Dawid Golunski, reporter of CVE-2016-6662 (bug 1375198), mentioned existence of a privilege escalation vulnerability which should allow a non-privileged database user without FILE permissions to escalate their privileges to database or system administrator. Quoting from the advisory for CVE-2016-6662: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt It could also be combined with CVE-2016-6663 vulnerability which will be released shortly and could allow certain attackers to escalate their privileges to root even without FILE privilege. No further details are available at the moment.
This issue is now listed as fixed in MariaDB versions 5.5.52 and 10.1.18: https://mariadb.com/kb/en/mariadb/mariadb-5552-release-notes/ https://mariadb.com/kb/en/mariadb/mariadb-10118-release-notes/ According to MariaDB upstream, the CVE is for race condition issue fixed in this commit: https://github.com/MariaDB/server/commit/347eeefbfc658c8531878218487d729f4e020805 Corresponding MySQL commit is: https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291 and it was applied in MySQL versions 5.5.52, 5.6.33, and 5.7.15.
We also believe that Oracle decided to assign a duplicate CVE id for this issue - CVE-2016-5616 tracked via bug 1386562. Also see bug 1386562 comment 4 for information on how this issue is mitigated by the default configuration of MySQL/MariaDB packages as shipped in Red Hat products.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Via RHSA-2016:2131 https://rhn.redhat.com/errata/RHSA-2016-2131.html
References: http://seclists.org/fulldisclosure/2016/Nov/4
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2595 https://rhn.redhat.com/errata/RHSA-2016-2595.html
(In reply to Tomas Hoger from comment #4) > We also believe that Oracle decided to assign a duplicate CVE id for this > issue - CVE-2016-5616 tracked via bug 1386562. The original flaw reporter has now also confirmed that the CVE-2016-5616 is a duplicate id for the issue that originally got CVE-2016-6663. His advisory also notes that the setting of symbolic-links = 0 (which is used by default in all MySQL and MariaDB packages for Red Hat Enterprise Linux 6 and later) mitigates this issue. External References: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.txt
*** Bug 1386562 has been marked as a duplicate of this bug. ***
(In reply to Tomas Hoger from comment #4) > Also see bug 1386562 comment 4 for information on how this issue is > mitigated by the default configuration of MySQL/MariaDB packages as shipped > in Red Hat products. Copying the whole text of bug 1386562 comment 4 here, as bug 1386562 was closed as duplicate of this bug. -- The only change in MyISAM sub-component of MySQL in the listed versions is: https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291 To exploit this flaw, attacker needs to have a local shell access on the server running MySQL server, and have write access to the data directory used to store database files. The data directory is normally only writeable to the mysql system user, who has full control over database files anyway. However, MyISAM engine allows users creating database tables to specify location where data files are stored using DATA DIRECTORY and INDEX DIRECTORY clauses for CREATE TABLE. That way, database files can be stored in any directory writeable to a local user. The DATA DIRECTORY and INDEX DIRECTORY clause is only applied when mysqld is running with symlink support enabled. The symlinks support is controlled via symbolic-links configuration directive and --symbolic-links / --skip-symbolic-links command line options. The default configuration of all MySQL and MariaDB packages on Red Hat Enterprise Linux 6 and later is to disable symlink support - symbolic-links=0 setting is used in the default my.cnf. With this setting, only mysql system user should be able to exploit this flaw. The mysql packages on Red Hat Enterprise Linux 5 have symlink support enabled by default, however, Red Hat has been recommending disabling symlink support since 2010: https://rhn.redhat.com/errata/RHSA-2010-0109.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Via RHSA-2016:2749 https://rhn.redhat.com/errata/RHSA-2016-2749.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Via RHSA-2016:2928 https://rhn.redhat.com/errata/RHSA-2016-2928.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2016:2927 https://rhn.redhat.com/errata/RHSA-2016-2927.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:0184 https://rhn.redhat.com/errata/RHSA-2017-0184.html