Date: Wed, 5 Feb 2020 13:45:21 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script

Hello list,

in the course of a review of the mariadb packaging in the SUSE Linux
distribution I discovered that a SUSE specific helper script
"mysql-systemd-helper" unsafely operates with root privileges in the
/var/lib/mysql directory. During initial package installation and during
upgrade scenarios the file /var/lib/mysql/mysql_upgrade_info is
created/overwritten and modified using the following shell commands:

```
echo -n "$MYSQLVER" > "$datadir"/mysql_upgrade_info
chmod 640 "$datadir/mysql_upgrade_info"
```

Since the unprivileged mysql user owns the parent directory it can remove
this file and replace it with a symlink to write/overwrite in privileged
file system locations.

This could mostly be used for denial-of-service purposes, a full privilege
escalation should not be easily achieved by this vulnerability, since the
file content cannot be controlled by a potential attacker.

Future SUSE mariadb packages will keep this file in a safe location in
/var/lib/misc. Older, still supported packages will be fixed soon.

Cheers

Matthias

References
----------

https://bugzilla.suse.com/show_bug.cgi?id=1160895

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer
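The following is an added example, not part of the original message and not SUSE's helper script: a shell sketch of writing the same state file only when the target directory is controlled solely by the calling user, which is the property the move to /var/lib/misc provides. The function names `dir_is_trusted` and `write_version_file` are hypothetical, and GNU `stat -c` and `mv -T` are assumed.

```shell
#!/bin/sh
# Added example: a privileged script should write its state file only into a
# directory that no less-privileged user can modify. Names are hypothetical.

# dir_is_trusted DIR
# Succeeds only if DIR is a real directory (not a symlink), is owned by the
# calling user, and is not writable by group or others.
dir_is_trusted() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    # GNU stat (assumption): %u = owner uid, %a = octal permission bits
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    # Reject when the group-write (020) or other-write (002) bit is set.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
}

# write_version_file DIR VERSION
# Creates DIR/mysql_upgrade_info with mode 640 via a temporary file and an
# atomic rename, so an existing symlink at that name is replaced rather than
# followed. Refuses to write at all if DIR is not trusted.
write_version_file() {
    dir=$1
    version=$2
    dir_is_trusted "$dir" || {
        echo "refusing to write: $dir is not a trusted directory" >&2
        return 1
    }
    # mktemp creates the file exclusively with mode 600.
    tmp=$(mktemp "$dir/.mysql_upgrade_info.XXXXXX") || return 1
    printf '%s' "$version" > "$tmp" &&
        chmod 640 "$tmp" &&
        mv -fT "$tmp" "$dir/mysql_upgrade_info" || {
            rm -f "$tmp"
            return 1
        }
}
```

The ownership and mode check is what makes the temporary-file step safe: in a directory that another user owns, that user can still swap path components between any two commands, so the check must fail there instead of attempting the write.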