Multiple cases of insecure use of chmod and chown were found in the MySQL init script:
- In database directory initialization code:
- In code handling error log file creation and permission setting:
The mysql OS user could use these flaws to escalate privileges to root.
Note that the second issue is only exploitable in configurations where the log file is stored in a directory writable by the mysql OS user. If the log file is stored in the /var/log directory, the mysql user is not able to replace it with a link to some other file.
This issue was fixed in MySQL versions 5.5.54, 5.6.35, and 5.7.17. The following related entry can be found in the release notes:
Initialization scripts create the error log file only if the base
directory is /var/log or /var/lib.
MySQL upstream commit:
Does not affect Gentoo. We do not use that script.
Doesn't affect Gentoo, we use dev-db/mysql-init-scripts.
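
Added example, not taken from the MySQL init script or the upstream commit: a Python sketch of why a path-based chmod/chown on a log file in a directory the service user can write to is unsafe, next to a descriptor-based variant that refuses to follow a link. The file names and the temporary directory are constructed for the demonstration, and chmod stands in for both calls so it runs without root.

```python
import os
import stat
import tempfile

def chmod_by_path(path, mode):
    """Pattern at issue: a path-based call follows a symlink found at `path`."""
    os.chmod(path, mode)

def chmod_by_fd(path, mode):
    """Hardened form: open without following links, then act on the descriptor."""
    # O_NOFOLLOW makes open() fail if the final component is a symlink;
    # O_NONBLOCK keeps the open from hanging if a FIFO was planted instead.
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:
        return False
    try:
        st = os.fstat(fd)
        # Accept only a regular file with a single name (no extra hard links).
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            return False
        os.fchmod(fd, mode)
        # A script running as root would call os.fchown(fd, uid, gid) here too.
        return True
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: the log path has been replaced by a symlink."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")    # stands in for a root-owned file
        log = os.path.join(d, "mysqld.log")   # constructed log path
        with open(victim, "w"):
            pass
        os.chmod(victim, 0o600)
        os.symlink(victim, log)               # possible when the log dir is writable

        hardened_ok = chmod_by_fd(log, 0o640)
        mode_after_fd = stat.S_IMODE(os.stat(victim).st_mode)

        chmod_by_path(log, 0o640)             # follows the link to the victim file
        mode_after_path = stat.S_IMODE(os.stat(victim).st_mode)
        return hardened_ok, mode_after_fd, mode_after_path

if __name__ == "__main__":
    print(demo())
```
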