Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 5 Feb 2020 13:45:21 +0100
From: Matthias Gerstner <>
Subject: CVE-2019-18901: mariadb: possible symlink attack for the mysql user
 in the SUSE specific mysql-systemd-helper script

Hello list,

in the course of a review of the mariadb packaging in the SUSE Linux
distribution I discovered that a SUSE specific helper script
"mysql-systemd-helper" unsafely operates with root privileges in
the /var/lib/mysql directory [1].

During initial package installation and during upgrade scenarios the
file /var/lib/mysql/mysql_upgrade_info is created/overwritten and
modified using the following shell commands:

echo -n "$MYSQLVER" > "$datadir"/mysql_upgrade_info
chmod 640 "$datadir/mysql_upgrade_info"

Since the unprivileged mysql user owns the parent directory it can
remove this file and replace it with a symlink to write/overwrite in
privileged file systems locations. This could mostly be used for
denial-of-service purposes, a full privilege escalation should not be
easily achieved by this vulnerability, since the file content cannot be
controlled by a potential attacker.

Future SUSE mariadb packages will keep this file in a safe location in
/var/lib/misc. Older, still supported packages will be fixed soon.





Matthias Gerstner <>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.