Bug 1414133 (CVE-2017-3312)

Summary: CVE-2017-3312 mysql: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 fix (CPU Jan 2017)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, avibelli, ayoung, chrisw, cvsbot-xmlrpc, databases-maint, dciabrin, gsterlin, hhorak, jbalunas, jjoyce, jorton, jschluet, jshepherd, kbasil, lhh, lpeer, markmc, mbayer, mburns, mmuzila, mschorm, rbryant, rrajasek, sclewis, security-response-team, slinaber, srevivo, tdecacqu, tjay, tkirby
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-21 14:48:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1445520, 1445521, 1445537, 1445538, 1458933, 1463415, 1463416, 1463417, 1463418    
Bug Blocks: 1414362    

Description Tomas Hoger 2017-01-17 20:56:53 UTC 
MySQL versions 5.5.52, 5.6.33, and 5.7.15 corrected a flaw in the way error log file was handled by mysqld_safe script.  The issue allows mysql system user to escalate their privileges to root, and got two CVE ids assigned - CVE-2016-6664 and CVE-2016-5617 - see bug 1386564.

The original fix was applied as part of the patch for another issue - CVE-2016-6662:

https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c

The fix attempted to prevent script from using touch/chown/chmod on the configured log file if it was a symbolic link.  This fix was found to be incomplete and having the following issues:

- Fix was racy, and the race was quite easy to win.  Changing ownership and mode of arbitrary files was still possible.

- After the fix, mysqld_safe no longer tried to change ownership or mode of the log file if it was symlink, but it still used the file for logging and written new log entries to it.  This allowed arbitrary file corruption, at least.

- It was possible to set log-error to point to arbitrary file, bypassing symlinks checks added by the fix.

These additional problems were corrected in versions 5.5.54, 5.6.35, and 5.7.17:

  Unsafe use of rm and chown in mysqld_safe could result in privilege
  escalation. chown now can be used only when the target directory is
  /var/log. An incompatible change is that if the directory for the Unix
  socket file is missing, it is no longer created; instead, an error occurs.
  Due to these changes, /bin/bash is required to run mysqld_safe on Solaris.
  /bin/sh is still used on other Unix/Linux platforms. 

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html

via the following commit:

https://github.com/mysql/mysql-server/commit/1f93f4381b60e3a8012ba36a4dec920416073759

This fix, however, effectively disables mysqld_safe's logging to file if the script is running as root.
Comment 1 Tomas Hoger 2017-01-17 21:01:26 UTC 
MariaDB only corrected the CVE-2016-6664 / CVE-2016-5617 issue in versions 5.5.54 and 10.0.29 using different fix from the one used by Oracle in MySQL.

MariaDB fix:

https://github.com/MariaDB/server/commit/8fcdd6b0ecbb966f4479856efe93a963a7a422f7

To avoid incompletely fixing this issue or breaking mysqld_safe logging, the above commit introduces new logging helper program - mysqld_safe_helper.  Log messages are piped to the helper program, which drops privileges before opening log file and copying its standard input to the log file.
Comment 2 Tomas Hoger 2017-01-18 08:32:01 UTC 
The CVE is now public via Oracle CPU January 2017:

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL
Comment 4 Adam Mariš 2017-01-18 13:29:29 UTC 
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1414387]
Comment 5 Adam Mariš 2017-01-18 13:29:44 UTC 
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1414386]
Comment 11 errata-xmlrpc 2017-08-01 19:41:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2192
Comment 12 errata-xmlrpc 2017-09-21 07:45:11 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787
Comment 13 errata-xmlrpc 2017-10-12 07:56:16 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2017:2886
Comment 14 errata-xmlrpc 2018-02-06 10:58:37 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0279 https://access.redhat.com/errata/RHSA-2018:0279
Comment 15 errata-xmlrpc 2018-03-21 13:58:46 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0574 https://access.redhat.com/errata/RHSA-2018:0574
Comment 16 Tomas Hoger 2018-03-21 14:48:47 UTC 
Acknowledgments:

Name: Red Hat Product Security