Date: Tue, 13 Sep 2016 01:53:00 +0000
From: HW42 <hw42@...umj.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-6662 - MySQL Remote Root Code Execution /
 Privilege Escalation ( 0day )

From the advisory:
> on MySQL versions in branches 5.5 and 5.6.
> The datadir location for my.cnf has only been removed from MySQL starting
> from 5.7 branch however in many configurations it will still load config
> from:
> 
> /var/lib/mysql/.my.cnf

This is only the case if HOME is set to /var/lib/mysql, right? So for
example not in the Debian config?

> IX. VENDOR RESPONSE / SOLUTION
> -------------------------
[...]
> No official patches or mitigations are available at this time from the vendor.
> As temporary mitigations, users should ensure that no mysql config files are
> owned by mysql user, and create root-owned dummy my.cnf files that are not in
> use.

Would it not be a better mitigation to not read the conf files from the
data directory at all? Something like the attached patch.

--- a/mysqld_safe	2016-09-13 03:34:59.000000000 +0200
+++ b/mysqld_safe	2016-09-13 03:34:29.345396880 +0200
@@ -419,10 +419,6 @@
 if test -d $MY_BASEDIR_VERSION/data/mysql
 then
   DATADIR=$MY_BASEDIR_VERSION/data
-  if test -z "$defaults" -a -r "$DATADIR/my.cnf"
-  then
-    defaults="--defaults-extra-file=$DATADIR/my.cnf"
-  fi
 # Next try where the source installs put it
 elif test -d $MY_BASEDIR_VERSION/var/mysql
 then
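Review bot: It is not visible from this hunk whether the `elif test -d $MY_BASEDIR_VERSION/var/mysql` branch, which begins in the trailing context, carries the same `$DATADIR/my.cnf` fallback as the block removed from the `$MY_BASEDIR_VERSION/data/mysql` branch. If it does, it needs the same removal, otherwise the data directory is still consulted on source-style installs. A one-line comment where the block was, saying that my.cnf in the data directory is deliberately not read, would also help keep the fallback from being reintroduced later.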
@@ -434,23 +430,7 @@
 
 if test -z "$MYSQL_HOME"
 then 
-  if test -r "$MY_BASEDIR_VERSION/my.cnf" && test -r "$DATADIR/my.cnf"
-  then
-    log_error "WARNING: Found two instances of my.cnf -
-$MY_BASEDIR_VERSION/my.cnf and
-$DATADIR/my.cnf
-IGNORING $DATADIR/my.cnf"
-
-    MYSQL_HOME=$MY_BASEDIR_VERSION
-  elif test -r "$DATADIR/my.cnf"
-  then
-    log_error "WARNING: Found $DATADIR/my.cnf
-The data directory is a deprecated location for my.cnf, please move it to
-$MY_BASEDIR_VERSION/my.cnf"
-    MYSQL_HOME=$DATADIR
-  else
-    MYSQL_HOME=$MY_BASEDIR_VERSION
-  fi
+  MYSQL_HOME=$MY_BASEDIR_VERSION
 fi
 export MYSQL_HOME
 
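Review bot: With the whole `if`/`elif`/`else` gone, a readable `$DATADIR/my.cnf` is now ignored without any message, whereas both removed branches reported it through `log_error`. Consider keeping a warning while still forcing `MYSQL_HOME=$MY_BASEDIR_VERSION`, for example `test -r "$DATADIR/my.cnf" && log_error "WARNING: ignoring $DATADIR/my.cnf"`, so that an administrator who relied on the deprecated location notices the change and an unexpected file appearing in the data directory is recorded in the error log.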


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
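The temporary mitigation quoted from the advisory (no config files owned by the mysql user, root-owned dummy files) can be checked with a small audit; this is an added example, not part of the original message or of MySQL. The function names and status labels are assumptions of the example, and the account name and paths are supplied by the caller. It also reports a directory owned by the account, since the owner of a directory can create or replace files in it regardless of who owns the files.

```shell
#!/bin/sh
# Added example: audit config paths against the account the server runs as.
# Usage (script name is hypothetical):
#   sh audit_cnf.sh mysql /etc/my.cnf /var/lib/mysql/my.cnf /var/lib/mysql/.my.cnf

# owned_by USER PATH: true when PATH exists and belongs to USER.
# -H makes find report on the target when PATH is a symlink.
owned_by() {
    [ -n "$(find -H "$2" -prune -user "$1" 2>/dev/null)" ]
}

# audit_cnf USER PATH...: print "STATUS<TAB>PATH" for every PATH.
#   OWNED  the file exists and USER owns it, so USER can rewrite it
#   DIR    USER owns the containing directory, so USER can create the file
#          there or replace a root-owned dummy file
#   OK     neither the file nor its directory belongs to USER
audit_cnf() {
    user=$1
    shift
    # Refuse an unknown account name; otherwise every path would read as OK.
    if ! id "$user" >/dev/null 2>&1; then
        echo "audit_cnf: unknown user: $user" >&2
        return 2
    fi
    for f in "$@"; do
        if [ -e "$f" ] && owned_by "$user" "$f"; then
            status=OWNED
        elif owned_by "$user" "$(dirname "$f")"; then
            status=DIR
        else
            status=OK
        fi
        printf '%s\t%s\n' "$status" "$f"
    done
}

# Run the audit only when an account and at least one path are given.
if [ "$#" -ge 2 ]; then
    audit_cnf "$@"
fi
```

Any line other than `OK` marks a location where the server account can still influence a config file that a start-up script may read.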
