforced.
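
The restriction described in ChangeSet 1.2519 (load UDFs only from plugin_dir, refuse names containing a slash) can be sketched as below. This is an added example, not the code committed to sql_udf.cc; udf_build_path and the sample directory are hypothetical, and it goes slightly beyond the commit message by refusing both '/' and '\' on every platform.

```c
#include <stdio.h>
#include <string.h>

/*
 * Build the only path a UDF library may be loaded from: plugin_dir/soname.
 * Returns 0 and fills `out` on success, -1 if the name is rejected.
 * Hypothetical helper for illustration; not a function from sql_udf.cc.
 */
int udf_build_path(const char *plugin_dir, const char *soname,
                   char *out, size_t outlen)
{
    size_t dlen;
    int n;

    if (!plugin_dir || !soname || !out || !*plugin_dir || !*soname)
        return -1;

    /* A bare file name only: any separator could point outside plugin_dir.
       Both '/' and '\\' are refused on every platform here. */
    if (strchr(soname, '/') || strchr(soname, '\\'))
        return -1;
    if (strcmp(soname, ".") == 0 || strcmp(soname, "..") == 0)
        return -1;

    /* Always hand the loader a full path. dlopen() searches the library
       path only when the name contains no slash, so a joined path keeps
       it from resolving the name anywhere else. */
    dlen = strlen(plugin_dir);
    n = snprintf(out, outlen, "%s%s%s", plugin_dir,
                 plugin_dir[dlen - 1] == '/' ? "" : "/", soname);
    if (n < 0 || (size_t)n >= outlen)
        return -1;               /* truncated path: refuse, do not load */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; the directory is a placeholder. */
    const char *names[] = { "udf_example.so", "../libc.so.6",
                            "/lib/libc.so.6", "..\\other.dll" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (udf_build_path("/opt/mysql/lib/plugin", names[i], path, sizeof path) == 0)
            printf("load   %s\n", path);
        else
            printf("reject %s\n", names[i]);
    }
    return 0;
}
```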