Ravens PHP Scripts

MySQL MERGE Table Privilege Revoke Bypass
Date: Tuesday, August 01, 2006 @ 20:27:33 CDT
Topic: Security


TITLE: MySQL MERGE Table Privilege Revoke Bypass

SECUNIA ADVISORY ID: SA21259

VERIFY ADVISORY: http://secunia.com/advisories/21259/

CRITICAL: Not critical

IMPACT: Security Bypass

WHERE: From local network

SOFTWARE:
MySQL 5.x - http://secunia.com/product/8355/
MySQL 4.x - http://secunia.com/product/404/
MySQL 3.x - http://secunia.com/product/99/

DESCRIPTION: Peter Gulutzan has reported a vulnerability in MySQL, which can be exploited by malicious users to bypass certain security restrictions.

The vulnerability is caused by a design error in the user privilege verification for MERGE tables. This can be exploited to keep access to a table through a MERGE table created in advance, even after the privileges for the table have been revoked.

SOLUTION:
MySQL 4.1.x: Update to version 4.1.21.
MySQL 5.x: The vulnerability has been fixed in the CVS repository and will also be fixed in the upcoming 5.0.24 version.
Grant only trusted users access to the database.
NOTE: The vulnerability has been fixed by introducing the "--skip-merge" command line option which disables the MERGE storage engine.

PROVIDED AND/OR DISCOVERED BY: Peter Gulutzan

ORIGINAL ADVISORY: MySQL:
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-24.html
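
An audit check for the condition described above, added here as an example (it is not part of the Secunia advisory or of MySQL): before revoking privileges on a table, list any MERGE tables that already map onto it. It assumes you have collected SHOW CREATE TABLE output per table; the schema and table names and the DDL strings below are constructed sample data.

```python
import re

# Constructed SHOW CREATE TABLE output, keyed by (schema, table). Sample data only.
SAMPLE_DDL = {
    ("app", "orders_all"): (
        "CREATE TABLE `orders_all` (\n  `id` int(11) NOT NULL\n"
        ") ENGINE=MRG_MyISAM DEFAULT CHARSET=latin1 INSERT_METHOD=LAST "
        "UNION=(`orders_2005`,`archive`.`orders_2004`)"
    ),
    ("app", "orders_2005"): (
        "CREATE TABLE `orders_2005` (\n  `id` int(11) NOT NULL\n"
        ") ENGINE=MyISAM DEFAULT CHARSET=latin1"
    ),
}

# Older servers print TYPE= instead of ENGINE= in the table options.
ENGINE_RE = re.compile(r"\)\s*(?:ENGINE|TYPE)=(\w+)", re.IGNORECASE)
UNION_RE = re.compile(r"UNION=\(([^)]*)\)", re.IGNORECASE)
NAME_RE = re.compile(r"(?:`([^`]+)`\.)?`([^`]+)`")


def merge_children(db, ddl):
    """Return the (schema, table) pairs a MERGE table maps onto, else an empty set."""
    engine = ENGINE_RE.search(ddl)
    if not engine or engine.group(1).upper() != "MRG_MYISAM":
        return set()
    union = UNION_RE.search(ddl)
    if not union:
        return set()
    # Unqualified names resolve to the MERGE table's own schema.
    return {(schema or db, table) for schema, table in NAME_RE.findall(union.group(1))}


def merge_tables_exposing(target, ddl_by_table):
    """List MERGE tables whose UNION list includes target, a (schema, table) pair."""
    return sorted(
        key for key, ddl in ddl_by_table.items()
        if target in merge_children(key[0], ddl)
    )


if __name__ == "__main__":
    for target in [("app", "orders_2005"), ("archive", "orders_2004")]:
        print(target, "<-", merge_tables_exposing(target, SAMPLE_DDL))
```

Any MERGE table this reports for a table you are about to revoke should be reviewed or dropped as part of the revocation.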







This article comes from Ravens PHP Scripts
https://www.ravenphpscripts.com

The URL for this story is:
https://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=2289