Multiple cases of insecure use of chmod and chown were found in the MySQL init script:

- In database directory initialization code:
  https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L97
- In code handling error log file creation and permission setting:
  https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L73

The mysql OS user could use these flaws to escalate privileges to root. Note that the second issue is only exploitable in configurations where the log file is stored in a directory writable by the mysql OS user. If the log file is stored in the /var/log directory, the mysql user is not able to replace it with a link to some other file.

This issue was fixed in MySQL versions 5.5.54, 5.6.35, and 5.7.17. The following related entry can be found in the release notes:

  Initialization scripts create the error log file only if the base directory is /var/log or /var/lib.

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html

MySQL upstream commit:
https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-5fccc3d0e109e8f9ad0653728bd1d975
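The rule quoted from the release notes, written out as a guard a root-run init script could apply before creating the error log and setting its owner and mode. This is an added example, not code from the report or from the MySQL init script; the function names, the ERRLOG_DIRS variable and the sample paths are hypothetical, and it assumes the note means the log's parent directory must be exactly /var/log or /var/lib.

```shell
#!/bin/sh
# Added illustration, not the MySQL init script; all names are hypothetical.

# Directories where root may create the error log (assumed root-writable only).
ERRLOG_DIRS=${ERRLOG_DIRS:-"/var/log /var/lib"}

# Literal reading of the release note: the parent directory must be exactly
# one of the allowlisted entries. Comparing the dirname string also rejects
# "/var/log/../tmp/x" and the mysql-owned datadir /var/lib/mysql.
errlog_dir_allowed() {
    dir=$(dirname -- "$1")
    for d in $ERRLOG_DIRS; do
        [ "$dir" = "$d" ] && return 0
    done
    return 1
}

# 0 = root may create the file and set owner/mode on it
# 1 = parent directory is outside the allowlist
# 2 = the path already exists as a symbolic link
# The link test is only meaningful inside directories the mysql user cannot
# write to; elsewhere the file could be swapped between the test and the chown.
errlog_check() {
    errlog_dir_allowed "$1" || return 1
    if [ -L "$1" ]; then
        return 2
    fi
    return 0
}

# Dry run: print the decision a root init script would take for one path.
errlog_verdict() {
    rc=0
    errlog_check "$1" || rc=$?
    case "$rc" in
        0) echo "create+chown  $1" ;;
        1) echo "skip (dir)    $1" ;;
        2) echo "skip (link)   $1" ;;
    esac
    return "$rc"
}

# Constructed sample paths, not taken from any real configuration.
for p in /var/log/mysqld.log /var/lib/mysql/mysqld.log \
         /var/log/../tmp/mysqld.log /home/db/logs/error.log; do
    errlog_verdict "$p" || true
done
```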
Does not affect Gentoo. We do not use that script.
Doesn't affect Gentoo, we use dev-db/mysql-init-scripts.