Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 708200 (CVE-2020-7221) - <dev-db/mariadb-10.4.12: possible local mysql to root user exploit in mysql_install_db script (CVE-2020-7221)
Summary: <dev-db/mariadb-10.4.12: possible local mysql to root user exploit in mysql_i...
Status: RESOLVED FIXED
Alias: CVE-2020-7221
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://seclists.org/oss-sec/2020/q1/55
Whiteboard: ~1 [cleanup cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-04 11:30 UTC by filip ambroz
Modified: 2020-07-28 19:31 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description filip ambroz 2020-02-04 11:30:10 UTC
The issue stems from the mysql_install_db script mariadb releases ranging from 10.4.7 up and including to 10.4.11.

In a typical MariaDB installation where $user is set to the mysql user this will perform the following sequence of commands as root:
  chown mysql /usr/lib64/mysql/plugin/auth_pam_tool_dir
  chmod 0700 /usr/lib64/mysql/plugin/auth_pam_tool_dir
  chown 0 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
  chmod 04755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool

These steps are executed unconditionally no matter what the current owner and mode of the auth_pam_tool_dir are. If the mysql account is compromised then an attacker can prepare a symlink attack or simply place an arbitrary binary in auth_pam_tool_dir/auth_pam_tool which will gain setuid-root privileges once mysql_install_db is run. This way the mysql user can gain full root privileges easily.
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-02-04 14:46:43 UTC
Gentoo is not affected:

- 10.4.x is not stable within Gentoo.

- Also, Gentoo user will usually use `emerge --config dev-db/mariadb` instead of mysql_install_db.



@ maintainer(s): Please cleanup and drop dev-db/mariadb=10.4.10!
Comment 3 Sam James gentoo-dev Security 2020-04-01 18:14:57 UTC
@maintainer(s): ping
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-11 21:33:03 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 5 John Helmert III (ajak) 2020-06-23 02:44:49 UTC
Maintainer(s), please cleanup.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-07-28 19:31:26 UTC
tree is clean