Bug 1414133 (CVE-2017-3312) - CVE-2017-3312 mysql: insecure error log file handling in mysqld_safe, incomplete CVE-2016-6664 fix (CPU Jan 2017)
Summary: CVE-2017-3312 mysql: insecure error log file handling in mysqld_safe, incompl...
Status: CLOSED ERRATA
Alias: CVE-2017-3312
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170117,repor...
Keywords: Security
Depends On: 1445520 1445521 1445537 1445538 1458933 1463415 1463416 1463417 1463418
Blocks: 1414362
TreeView+ depends on / blocked
 
Reported: 2017-01-17 20:56 UTC by Tomas Hoger
Modified: 2018-04-06 12:24 UTC (History)
31 users (show)

(edit)
Multiple flaws were found in the way the mysqld_safe script handled creation of error log file. The mysql operating system user could use these flaws to escalate their privileges to root.
Clone Of:
(edit)
Last Closed: 2018-03-21 14:48:30 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2192 normal SHIPPED_LIVE Moderate: mariadb security and bug fix update 2017-08-01 18:18:36 UTC
Red Hat Product Errata RHSA-2017:2787 normal SHIPPED_LIVE Important: rh-mysql56-mysql security and bug fix update 2017-09-21 11:42:12 UTC
Red Hat Product Errata RHSA-2017:2886 normal SHIPPED_LIVE Important: rh-mysql57-mysql security and bug fix update 2017-10-12 11:53:15 UTC
Red Hat Product Errata RHSA-2018:0279 normal SHIPPED_LIVE Moderate: rh-mariadb100-mariadb security update 2018-02-06 18:00:11 UTC
Red Hat Product Errata RHSA-2018:0574 None None None 2018-03-21 13:58 UTC

Description Tomas Hoger 2017-01-17 20:56:53 UTC
MySQL versions 5.5.52, 5.6.33, and 5.7.15 corrected a flaw in the way error log file was handled by mysqld_safe script.  The issue allows mysql system user to escalate their privileges to root, and got two CVE ids assigned - CVE-2016-6664 and CVE-2016-5617 - see bug 1386564.

The original fix was applied as part of the patch for another issue - CVE-2016-6662:

https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c

The fix attempted to prevent script from using touch/chown/chmod on the configured log file if it was a symbolic link.  This fix was found to be incomplete and having the following issues:

- Fix was racy, and the race was quite easy to win.  Changing ownership and mode of arbitrary files was still possible.

- After the fix, mysqld_safe no longer tried to change ownership or mode of the log file if it was symlink, but it still used the file for logging and written new log entries to it.  This allowed arbitrary file corruption, at least.

- It was possible to set log-error to point to arbitrary file, bypassing symlinks checks added by the fix.

These additional problems were corrected in versions 5.5.54, 5.6.35, and 5.7.17:

  Unsafe use of rm and chown in mysqld_safe could result in privilege
  escalation. chown now can be used only when the target directory is
  /var/log. An incompatible change is that if the directory for the Unix
  socket file is missing, it is no longer created; instead, an error occurs.
  Due to these changes, /bin/bash is required to run mysqld_safe on Solaris.
  /bin/sh is still used on other Unix/Linux platforms. 

http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html

via the following commit:

https://github.com/mysql/mysql-server/commit/1f93f4381b60e3a8012ba36a4dec920416073759

This fix, however, effectively disables mysqld_safe's logging to file if the script is running as root.

Comment 1 Tomas Hoger 2017-01-17 21:01:26 UTC
MariaDB only corrected the CVE-2016-6664 / CVE-2016-5617 issue in versions 5.5.54 and 10.0.29 using different fix from the one used by Oracle in MySQL.

MariaDB fix:

https://github.com/MariaDB/server/commit/8fcdd6b0ecbb966f4479856efe93a963a7a422f7

To avoid incompletely fixing this issue or breaking mysqld_safe logging, the above commit introduces new logging helper program - mysqld_safe_helper.  Log messages are piped to the helper program, which drops privileges before opening log file and copying its standard input to the log file.

Comment 2 Tomas Hoger 2017-01-18 08:32:01 UTC
The CVE is now public via Oracle CPU January 2017:

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL

Comment 4 Adam Mariš 2017-01-18 13:29:29 UTC
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1414387]

Comment 5 Adam Mariš 2017-01-18 13:29:44 UTC
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1414386]

Comment 11 errata-xmlrpc 2017-08-01 19:41:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2192

Comment 12 errata-xmlrpc 2017-09-21 07:45:11 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787

Comment 13 errata-xmlrpc 2017-10-12 07:56:16 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2017:2886

Comment 14 errata-xmlrpc 2018-02-06 10:58:37 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0279 https://access.redhat.com/errata/RHSA-2018:0279

Comment 15 errata-xmlrpc 2018-03-21 13:58:46 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0574 https://access.redhat.com/errata/RHSA-2018:0574

Comment 16 Tomas Hoger 2018-03-21 14:48:47 UTC
Acknowledgments:

Name: Red Hat Product Security


Note You need to log in before you can comment on or make changes to this bug.