Bug 593584 (CVE-2016-6662) - [TRACKER] MySQL's general_log_file can be abused (CVE-2016-6662)
Summary: [TRACKER] MySQL's general_log_file can be abused (CVE-2016-6662)
Status: RESOLVED FIXED
Alias: CVE-2016-6662
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://legalhackers.com/advisories/My...
Whiteboard: B1 [glsa cve]
Keywords: Tracker
Depends on: 593608 593610 593614 593618
Blocks:
Reported: 2016-09-12 13:49 UTC by Hanno Böck
Modified: 2017-01-01 13:37 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hanno Böck gentoo-dev 2016-09-12 13:49:52 UTC
A security vuln in MySQL and forks of it has been posted to oss-security today:
http://seclists.org/oss-sec/2016/q3/481
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

This looks like a complicated issue. MySQL is not patched upstream yet and it sounds like this won't happen until their patch day at the end of October.

MariaDB is supposed to be fixed since Aug 30 (that'd probably be 10.1.17). I'm unsure if this is fixed in 10.0.x already (which is currently stable in Gentoo).

Percona is also affected. We only have testing keywords for percona-server and it's the latest version, so it's probably already okay.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2016-09-12 13:55:25 UTC
As a note on severity in Gentoo, we install but do not use the mysqld_safe script by default.

Instead we call mysqld directly, which does not keep root privileges.

A user could call this, but our supplied init scripts do not.

Also, this is fixed in MariaDB 5.5.51, 10.0.27, 10.1.17.
Comment 2 Brian Evans (RETIRED) gentoo-dev 2016-09-12 14:25:06 UTC
(In reply to Brian Evans from comment #1)
> As a note on severity in Gentoo, we install but do not use the mysqld_safe
> script by default.
> 

I have to adjust that, the systemd service does call it.

I have a new version of dev-db/mysql-init-scripts ready which does not
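Comments 1 and 2 turn on one operational question: is mysqld on a given host launched directly (dropping to the mysql user) or supervised by the root-owned mysqld_safe wrapper? The following is an added example, not code from the bug report, Gentoo, or the mysql-init-scripts package. It parses a constructed `ps -eo pid,ppid,user,comm` snapshot (the process names `mysqld` / `mariadbd` and the column layout are assumptions) and reports a server that runs as root or whose parent is mysqld_safe, so an administrator can confirm which init path a box is actually using.

```python
"""Audit a process listing for a MySQL/MariaDB server started via mysqld_safe.

Added example (not from the bug report or from Gentoo). Input is assumed to be
the text output of `ps -eo pid,ppid,user,comm`, one process per line with a
header row. The sample snapshots below are constructed, not captured from a
real host.
"""
from dataclasses import dataclass

# Process names treated as "the database server" (assumption: both spellings).
SERVER_NAMES = ("mysqld", "mariadbd")
WRAPPER_NAME = "mysqld_safe"


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str


def parse_ps(text: str) -> dict[int, Proc]:
    """Parse `ps -eo pid,ppid,user,comm` output into a pid -> Proc map."""
    procs: dict[int, Proc] = {}
    lines = text.strip().splitlines()
    for line in lines[1:]:  # first line is the ps header row
        fields = line.split(None, 3)
        if len(fields) != 4:
            continue  # tolerate blank or truncated lines
        pid, ppid, user, comm = fields
        procs[int(pid)] = Proc(int(pid), int(ppid), user, comm)
    return procs


def audit_mysqld(procs: dict[int, Proc]) -> list[tuple[int, str]]:
    """Return (pid, finding) pairs for server processes started the risky way.

    Two conditions are flagged: the server itself runs as root, or its parent
    process is the mysqld_safe wrapper (which stays resident as root even when
    the child has dropped to the mysql user).
    """
    findings: list[tuple[int, str]] = []
    for p in procs.values():
        if p.comm not in SERVER_NAMES:
            continue
        if p.user == "root":
            findings.append((p.pid, f"{p.comm} is running as root"))
        parent = procs.get(p.ppid)
        if parent is not None and parent.comm == WRAPPER_NAME:
            findings.append(
                (p.pid, f"{p.comm} supervised by {WRAPPER_NAME} "
                        f"(pid {parent.pid}, user {parent.user})")
            )
    return findings


# Constructed snapshot: server launched through the mysqld_safe wrapper.
PS_WRAPPED = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
 1200     1 root     mysqld_safe
 1250  1200 mysql    mysqld
"""

# Constructed snapshot: server started directly by the init script.
PS_DIRECT = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
 1300     1 mysql    mysqld
"""


if __name__ == "__main__":
    for label, snapshot in (("wrapped", PS_WRAPPED), ("direct", PS_DIRECT)):
        result = audit_mysqld(parse_ps(snapshot))
        print(label, "->", result or "no findings")
```

On a live host the same logic applies to `ps -eo pid,ppid,user,comm` piped into `parse_ps`; the direct-launch layout that comment 1 describes produces no findings, while the systemd unit path mentioned in comment 2 shows up as a server whose parent is mysqld_safe.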
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-12 18:30:54 UTC
For dev-db/percona-server:

$URL mentions:

> The vulnerabilities were patched by PerconaDB and MariaDB vendors by
> the end of 30th of August.

But no commit could be identified showing that such a fix was really released.

Today an upstream bug report (https://bugs.launchpad.net/percona-server/+bug/1622603) was created to ask for clarification.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-12 20:14:49 UTC
Transforming this bug report into a tracker bug...
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-11-19 05:19:47 UTC
CVE-2016-6652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6652):
  SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling
  SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that
  defines a String query using the @Query annotation, allows attackers to
  execute arbitrary JPQL commands via a sort instance with a function call.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-11-19 05:27:42 UTC
(In reply to GLSAMaker/CVETool Bot from comment #5)
> CVE-2016-6652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6652):
>   SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6
> (Gosling
>   SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository
> that
>   defines a String query using the @Query annotation, allows attackers to
>   execute arbitrary JPQL commands via a sort instance with a function call.

My bad.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 13:37:03 UTC
This issue was resolved and addressed in
 GLSA 201701-01 at https://security.gentoo.org/glsa/201701-01
by GLSA coordinator Thomas Deutschmann (whissi).