Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 593608

Summary: <dev-db/mariadb-{5.5.51,10.0.27,10.1.17}: general_log_file can be abused (CVE-2016-6662)
Product: Gentoo Security Reporter: Thomas Deutschmann <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mysql-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://jira.mariadb.org/browse/MDEV-10465
Whiteboard: B1 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 589346, 593584    

Description Thomas Deutschmann gentoo-dev Security 2016-09-12 20:18:37 UTC
Earlier MySQL used to read my.cnf from three locations, in that order:

 - /etc
 - datadir
 - $HOME/.my.cnf

The second is particularly unsafe, because datadir is writable by the
mysqld server, and a user that can connect to MySQL can create my.cnf in
the datadir using SELECT ... OUTFILE. Over time various safety mechanisms
were implemented:

 - mysqld no longer reads my.cnf in the datadir. Still, mysqld_safe.sh does
   and forces the server to, so if the server is started via
   mysqld_safe.sh, my.cnf in the datadir is still used.

 - --secure-file-priv command-line option limits SELECT ... OUTFILE to the
   specified directory, it's recommended to set it outside of datadir

 - SELECT ... OUTFILE creates files that are world-writable and mysqld
   refuses to read my.cnf if it is world-writable.

But as was recently discovered by Dawid Golunski, one can abuse
@@general_log_file variable to create a my.cnf in the datadir, and it will
be not created world-writable, so the both mysqld_safe and mysqld will read
it on startup.
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-09-12 20:47:55 UTC
Arches, please test and mark stable: =dev-db/mariadb-10.0.27
The test suite should pass following the official instructions.
Local timeouts may be expected on resource starved machines. (each test thread can spawn up to 4 server instances)

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-09-12 21:10:07 UTC
# Official test instructions:
# USE='embedded extraengine perl openssl static-libs' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mariadb-10.0.27.ebuild \
# digest clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
export MTR_PARALLEL="${MTR_PARALLEL:-auto}"
Comment 3 Agostino Sarubbo gentoo-dev 2016-09-13 12:03:33 UTC
amd64 stable
Comment 4 Tobias Klausmann gentoo-dev 2016-09-17 09:52:16 UTC
Stable on alpha.
Comment 5 Jeroen Roovers gentoo-dev 2016-09-18 18:20:47 UTC
Stable for HPPA PPC64.
Comment 6 Markus Meier gentoo-dev 2016-09-27 18:38:08 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-09-29 09:07:00 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 09:22:49 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 12:55:04 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-09-29 13:36:02 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 13:46:24 UTC
This issue was resolved and addressed in
 GLSA 201610-06 at https://security.gentoo.org/glsa/201610-06
by GLSA coordinator Aaron Bauman (b-man).
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-11 13:48:26 UTC
Reopening for cleanup.  Please cleanup the following packages:

=dev-db/mariadb-10.0.25
=dev-db/mariadb-10.0.26
Comment 13 Brian Evans Gentoo Infrastructure gentoo-dev 2016-10-11 14:17:14 UTC
Cleanup complete
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-12 13:28:18 UTC
(In reply to Brian Evans from comment #13)
> Cleanup complete

Thanks, Brian!
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 13:37:11 UTC
This issue was resolved and addressed in
 GLSA 201701-01 at https://security.gentoo.org/glsa/201701-01
by GLSA coordinator Thomas Deutschmann (whissi).