Hide Forgot
MySQL versions 5.5.52, 5.6.33, and 5.7.15 corrected a flaw in the way error log file was handled by mysqld_safe script. The issue allows mysql system user to escalate their privileges to root, and got two CVE ids assigned - CVE-2016-6664 and CVE-2016-5617 - see bug 1386564. The original fix was applied as part of the patch for another issue - CVE-2016-6662: https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c The fix attempted to prevent script from using touch/chown/chmod on the configured log file if it was a symbolic link. This fix was found to be incomplete and having the following issues: - Fix was racy, and the race was quite easy to win. Changing ownership and mode of arbitrary files was still possible. - After the fix, mysqld_safe no longer tried to change ownership or mode of the log file if it was symlink, but it still used the file for logging and written new log entries to it. This allowed arbitrary file corruption, at least. - It was possible to set log-error to point to arbitrary file, bypassing symlinks checks added by the fix. These additional problems were corrected in versions 5.5.54, 5.6.35, and 5.7.17: Unsafe use of rm and chown in mysqld_safe could result in privilege escalation. chown now can be used only when the target directory is /var/log. An incompatible change is that if the directory for the Unix socket file is missing, it is no longer created; instead, an error occurs. Due to these changes, /bin/bash is required to run mysqld_safe on Solaris. /bin/sh is still used on other Unix/Linux platforms. http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html via the following commit: https://github.com/mysql/mysql-server/commit/1f93f4381b60e3a8012ba36a4dec920416073759 This fix, however, effectively disables mysqld_safe's logging to file if the script is running as root.
MariaDB only corrected the CVE-2016-6664 / CVE-2016-5617 issue in versions 5.5.54 and 10.0.29 using different fix from the one used by Oracle in MySQL. MariaDB fix: https://github.com/MariaDB/server/commit/8fcdd6b0ecbb966f4479856efe93a963a7a422f7 To avoid incompletely fixing this issue or breaking mysqld_safe logging, the above commit introduces new logging helper program - mysqld_safe_helper. Log messages are piped to the helper program, which drops privileges before opening log file and copying its standard input to the log file.
The CVE is now public via Oracle CPU January 2017: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL
Created mariadb tracking bugs for this issue: Affects: fedora-all [bug 1414387]
Created community-mysql tracking bugs for this issue: Affects: fedora-all [bug 1414386]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2192 https://access.redhat.com/errata/RHSA-2017:2192
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2787 https://access.redhat.com/errata/RHSA-2017:2787
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2886 https://access.redhat.com/errata/RHSA-2017:2886
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0279 https://access.redhat.com/errata/RHSA-2018:0279
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0574 https://access.redhat.com/errata/RHSA-2018:0574
Acknowledgments: Name: Red Hat Product Security