708200 – (CVE-2020-7221) <dev-db/mariadb-10.4.12: possible local mysql to root user exploit in mysql_install_db script (CVE-2020-7221)

Bug 708200 (CVE-2020-7221) - <dev-db/mariadb-10.4.12: possible local mysql to root user exploit in mysql_install_db script (CVE-2020-7221)

Summary: <dev-db/mariadb-10.4.12: possible local mysql to root user exploit in mysql_i...

Status:	RESOLVED FIXED

Alias:	CVE-2020-7221

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://seclists.org/oss-sec/2020/q1/55
Whiteboard:	~1 [cleanup cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-02-04 11:30 UTC by filip ambroz
Modified:	2020-07-28 19:31 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description filip ambroz 2020-02-04 11:30:10 UTC

The issue stems from the mysql_install_db script mariadb releases ranging from 10.4.7 up and including to 10.4.11.

In a typical MariaDB installation where $user is set to the mysql user this will perform the following sequence of commands as root:
  chown mysql /usr/lib64/mysql/plugin/auth_pam_tool_dir
  chmod 0700 /usr/lib64/mysql/plugin/auth_pam_tool_dir
  chown 0 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
  chmod 04755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool

These steps are executed unconditionally no matter what the current owner and mode of the auth_pam_tool_dir are. If the mysql account is compromised then an attacker can prepare a symlink attack or simply place an arbitrary binary in auth_pam_tool_dir/auth_pam_tool which will gain setuid-root privileges once mysql_install_db is run. This way the mysql user can gain full root privileges easily.

Comment 1 filip ambroz 2020-02-04 11:33:15 UTC

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7221

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2020-02-04 14:46:43 UTC

Gentoo is not affected:

- 10.4.x is not stable within Gentoo.

- Also, Gentoo user will usually use `emerge --config dev-db/mariadb` instead of mysql_install_db.



@ maintainer(s): Please cleanup and drop dev-db/mariadb=10.4.10!

Comment 3 Sam James archtester

2020-04-01 18:14:57 UTC

@maintainer(s): ping

Comment 4 Yury German Gentoo Infrastructure

2020-04-11 21:33:03 UTC

Maintainer(s), please drop the vulnerable version(s).

Comment 5 John Helmert III archtester

2020-06-23 02:44:49 UTC

Maintainer(s), please cleanup.

Comment 6 Aaron Bauman (RETIRED) gentoo-dev

2020-07-28 19:31:26 UTC

tree is clean