The issue stems from the mysql_install_db script in MariaDB releases ranging from 10.4.7 up to and including 10.4.11. In a typical MariaDB installation where $user is set to the mysql user, this will perform the following sequence of commands as root:

    chown mysql /usr/lib64/mysql/plugin/auth_pam_tool_dir
    chmod 0700 /usr/lib64/mysql/plugin/auth_pam_tool_dir
    chown 0 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
    chmod 04755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool

These steps are executed unconditionally, no matter what the current owner and mode of the auth_pam_tool_dir are. If the mysql account is compromised, then an attacker can prepare a symlink attack or simply place an arbitrary binary in auth_pam_tool_dir/auth_pam_tool which will gain setuid-root privileges once mysql_install_db is run. This way the mysql user can gain full root privileges easily.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7221
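As an added example (not MariaDB's or Gentoo's code), this is what a hardened form of the step above looks like: the chown/chmod sequence is only applied after verifying that neither the directory nor the tool is a symlink, that the tool sits directly inside the directory, and that it is already owned by root. The function names, and the use of parameters instead of the hard-coded /usr/lib64 paths, are assumptions made so the checks can be run against a constructed directory.

```shell
#!/bin/sh
# Hardened variant of the mysql_install_db auth_pam_tool permission step
# (added example, not the upstream script). The original runs chown/chmod
# unconditionally; here the setuid bit is applied only after the layout
# and ownership checks below succeed.

# Return 0 if DIR is a real directory and TOOL a regular file directly
# inside it, neither being a symlink; otherwise say why and return 1.
check_pam_tool_layout() {
    dir=$1
    tool=$2
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is a symlink or not a directory" >&2
        return 1
    fi
    if [ -L "$tool" ] || [ ! -f "$tool" ]; then
        echo "refusing: $tool is a symlink or not a regular file" >&2
        return 1
    fi
    if [ "$(dirname "$tool")" != "$dir" ]; then
        echo "refusing: $tool is not directly inside $dir" >&2
        return 1
    fi
    return 0
}

# Return 0 if FILE ($1) is owned by numeric uid $2 (find -user takes a uid).
owned_by_uid() {
    [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ]
}

# Apply the original permissions only when the checks pass, so the setuid
# bit is never set on a file the service user could have planted.
# Must run as root, exactly like mysql_install_db.
install_pam_tool_perms() {
    dir=$1
    tool=$2
    user=$3
    check_pam_tool_layout "$dir" "$tool" || return 1
    if ! owned_by_uid "$tool" 0; then
        echo "refusing: $tool is not owned by root" >&2
        return 1
    fi
    chown "$user" "$dir" && chmod 0700 "$dir" && chmod 04755 "$tool"
}
```

Run it against a scratch directory to see the symlink and ownership cases refused before trying it on a real plugin directory.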
Gentoo is not affected:
- 10.4.x is not stable within Gentoo.
- Also, Gentoo users will usually use `emerge --config dev-db/mariadb` instead of mysql_install_db.

@maintainer(s): Please cleanup and drop dev-db/mariadb=10.4.10!
@maintainer(s): ping
Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), please cleanup.
tree is clean