mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently.
Created mariadb tracking bugs for this issue:
Affects: fedora-all [bug 1802787]
Affects: openstack-rdo [bug 1802788]
Plugin `auth_pam_tool` was introduced in MariaDB upstream version 10.4.0 with the following commits:
The setuid permission was set in MariaDB upstream version 10.4.7 with commit:
This flaw did not affect the versions of MariaDB as shipped with Red Hat Enterprise Linux 7 and 8, as they did not include the vulnerable code, which was introduced in a newer version of the package. The same is true for the versions of MariaDB as shipped with Red Hat Software Collections 3.
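The description at the top attributes the flaw to chown and chmod being performed unsafely on a path where a symlink can be planted. The following is an added example in C, not MariaDB code and not the upstream fix, showing a descriptor-based permission change that refuses symlinks, extra hard links and unexpected owners. The function name `safe_chmod_in_dir` and its `owner` parameter are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not MariaDB code): apply `mode` to dir/name only if
 * it is a regular, singly linked file already owned by `owner`.
 * Returns 0 on success, -1 with errno set on refusal or failure. */
int safe_chmod_in_dir(const char *dir, const char *name, mode_t mode, uid_t owner)
{
    struct stat st;
    int rc = -1, saved;

    /* Pin the directory; O_NOFOLLOW rejects a symlink as its last component. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;

    /* Resolve `name` relative to the pinned directory. A symlink planted
     * under that name makes openat() fail instead of being followed. */
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        goto out_dir;

    /* Inspect the inode that was actually opened, not the path. */
    if (fstat(fd, &st) != 0)
        goto out_file;
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != owner) {
        errno = EPERM;  /* wrong type, extra hard link, or unexpected owner */
        goto out_file;
    }

    /* fchmod() changes that same inode, so a later swap of the directory
     * entry cannot redirect the permission change. */
    rc = fchmod(fd, mode);

out_file:
    saved = errno;
    close(fd);
    errno = saved;
out_dir:
    saved = errno;
    close(dfd);
    errno = saved;
    return rc;
}
```

The owner check matters when a setuid mode such as the 04755 named above is being applied: the bit should only land on a file the privileged installer already owns. The directory holding the file also needs to be writable only by that privileged owner.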