
Bug 593584 (CVE-2016-6662)

Summary: [TRACKER] MySQL's general_log_file can be abused (CVE-2016-6662)
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: diddledan, mysql-bugs
Priority: Normal
Keywords: Tracker
Version: unspecified
Hardware: All
OS: Linux
URL: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
Whiteboard: B1 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 593608, 593610, 593614, 593618
Bug Blocks:

Description Hanno Böck gentoo-dev 2016-09-12 13:49:52 UTC
A security vuln in MySQL and forks of it has been posted to oss-security today:
http://seclists.org/oss-sec/2016/q3/481
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

This looks like a complicated issue. MySQL is not patched upstream yet, and it sounds like this won't happen until their patch day at the end of October.

MariaDB is supposed to be fixed since Aug 30 (that'd probably be 10.1.17). I'm unsure if this is fixed in 10.0.x already (which is currently stable in Gentoo).

Percona is also affected. We only have testing keywords for percona-server and it's the latest version, so it's probably already okay.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2016-09-12 13:55:25 UTC
As a note on severity in Gentoo, we install but do not use the mysqld_safe script by default.

Instead we call mysqld directly, which does not keep root privileges.

A user could call this, but our supplied init scripts do not.

Also, this is fixed in MariaDB 5.5.51, 10.0.27, 10.1.17.
Comment 2 Brian Evans (RETIRED) gentoo-dev 2016-09-12 14:25:06 UTC
(In reply to Brian Evans from comment #1)
> As a note on severity in Gentoo, we install but do not use the mysqld_safe
> script by default.
> 

I have to adjust that, the systemd service does call it.

I have a new version of dev-db/mysql-init-scripts ready which does not
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-12 18:30:54 UTC
For dev-db/percona-server:

$URL mentions:

> The vulnerabilities were patched by PerconaDB and MariaDB vendors by
> the end of 30th of August.

But no commit could be identified showing that such a fix was really released.

Today an upstream bug report (https://bugs.launchpad.net/percona-server/+bug/1622603) was created to ask for clarification.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-12 20:14:49 UTC
Transforming this bug report into a tracker bug...
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-11-19 05:19:47 UTC
CVE-2016-6652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6652):
  SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling
  SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that
  defines a String query using the @Query annotation, allows attackers to
  execute arbitrary JPQL commands via a sort instance with a function call.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-11-19 05:27:42 UTC
(In reply to GLSAMaker/CVETool Bot from comment #5)
> CVE-2016-6652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6652):
>   SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6
> (Gosling
>   SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository
> that
>   defines a String query using the @Query annotation, allows attackers to
>   execute arbitrary JPQL commands via a sort instance with a function call.

My bad.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 13:37:03 UTC
This issue was resolved and addressed in GLSA 201701-01 at https://security.gentoo.org/glsa/201701-01 by GLSA coordinator Thomas Deutschmann (whissi).