Bug #53804 serious flaws in the alter database .. upgrade data directory name command
Submitted: 19 May 2010 13:35
Modified: 14 Oct 2010 15:24
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: DDL
Severity: S1 (Critical)
Version: 5.1.46, 5.1.48-bzr, 5.6.99-m4
OS: Any
Assigned to: Gleb Shchepa
CPU Architecture: Any
Tags: DoS
Triage: Needs Triage: D1 (Critical)

[19 May 2010 13:35] Shane Bester
Description:
A user with privileges to run ALTER DATABASE can render the entire datadir unusable by causing the server to move it into a new subdirectory (binlogs, general log, all data).

How to repeat:
alter database `#mysql50#:` upgrade data directory name;
alter database `#mysql50#.` upgrade data directory name; #crashes debug server

#now look at the datadir...
[19 May 2010 13:41] Geert Vanderkelen
Verified on Mac using 5.1.46.
[19 May 2010 13:50] Shane Bester
alter database `#mysql50#../` upgrade data directory name;

will move parent of datadir!
[28 May 2010 6:15] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100524190136-egaq7e8zgkwb9aqi) (version source revid:alik@sun.com-20100524190136-egaq7e8zgkwb9aqi) (pib:16)
[28 May 2010 6:42] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100524190941-nuudpx60if25wsvx) (version source revid:alik@sun.com-20100524190409-5w4l7mje1wk1c90l) (merge vers: 6.0.14-alpha) (pib:16)
[28 May 2010 7:10] Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100524185725-c8k5q7v60i5nix3t) (version source revid:alexey.kopytov@sun.com-20100523204118-0tl3goawu658rxh6) (merge vers: 5.5.5-m3) (pib:16)
[2 Jun 2010 8:50] Bugs System
Pushed into 5.1.48 (revid:georgi.kodinov@oracle.com-20100602084411-2yu607bslbmgufl3) (version source revid:mattias.jonsson@sun.com-20100523160833-4jo3kb82hd4jhr39) (merge vers: 5.1.47) (pib:16)
[11 Jun 2010 5:17] Shane Bester
see also bug #54414
[15 Jun 2010 5:52] Sveta Smirnova
Bug #54414 was marked as duplicate of this one.
[18 Jun 2010 0:05] Paul Dubois
Noted in 5.1.48, 5.5.5, 6.0.14 changelogs.

MySQL incorrectly processed ALTER DATABASE `#mysql50#<special>`
UPGRADE DATA DIRECTORY NAME where <special> was ., .., or a sequence
starting with ./ or ../. It used the server data directory (that
contains other regular databases) as the database directory.
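
The name check implied by the changelog entry above, as an added example (not MySQL's actual patch and not code from this report): a C function that classifies the part of an identifier after `#mysql50#`. The function, enum and sample names are hypothetical, and rejecting a path separator anywhere in the name is a stricter assumption than the changelog's "starting with ./ or ../".

```c
#include <stdio.h>
#include <string.h>

#define LEGACY_PREFIX "#mysql50#"

/* Hypothetical result codes for this example. */
enum name_check { NAME_OK, NAME_NO_PREFIX, NAME_EMPTY, NAME_DOT_ENTRY, NAME_HAS_SEPARATOR };

/* Classify an identifier given to
   ALTER DATABASE ... UPGRADE DATA DIRECTORY NAME.
   Only NAME_OK means the suffix can name a single directory that sits
   directly under the data directory. */
enum name_check check_legacy_db_name(const char *ident)
{
    size_t plen = strlen(LEGACY_PREFIX);
    if (strncmp(ident, LEGACY_PREFIX, plen) != 0)
        return NAME_NO_PREFIX;

    const char *name = ident + plen;
    if (*name == '\0')
        return NAME_EMPTY;          /* would resolve to the data directory */

    /* "." is the data directory itself, ".." is its parent. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return NAME_DOT_ENTRY;

    /* Assumption: a database directory name never contains a separator,
       so "./x", "../" and "a/../b" are all refused. */
    if (strpbrk(name, "/\\") != NULL)
        return NAME_HAS_SEPARATOR;

    return NAME_OK;
}

int main(void)
{
    /* Constructed inputs: the special forms named in the changelog plus
       one ordinary legacy name and one name without the prefix. */
    static const char *samples[] = { "#mysql50#.", "#mysql50#..", "#mysql50#../",
                                     "#mysql50#./x", "#mysql50#a-b-c", "a-b-c" };
    static const char *labels[] = { "ok", "no prefix", "empty", "dot entry", "separator" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i], labels[check_legacy_db_name(samples[i])]);
    return 0;
}
```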
[28 Jun 2010 7:01] Sveta Smirnova
There is a duplicate bug #54830

Maybe make this fixed bug open as we have 2 public duplicates already?
[6 Jul 2010 19:05] Paul Dubois
Noted in 5.1.46sp1 changelog.
[8 Jul 2010 18:54] Bugs System
Pushed into 5.1.49 (revid:sunanda.menon@sun.com-20100708184626-16el4v8gjjci6m1r) (version source revid:sunanda.menon@sun.com-20100708184626-16el4v8gjjci6m1r) (merge vers: 5.1.49) (pib:16)
[13 Jul 2010 13:27] Alexandre Couturier
Hello everybody,
Can anyone tell me which MySQL releases are affected by the ALTER DATABASE bug?
Just the 5.x, or all releases from 3.x to 5.1.47?

Thank you for your answer
[14 Jul 2010 4:07] Edward Yang
While this is marked a critical security bug, for most MySQL installations the behavior is innocuous: non-administrative users usually only get *.* privileges granted on specific databases, but running ALTER DATABASE `mytable` UPGRADE DATA DIRECTORY, while auth'ed, will not do anything interesting (since there is no #mysql50# prefix). So unless you've explicitly granted *.* privileges to one of the misbehaving database names, or you're worried about users with * privileges DOSing your server (which, if you are, you have much bigger problems), no action is necessary.
[18 Jul 2010 22:23] Gleb Shchepa
[13 Jul 15:27] Alexandre Couturier
> Hello everybody,
> Can anyone tell me which MySQL releases are affected by the ALTER DATABASE bug?
> Just the 5.x, or all releases from 3.x to 5.1.47?

Alexandre,

Please look at the "Version:" line in this page's header for the minimal affected version numbers:

Version:	5.1.46, 5.1.48-bzr, 5.6.99-m4

I.e. 5.0 is not affected, only 5.1+
[4 Aug 2010 8:11] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804080001-bny5271e65xo34ig) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 8:27] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804081533-c1d3rbipo9e8rt1s) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 9:05] Bugs System
Pushed into mysql-next-mr (revid:alik@ibmvm-20100804081630-ntapn8bf9pko9vj3) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (pib:20)
[4 Aug 2010 22:46] Paul Dubois
Bug does not appear in any released 5.6.x version.
[14 Oct 2010 8:39] Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (merge vers: 5.1.51-ndb-7.0.20) (pib:21)
[14 Oct 2010 8:54] Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (merge vers: 5.1.51-ndb-6.3.39) (pib:21)
[14 Oct 2010 9:11] Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (merge vers: 5.1.51-ndb-6.2.19) (pib:21)
[14 Oct 2010 15:24] Jon Stephens
Already documented as noted; no new changelog entries required. Setting back to Closed state.