
Re: mysql-5.5 CVE-2016-6662



On 2016-09-12 18:34:34, Brian May wrote:
> Hello,
>
> I had a look at CVE-2016-6662. Looks pretty simple to understand. Looks
> like the ability for mysqld to create arbitrary log files - that may
> overwrite/create config files with write permissions for the mysql user
> - is a key factor.
>
> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
>
> Anyone been able to find the upstream changes that address this?

I summarily looked in both Percona and MariaDB's git history, without
luck.

I added a note to the security tracker explaining that there's an
upstream MySQL release that fixes this. They have specific bug numbers
in their release notes that may be useful to track specific changesets
there.

What I read about the vulnerability is that it's not as bad as it
seems. It requires pretty high privilege (SUPER and FILE) to exploit,
but it does provide a significant escalation mechanism (mysql to root).
So it shouldn't be neglected, particularly in the light of the supposed
*other* escalation (CVE-2016-6663) that may be published later.

A.
-- 
The reasonable man adapts himself to the world.
The unreasonable man persists in trying to adapt the world to himself.
Therefore, all progress depends on the unreasonable man.
                        - George Bernard Shaw
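
A defender-side check for the condition the thread identifies (config files that the mysql user can overwrite or create), as an added example that is not part of the original messages. The account name `mysql` and the candidate paths are assumptions to adjust for the local install; the check reads mode bits only and ignores ACLs.

```python
import os
import pwd
import stat

def _allowed(st, uid, gids, u_bit, g_bit, o_bit):
    # POSIX class selection: owner first, then group, then other.
    if st.st_uid == uid:
        return bool(st.st_mode & u_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & g_bit)
    return bool(st.st_mode & o_bit)

def write_access(path, uid, gids):
    """Return 'overwrite', 'create' or None for the account (uid, gids)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        try:
            parent = os.stat(os.path.dirname(path) or ".")
        except FileNotFoundError:
            return None
        # Creating a file needs write and search permission on the directory.
        w = _allowed(parent, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
        x = _allowed(parent, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
        return "create" if (w and x) else None
    ok = _allowed(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    return "overwrite" if ok else None

def audit(paths, uid, gids):
    """Map each risky path to the kind of write access the account has."""
    findings = {}
    for p in paths:
        result = write_access(p, uid, gids)
        if result:
            findings[p] = result
    return findings

if __name__ == "__main__":
    # Assumed option-file locations and account name; adjust for the local install.
    candidates = ["/etc/my.cnf", "/etc/mysql/my.cnf", "/var/lib/mysql/my.cnf"]
    try:
        acct = pwd.getpwnam("mysql")
    except KeyError:
        raise SystemExit("no 'mysql' account on this host")
    groups = set(os.getgrouplist(acct.pw_name, acct.pw_gid))
    for path, kind in audit(candidates, acct.pw_uid, groups).items():
        print(f"{path}: mysql user can {kind} this file")
```

Any path reported should be owned by root and not writable by the mysql user, or sit in a directory where that user cannot create files.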

