Bug 1378936 (CVE-2016-5616, CVE-2016-6663)
Summary: | CVE-2016-5616 CVE-2016-6663 mysql: race condition while setting stats during MyISAM table repair (CPU Oct 2016) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | apevec, avibelli, ayoung, byte, carnil, cdonnell, chrisw, cperry, crrobins, cvsbot-xmlrpc, databases-maint, dciabrin, fdinitto, gsterlin, hhorak, jbalunas, jjoyce, jorton, jschluet, jshepherd, jstanek, kbasil, lhh, lpeer, markmc, mbayer, mburns, mmuzila, mschorm, praiskup, rbryant, rrajasek, sardella, sclewis, slinaber, srevivo, tdecacqu, tkirby |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | mysql 5.5.52, mysql 5.6.33, mysql 5.7.15, mariadb 5.5.52, mariadb 10.1.18, mariadb 10.0.28 | Doc Type: | If docs needed, set a value |
Doc Text: | A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-08 02:59:03 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1393306, 1393309, 1393313, 1393314, 1397309, 1397310, 1429974, 1429975 | ||
Bug Blocks: | 1375204, 1386598 |
Description
Tomas Hoger
2016-09-23 14:35:00 UTC
This issue is now listed as fixed in MariaDB versions 5.5.52 and 10.1.18:

https://mariadb.com/kb/en/mariadb/mariadb-5552-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10118-release-notes/

According to MariaDB upstream, the CVE is for the race condition issue fixed in this commit:

https://github.com/MariaDB/server/commit/347eeefbfc658c8531878218487d729f4e020805

The corresponding MySQL commit is:

https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291

and it was applied in MySQL versions 5.5.52, 5.6.33, and 5.7.15.

We also believe that Oracle decided to assign a duplicate CVE id for this issue - CVE-2016-5616, tracked via bug 1386562.

Also see bug 1386562 comment 4 for information on how this issue is mitigated by the default configuration of MySQL/MariaDB packages as shipped in Red Hat products.

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2131 https://rhn.redhat.com/errata/RHSA-2016-2131.html

References:

http://seclists.org/fulldisclosure/2016/Nov/4

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2016:2595 https://rhn.redhat.com/errata/RHSA-2016-2595.html

(In reply to Tomas Hoger from comment #4)
> We also believe that Oracle decided to assign a duplicate CVE id for this
> issue - CVE-2016-5616 tracked via bug 1386562.

The original flaw reporter has now also confirmed that CVE-2016-5616 is a duplicate id for the issue that originally got CVE-2016-6663. His advisory also notes that the setting of symbolic-links = 0 (which is used by default in all MySQL and MariaDB packages for Red Hat Enterprise Linux 6 and later) mitigates this issue.

External References:

https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.txt

*** Bug 1386562 has been marked as a duplicate of this bug. ***

(In reply to Tomas Hoger from comment #4)
> Also see bug 1386562 comment 4 for information on how this issue is
> mitigated by the default configuration of MySQL/MariaDB packages as shipped
> in Red Hat products.

Copying the whole text of bug 1386562 comment 4 here, as bug 1386562 was closed as a duplicate of this bug.

--

The only change in the MyISAM sub-component of MySQL in the listed versions is:

https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291

To exploit this flaw, an attacker needs to have local shell access on the server running MySQL server, and have write access to the data directory used to store database files. The data directory is normally only writable by the mysql system user, who has full control over database files anyway.

However, the MyISAM engine allows users creating database tables to specify the location where data files are stored using the DATA DIRECTORY and INDEX DIRECTORY clauses of CREATE TABLE. That way, database files can be stored in any directory writable by a local user.

The DATA DIRECTORY and INDEX DIRECTORY clauses are only applied when mysqld is running with symlink support enabled. Symlink support is controlled via the symbolic-links configuration directive and the --symbolic-links / --skip-symbolic-links command line options.

The default configuration of all MySQL and MariaDB packages on Red Hat Enterprise Linux 6 and later is to disable symlink support - the symbolic-links=0 setting is used in the default my.cnf. With this setting, only the mysql system user should be able to exploit this flaw.

The mysql packages on Red Hat Enterprise Linux 5 have symlink support enabled by default; however, Red Hat has been recommending disabling symlink support since 2010:

https://rhn.redhat.com/errata/RHSA-2010-0109.html

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2749 https://rhn.redhat.com/errata/RHSA-2016-2749.html

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:2928 https://rhn.redhat.com/errata/RHSA-2016-2928.html

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2016:2927 https://rhn.redhat.com/errata/RHSA-2016-2927.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2017:0184 https://rhn.redhat.com/errata/RHSA-2017-0184.html
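The mitigation quoted from bug 1386562 comment 4 above (symbolic-links=0 under [mysqld], or the equivalent --skip-symbolic-links) is easy to misjudge in a configuration audit: option files accept several spellings of the same option, a later setting overrides an earlier one, and an absent option silently leaves the server's built-in default in force. The POSIX shell script below is an added example written for this page; it is not code from the bug report, from Red Hat, or from the MySQL/MariaDB projects. It classifies the symlink setting found in a my.cnf-style option file as disabled, enabled, or unset, and runs itself over constructed sample files. Assumptions not stated on the page: only the [mysqld] and [server] groups are read and !include/!includedir directives are not followed (audit included files separately); option names are normalised by treating '-' and '_' alike and boolean values 0/OFF/FALSE as off, as the server does; and an unset option is reported as such, with the note that on the 5.x server builds discussed here the built-in default enables symlink support. The sample option files are constructed for the example and are not real Red Hat configuration files.

```shell
#!/bin/sh
# Added example (not from the bug report, Red Hat, or MySQL/MariaDB): classify
# the mysqld symlink setting in a my.cnf-style option file, i.e. the mitigation
# described in bug 1386562 comment 4 (symbolic-links=0 under [mysqld]).
#
# Assumptions (not stated on the page):
#  - only the [mysqld] and [server] groups are read; !include/!includedir
#    directives are not followed, so audit included files separately.
#  - option names may use '-' or '_' interchangeably, and the boolean values
#    0/OFF/FALSE mean off, as the server accepts them.
#  - an absent option is reported as "unset": the server's built-in default
#    applies, which on the 5.x server builds discussed here enables symlinks.

# symlink_setting FILE -> prints one of: disabled | enabled | unset
symlink_setting() {
    awk '
        function off(v) { return v == "0" || v == "OFF" || v == "FALSE" }
        # drop comments and whitespace; skip lines that end up empty
        { sub(/[#;].*/, ""); gsub(/[ \t]/, ""); if ($0 == "") next }
        # track whether we are inside a group mysqld actually reads
        /^\[/ { in_mysqld = ($0 == "[mysqld]" || $0 == "[server]"); next }
        !in_mysqld { next }
        {
            key = $0; val = ""
            if (index($0, "=") > 0) {
                key = substr($0, 1, index($0, "=") - 1)
                val = substr($0, index($0, "=") + 1)
            }
            gsub(/_/, "-", key); key = tolower(key); val = toupper(val)
            # a later setting overrides an earlier one, so keep overwriting
            if (key == "skip-symbolic-links")
                result = off(val) ? "enabled" : "disabled"
            else if (key == "symbolic-links")
                result = off(val) ? "disabled" : "enabled"
        }
        END { print (result == "" ? "unset" : result) }
    ' "$1"
}

# report FILE -> one-line verdict; returns 1 unless symlink support is disabled
report() {
    case "$(symlink_setting "$1")" in
        disabled) echo "$1: symlink support disabled; DATA/INDEX DIRECTORY is ignored"; return 0 ;;
        enabled)  echo "$1: symlink support ENABLED; set symbolic-links=0 under [mysqld]"; return 1 ;;
        *)        echo "$1: option not set; built-in default applies (enabled on these 5.x builds)"; return 1 ;;
    esac
}

# Constructed sample option files for the demonstration (not real Red Hat files).
sample_cnf_rhel() {      # shape of the RHEL 6/7 default: symlinks disabled
    printf '%s\n' '[mysqld]' 'datadir=/var/lib/mysql' \
        'socket=/var/lib/mysql/mysql.sock' 'user=mysql' \
        '# Disabling symbolic-links is recommended to prevent assorted security risks' \
        'symbolic-links=0' '' '[mysqld_safe]' 'log-error=/var/log/mysqld.log'
}
sample_cnf_rhel5() {     # option absent: the built-in server default applies
    printf '%s\n' '[mysqld]' 'datadir=/var/lib/mysql' \
        'socket=/var/lib/mysql/mysql.sock' 'user=mysql'
}
sample_cnf_reenabled() { # a later [mysqld] group (e.g. an appended drop-in) wins
    printf '%s\n' '[mysqld]' 'symbolic-links=0' '' \
        '[mysqld]' 'symbolic_links = ON'
}
sample_cnf_skip() {      # the command-line spelling, in its underscore form
    printf '%s\n' '[server]' 'skip_symbolic_links'
}

# Demonstration over the constructed samples; each verdict is printed.
tmp=$(mktemp -d)
sample_cnf_rhel      > "$tmp/rhel-default.cnf"
sample_cnf_rhel5     > "$tmp/rhel5-default.cnf"
sample_cnf_reenabled > "$tmp/reenabled.cnf"
sample_cnf_skip      > "$tmp/skip.cnf"
for f in "$tmp"/*.cnf; do
    report "$f" || :
done
rm -rf "$tmp"
```

The file check is what you run against configuration management or a golden image where no server is up. On a running server, confirm the effective value with `SHOW VARIABLES LIKE 'have_symlink'`, which reports DISABLED when mysqld was started with symlink support off; if the two disagree, an included file or a command-line option is overriding what the audited file says.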