The issue stems from the mysql_install_db script in MariaDB releases ranging from 10.4.7 up to and including 10.4.11.
In a typical MariaDB installation, where $user is set to the mysql user, this will perform the following sequence of commands as root:
chown mysql /usr/lib64/mysql/plugin/auth_pam_tool_dir
chmod 0700 /usr/lib64/mysql/plugin/auth_pam_tool_dir
chown 0 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
chmod 04755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
These steps are executed unconditionally, no matter what the current owner and mode of the auth_pam_tool_dir are. If the mysql account is compromised, then an attacker can prepare a symlink attack or simply place an arbitrary binary in auth_pam_tool_dir/auth_pam_tool, which will gain setuid-root privileges once mysql_install_db is run. This way the mysql user can gain full root privileges easily.
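A guarded form of the same four-step sequence, as an added illustration that is not MariaDB's own code: the ownership and mode changes are only applied after verifying that the directory and the helper are what the installer expects, so a symlink or a replaced binary is refused instead of being made setuid root. The directory path and the service account name are assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example, not the mysql_install_db script itself.
# Return 0 if the directory given as "$1" is safe to operate on, 1 otherwise.
# Refuses when:
#   * the directory is a symlink or not a directory
#   * auth_pam_tool inside it is a symlink or not a regular file
#   * auth_pam_tool is writable by its group or by others
check_auth_pam_tool_dir() {
    dir=$1
    tool=$dir/auth_pam_tool

    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is missing or a symlink" >&2
        return 1
    fi
    if [ -L "$tool" ] || [ ! -f "$tool" ]; then
        echo "refusing: $tool is missing or not a regular file" >&2
        return 1
    fi
    # find(1) prints the path only if a group- or other-write bit is set.
    if [ -n "$(find "$tool" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "refusing: $tool is writable by group or others" >&2
        return 1
    fi
    return 0
}

# The original sequence from the report, now run only after the checks pass.
# "$1" is auth_pam_tool_dir, "$2" is the service account (e.g. mysql).
setup_auth_pam_tool_dir() {
    dir=$1
    user=$2
    check_auth_pam_tool_dir "$dir" || return 1
    chown "$user" "$dir" &&
    chmod 0700 "$dir" &&
    chown 0 "$dir/auth_pam_tool" &&
    chmod 04755 "$dir/auth_pam_tool"
}
```

The privileged steps still need root; the checker itself can be run as any user to audit an existing plugin directory.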
Gentoo is not affected:
- 10.4.x is not stable within Gentoo.
- Also, Gentoo users will usually use `emerge --config dev-db/mariadb` instead of mysql_install_db.
@ maintainer(s): Please clean up and drop dev-db/mariadb=10.4.10!
Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), please clean up.
tree is clean