MySQL handler is vulnerable to malicious identifiers
Because MySQL allows database and table names to include arbitrary Unicode characters, a malicious actor could obtain root execution on the system running the MySQL handler.
This is mitigated by the fact that database and/or table creation privileges are required for this to be exploited. Filesystem privileges might also be required, since the proof-of-concept I was able to produce is unable to execute a full command line that includes spaces. But this could possibly be bypassed by some shell-foo I'm not currently privy to.
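The underlying defect described above is an identifier read back from MySQL being interpolated into a command line that a shell then interprets. The following is an added example, not code from the report or from the handler it concerns: it contrasts the string-concatenation pattern with two defensive alternatives, an argv list that never passes through a shell and an allow-list that only admits MySQL's unquoted-identifier character set. The tool invocation, the helper names and the sample database names are assumptions for illustration.

```python
"""Added example (not from the original report): handling MySQL identifiers
safely when a backup job builds an external command from them.
The mysqldump invocation, helper names and sample names are assumptions."""
import re
import shlex
import subprocess
from typing import List

# Constructed sample identifiers: a benign one and one carrying a shell
# metacharacter. MySQL accepts the second as a quoted identifier.
BENIGN_DB = "shop_prod"
HOSTILE_DB = "shop;id"   # constructed; no spaces, matching the report's observation

# MySQL's unquoted-identifier alphabet, capped at the 64-character identifier limit.
SAFE_IDENT = re.compile(r"[0-9A-Za-z_$]{1,64}")


def is_safe_identifier(name: str) -> bool:
    """Allow-list check: only [0-9A-Za-z_$], 1 to 64 characters, nothing else."""
    return SAFE_IDENT.fullmatch(name) is not None


def build_shell_command(db: str) -> str:
    """The vulnerable pattern: the identifier lands verbatim in a string that a
    shell will later parse, so ';', '>' or '$(...)' in the name become syntax."""
    return f"mysqldump --single-transaction {db} > /var/backups/{db}.sql"


def build_argv(db: str) -> List[str]:
    """Hardened pattern: an argv list handed straight to execve; no shell ever
    sees the name, so metacharacters are just bytes in one argument."""
    return ["mysqldump", "--single-transaction", db]


def shell_safe_command(db: str) -> str:
    """If a shell is unavoidable (e.g. the handler is itself a shell script),
    quote the identifier so the shell treats it as a single literal word."""
    return f"mysqldump --single-transaction {shlex.quote(db)}"


def dump_database(db: str, outfile: str) -> int:
    """Run the dump defensively: refuse names outside the allow-list, then use
    argv (no shell) and redirect output in Python rather than via '>'."""
    if not is_safe_identifier(db):
        raise ValueError(f"refusing to dump database with unsafe name: {db!r}")
    with open(outfile, "wb") as fh:
        return subprocess.run(build_argv(db), stdout=fh, check=False).returncode


if __name__ == "__main__":
    print("vulnerable :", build_shell_command(HOSTILE_DB))
    print("argv       :", build_argv(HOSTILE_DB))
    print("quoted     :", shell_safe_command(HOSTILE_DB))
    print("allow-list :", is_safe_identifier(BENIGN_DB), is_safe_identifier(HOSTILE_DB))
```

The allow-list is deliberately stricter than what MySQL permits: a handler that backs up "every database on the server" should either skip names it cannot represent safely and log them, or use the argv form, rather than try to sanitise arbitrary Unicode for a particular shell. Note that the allow-list also rejects names starting with `-`, which closes the related option-injection case where a name would otherwise be parsed as a flag.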
The Debian security team's evaluation of this issue is that the previous embargo on this issue is counter-productive due to the low estimated impact, hence this new public issue.
This specific issue was discovered while discussing a separate, unrelated issue. See this discussion thread for context.