Bug 593608

Summary:	<dev-db/mariadb-{5.5.51,10.0.27,10.1.17}: general_log_file can be abused (CVE-2016-6662)
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	mysql-bugs
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://jira.mariadb.org/browse/MDEV-10465
Whiteboard:	B1 [glsa cve]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	589346, 593584

Description Thomas Deutschmann (RETIRED) gentoo-dev

2016-09-12 20:18:37 UTC

Earlier MySQL used to read my.cnf from three locations, in that order:

 - /etc
 - datadir
 - $HOME/.my.cnf

The second is particularly unsafe, because datadir is writable by the
mysqld server, and a user that can connect to MySQL can create my.cnf in
the datadir using SELECT ... OUTFILE. Over time various safety mechanisms
were implemented:

 - mysqld no longer reads my.cnf in the datadir. Still, mysqld_safe.sh does
   and forces the server to, so if the server is started via
   mysqld_safe.sh, my.cnf in the datadir is still used.

 - --secure-file-priv command-line option limits SELECT ... OUTFILE to the
   specified directory, it's recommended to set it outside of datadir

 - SELECT ... OUTFILE creates files that are world-writable and mysqld
   refuses to read my.cnf if it is world-writable.

But as was recently discovered by Dawid Golunski, one can abuse
@@general_log_file variable to create a my.cnf in the datadir, and it will
be not created world-writable, so the both mysqld_safe and mysqld will read
it on startup.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2016-09-12 20:47:55 UTC

Arches, please test and mark stable: =dev-db/mariadb-10.0.27
The test suite should pass following the official instructions.
Local timeouts may be expected on resource starved machines. (each test thread can spawn up to 4 server instances)

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2016-09-12 21:10:07 UTC

# Official test instructions:
# USE='embedded extraengine perl openssl static-libs' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mariadb-10.0.27.ebuild \
# digest clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
export MTR_PARALLEL="${MTR_PARALLEL:-auto}"

Comment 3 Agostino Sarubbo gentoo-dev

2016-09-13 12:03:33 UTC

amd64 stable

Comment 4 Tobias Klausmann (RETIRED) gentoo-dev

2016-09-17 09:52:16 UTC

Stable on alpha.

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2016-09-18 18:20:47 UTC

Stable for HPPA PPC64.

Comment 6 Markus Meier gentoo-dev

2016-09-27 18:38:08 UTC

arm stable

Comment 7 Agostino Sarubbo gentoo-dev

2016-09-29 09:07:00 UTC

x86 stable

Comment 8 Agostino Sarubbo gentoo-dev

2016-09-29 09:22:49 UTC

sparc stable

Comment 9 Agostino Sarubbo gentoo-dev

2016-09-29 12:55:04 UTC

ppc stable

Comment 10 Agostino Sarubbo gentoo-dev

2016-09-29 13:36:02 UTC

ia64 stable.

Maintainer(s), please cleanup.

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2016-10-11 13:46:24 UTC

This issue was resolved and addressed in
 GLSA 201610-06 at https://security.gentoo.org/glsa/201610-06
by GLSA coordinator Aaron Bauman (b-man).

Comment 12 Aaron Bauman (RETIRED) gentoo-dev

2016-10-11 13:48:26 UTC

Reopening for cleanup.  Please cleanup the following packages:

=dev-db/mariadb-10.0.25
=dev-db/mariadb-10.0.26

Comment 13 Brian Evans (RETIRED) gentoo-dev

2016-10-11 14:17:14 UTC

Cleanup complete

Comment 14 Aaron Bauman (RETIRED) gentoo-dev

2016-10-12 13:28:18 UTC

(In reply to Brian Evans from comment #13)
> Cleanup complete

Thanks, Brian!

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2017-01-01 13:37:11 UTC

This issue was resolved and addressed in
 GLSA 201701-01 at https://security.gentoo.org/glsa/201701-01
by GLSA coordinator Thomas Deutschmann (whissi).