Bug 624816 (CVE-2017-3265) - <dev-db/mysql-{5.5.56,5.6.35}: unsafe chmod/chown use in init script (CVE-2017-3265)
Status: RESOLVED INVALID
Alias: CVE-2017-3265
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1 []
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-12 23:24 UTC by Volkan
Modified: 2017-07-13 13:00 UTC

See Also:
Package list:
Runtime testing required: ---


Description Volkan 2017-07-12 23:24:39 UTC
Multiple cases of insecure use of chmod and chown were found in the MySQL init script:

- In database directory initialization code:
https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L97

- In code handling error log file creation and permission setting:
https://github.com/mysql/mysql-server/blob/mysql-5.6.34/packaging/rpm-oel/mysql.init#L73

The mysql OS user could use these flaws to escalate privileges to root.

Note that the second issue is only exploitable in configurations where the log file is stored in a directory writable by the mysql OS user.  If the log file is stored in the /var/log directory, the mysql user is not able to replace it with a link to some other file.

This issue was fixed in MySQL versions 5.5.54, 5.6.35, and 5.7.17.  The following related entry can be found in the release notes:

  Initialization scripts create the error log file only if the base
  directory is /var/log or /var/lib.

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html

MySQL upstream commit:

https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-5fccc3d0e109e8f9ad0653728bd1d975
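
The rule quoted from the release notes, written out as an added example (it is not the MySQL init script, the upstream commit, or Gentoo's dev-db/mysql-init-scripts): a root-run helper that prepares the error log only when its parent directory is exactly /var/log or /var/lib and the path is not a symlink. The name `prepare_error_log` and the `ALLOWED_LOG_DIRS` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not the MySQL or Gentoo init script.
# Directories the release note names. The override exists only so the
# function can be exercised without root (an assumption of this example).
ALLOWED_LOG_DIRS="${ALLOWED_LOG_DIRS:-/var/log /var/lib}"

# prepare_error_log PATH [OWNER]   (hypothetical helper name)
# Returns 0 if PATH is, or was created as, a regular file directly inside
# an allowed directory; returns 1 if the path must not be touched.
prepare_error_log() {
    log=$1
    owner=${2:-}
    dir=$(dirname -- "$log")

    # Exact string match on the parent: subdirectories and ".." do not pass.
    allowed=no
    for d in $ALLOWED_LOG_DIRS; do
        if [ "$dir" = "$d" ]; then allowed=yes; fi
    done
    if [ "$allowed" != yes ]; then return 1; fi

    # Never act on a symlink, dangling or not: chmod would follow it.
    if [ -L "$log" ]; then return 1; fi

    if [ ! -e "$log" ]; then
        # noclobber: the redirection fails rather than truncating a file
        # that appeared at the path after the test above.
        ( umask 077; set -C; : > "$log" ) 2>/dev/null || return 1
    fi
    if [ ! -f "$log" ]; then return 1; fi

    chmod 0640 "$log" || return 1
    # Ownership changes only as root; -h acts on a link itself, not its target.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -h "$owner" "$log" || return 1
    fi
    return 0
}
```

The symlink test is only meaningful because the allowed directories are not writable by the mysql user; in a directory that user controls, the path can change between the check and the chmod.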
Comment 1 Brian Evans (RETIRED) gentoo-dev 2017-07-12 23:36:06 UTC
Does not affect Gentoo.  We do not use that script.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-07-12 23:40:09 UTC
Doesn't affect Gentoo, we use dev-db/mysql-init-scripts.