Mysql woes reloaded

Remember my fun with Mysql?
Got no idea why I didn’t test it more thoroughly:

castor:~# ls -l /dev/null
crw-rw-rw- 1 root root 1, 3 Jul 30 17:41 /dev/null
castor:~# echo $MYSQL_HISTFILE
/dev/null
castor:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 372 to server version: 5.0.22-Debian_2bpo1-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> select version();
+-------------------------+
| version()               |
+-------------------------+
| 5.0.22-Debian_2bpo1-log |
+-------------------------+
1 row in set (0.00 sec)
mysql> Bye
castor:~# ls -l /dev/null
-rw------- 1 root root 52 Jul 30 17:43 /dev/null

WTF?!?!? Can anyone tell me what the hell is wrong with those Mysql-people?

Update: I posted a hint on the mysql-website.

Update2: Apparently the bug is well-known and was fixed eons ago. However, Debian Backports still incorporates the old mysql-client-5.0 package which is still vulnerable to this error.
A deleted /dev/null can seriously screw up your whole system; I noticed it because I couldn’t log into Gnome – and my ~/.xsession-errors said “/etc/gdm/Xsession: line 1: /dev/null: access denied” and such…
So I need to apologize to the Mysql-people: It’s not their fault, they already fixed the problem a while ago.
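
Added example, not part of the original post: a shell check that a path still matches the healthy /dev/null from the first ls -l above, that is a character device 1, 3 with mode 666. The function name check_devnull, the use of Linux stat -c and the mknod repair line are assumptions of this example, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. check_devnull is a name made up
# here; it assumes Linux and a stat that supports -c (GNU coreutils, BusyBox).

# Succeeds only if the path looks like the first "ls -l" in the post:
# a character device with major 1, minor 3 and mode 666.
check_devnull() {
    path=${1:-/dev/null}

    # After the mysql session in the post, /dev/null was a regular file.
    if [ ! -c "$path" ]; then
        echo "FAIL: $path is not a character device" >&2
        return 1
    fi

    # %t and %T print the device major and minor numbers in hex.
    dev=$(stat -c '%t:%T' "$path") || return 1
    if [ "$dev" != "1:3" ]; then
        echo "FAIL: $path has device numbers $dev, expected 1:3" >&2
        return 1
    fi

    # Mode 666 lets unprivileged processes open it; the replaced file in
    # the post was 600 and owned by root.
    mode=$(stat -c '%a' "$path") || return 1
    if [ "$mode" != "666" ]; then
        echo "FAIL: $path has mode $mode, expected 666" >&2
        return 1
    fi

    echo "OK: $path is a character device 1:3 with mode 666"
}

# Check the real node; on failure print the usual Linux repair, to be run as root.
check_devnull /dev/null ||
    echo "repair: rm -f /dev/null && mknod -m 666 /dev/null c 1 3" >&2
```

Run from cron or right after a root mysql session, this catches the replaced node before the next login fails.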

One Response to Mysql woes reloaded

  1. […] A while ago I posted about a security-problem with the current mysql-client package which is included in the Debian-backports repository. I made a comment on the backports-user mailing list and finally got a reply from the package-maintainer – they’re going to include a fixed version tomorrow. […]
