Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 593608 - <dev-db/mariadb-{5.5.51,10.0.27,10.1.17}: general_log_file can be abused (CVE-2016-6662)
Summary: <dev-db/mariadb-{5.5.51,10.0.27,10.1.17}: general_log_file can be abused (CVE...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa cve]
Depends on:
Blocks: CVE-2016-3477, CVE-2016-3521, CVE-2016-3615, CVE-2016-5440 CVE-2016-6662
  Show dependency tree
Reported: 2016-09-12 20:18 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-01-01 13:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-12 20:18:37 UTC
Earlier MySQL used to read my.cnf from three locations, in that order:

 - /etc
 - datadir
 - $HOME/.my.cnf

The second is particularly unsafe, because datadir is writable by the
mysqld server, and a user that can connect to MySQL can create my.cnf in
the datadir using SELECT ... OUTFILE. Over time various safety mechanisms
were implemented:

 - mysqld no longer reads my.cnf in the datadir. Still, does
   and forces the server to, so if the server is started via, my.cnf in the datadir is still used.

 - --secure-file-priv command-line option limits SELECT ... OUTFILE to the
   specified directory, it's recommended to set it outside of datadir

 - SELECT ... OUTFILE creates files that are world-writable and mysqld
   refuses to read my.cnf if it is world-writable.

But as was recently discovered by Dawid Golunski, one can abuse
@@general_log_file variable to create a my.cnf in the datadir, and it will
be not created world-writable, so the both mysqld_safe and mysqld will read
it on startup.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-12 20:47:55 UTC
Arches, please test and mark stable: =dev-db/mariadb-10.0.27
The test suite should pass following the official instructions.
Local timeouts may be expected on resource starved machines. (each test thread can spawn up to 4 server instances)

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-09-12 21:10:07 UTC
# Official test instructions:
# USE='embedded extraengine perl openssl static-libs' \
# FEATURES='test userpriv -usersandbox' \
# ebuild mariadb-10.0.27.ebuild \
# digest clean package

# Parallel testing is enabled, auto will try to detect number of cores
# You may set this by hand.
# The default maximum is 8 unless MTR_MAX_PARALLEL is increased
Comment 3 Agostino Sarubbo gentoo-dev 2016-09-13 12:03:33 UTC
amd64 stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2016-09-17 09:52:16 UTC
Stable on alpha.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-18 18:20:47 UTC
Stable for HPPA PPC64.
Comment 6 Markus Meier gentoo-dev 2016-09-27 18:38:08 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-09-29 09:07:00 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 09:22:49 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 12:55:04 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-09-29 13:36:02 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 13:46:24 UTC
This issue was resolved and addressed in
 GLSA 201610-06 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-10-11 13:48:26 UTC
Reopening for cleanup.  Please cleanup the following packages:

Comment 13 Brian Evans (RETIRED) gentoo-dev 2016-10-11 14:17:14 UTC
Cleanup complete
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-10-12 13:28:18 UTC
(In reply to Brian Evans from comment #13)
> Cleanup complete

Thanks, Brian!
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 13:37:11 UTC
This issue was resolved and addressed in
 GLSA 201701-01 at
by GLSA coordinator Thomas Deutschmann (whissi).