#########################################################

MySQL mysql_install_db data manipulation

Vendor: http://www.mysql.com
Advisory: http://www.zataz.net/adviso/mysql-05172005.txt
Vendor informed: yes
Exploit available: no
Impact : low
Exploitation : low

#########################################################

MySQL contains a security flaw that could allow a malicious local attacker
to inject arbitrary SQL commands during the database creation process.

For example:

A malicious local attacker could create a MySQL account accessible from
local (or everywhere) with ALL privileges on all databases.

##########
Versions:
##########

MySQL < 4.1.12 > 4.1.x
MySQL <= 5.0.4

##########
Solution:
##########

For MySQL 4.1.x, update to the new version 4.1.12.
MySQL 5.0.4 is still vulnerable.

#########
Timeline:
#########

Discovered : 2005-05-07
Vendor notified : 2005-05-09
Vendor response : 2005-05-09
Vendor fix : 2005-05-17
Disclosure : 2005-05-17

#####################
Technical details :
#####################

mysql_install_db writes its bootstrap SQL to a temporary file in /tmp
whose name is predictable ($$ is the process ID of the script):

  tmp_file=/tmp/mysql_install_db.$$

Then, on lines 226 to 229:

  echo "use mysql;" > $tmp_file
  cat $tmp_file $fill_help_tables | eval "$mysqld_install_cmd_line"
  res=$?
  rm $tmp_file

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thanks to the Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)
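
Added example (not part of the original advisory and not MySQL's own code): two ways to avoid the predictable scratch file shown in the technical details, plus a check that rejects a scratch file other local users could have planted or can modify. The function names bootstrap_stream, make_private_tmp and tmp_is_private are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not MySQL's code. Function names are assumptions.

# Pattern from the advisory, kept as a comment for comparison:
#   tmp_file=/tmp/mysql_install_db.$$      # guessable name: $$ is the shell PID
#   echo "use mysql;" > $tmp_file          # reuses whatever already sits at that path
#   cat $tmp_file $fill_help_tables | eval "$mysqld_install_cmd_line"

# Option 1: no scratch file at all. The SQL is generated straight into the
# pipe, so nothing is left on disk for another local user to touch.
# Usage: bootstrap_stream "$fill_help_tables" | eval "$mysqld_install_cmd_line"
bootstrap_stream() {
    echo "use mysql;"
    cat "$1"
}

# Option 2: when a scratch file is unavoidable, let mktemp choose an
# unpredictable name and create it atomically with mode 0600. If something
# already exists at the chosen path, creation fails instead of reusing it.
make_private_tmp() {
    ( umask 077 && mktemp "${TMPDIR:-/tmp}/mysql_install_db.XXXXXXXXXX" )
}

# Pre-use check: accept the file only if it is a regular file (not a
# symlink), owned by the current user, with no group/other permission bits.
tmp_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```
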