mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool.

NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently.

Reference:
https://seclists.org/oss-sec/2020/q1/55

Upstream commit:
https://github.com/MariaDB/server/commit/9d18b6246755472c8324bf3e20e234e08ac45618
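
The pattern described above, a privileged chmod on a path inside a directory that a less-privileged account controls, shown next to a descriptor-based variant that refuses symlinks. This is an added example, not MariaDB's code or its upstream fix; the function names, file names and temporary-directory fixture are constructed for illustration, and harmless modes are used in place of 04755.

```python
import os
import stat
import tempfile

def chmod_by_path(path, mode):
    # Path-based call: a symlink at `path` is followed and its target is changed.
    os.chmod(path, mode)

def chmod_no_follow(dir_path, name, mode, expected_uid):
    """chmod dir_path/name only if it is a regular, singly linked file owned by expected_uid."""
    dir_fd = os.open(dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # O_NOFOLLOW: open fails (ELOOP) when the final component is a symlink.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=dir_fd)
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or st.st_uid != expected_uid:
                raise PermissionError(f"refusing to chmod {name!r}: unexpected type, links or owner")
            os.fchmod(fd, mode)  # acts on the inode that was opened and checked
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)

def demo():
    """Constructed fixture: tool_dir holds one real file and one symlink to 'outside'."""
    with tempfile.TemporaryDirectory() as top:
        outside, tool_dir = os.path.join(top, "outside"), os.path.join(top, "tool_dir")
        os.mkdir(tool_dir)
        tool, link = os.path.join(tool_dir, "tool"), os.path.join(tool_dir, "link")
        for p in (outside, tool):
            open(p, "w").close()
            os.chmod(p, 0o600)
        os.symlink(outside, link)
        mode = lambda p: stat.S_IMODE(os.stat(p).st_mode)
        chmod_by_path(link, 0o644)
        out = {"path_call_changed_outside": mode(outside) == 0o644}
        os.chmod(outside, 0o600)  # reset before the hardened call
        try:
            chmod_no_follow(tool_dir, "link", 0o644, os.geteuid())
            out["symlink_refused"] = False
        except OSError:
            out["symlink_refused"] = True
        out["outside_mode"] = mode(outside)
        chmod_no_follow(tool_dir, "tool", 0o644, os.geteuid())
        out["tool_mode"] = mode(tool)
        return out

if __name__ == "__main__":
    print(demo())
```

The check and the mode change both go through the same open descriptor, so renaming or replacing the directory entry between the two steps has no effect on which inode is modified.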
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1802787]
Affects: openstack-rdo [bug 1802788]
Plugin `auth_pam_tool` was introduced in MariaDB upstream version 10.4.0 with the following commits:
https://github.com/MariaDB/server/commit/efba0b1df5abe1ac972181a01bcbd208693639ae
https://github.com/MariaDB/server/commit/25410d448d5cd5796852da106324309d169981c9

The setuid permission was set in MariaDB upstream version 10.4.7 with commit:
https://github.com/MariaDB/server/commit/ec494cb1fadb40ae25b944bb1229fc2d6f88e8c6
Statement:

This flaw did not affect the versions of MariaDB as shipped with Red Hat Enterprise Linux 7 and 8, as they did not include the vulnerable code, which was introduced in a newer version of the package. The same is true for the versions of MariaDB as shipped with Red Hat Software Collections 3.