oss-sec mailing list archives
CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script
From: Matthias Gerstner <mgerstner () suse de>
Date: Wed, 5 Feb 2020 13:45:21 +0100
Hello list,

in the course of a review of the mariadb packaging in the SUSE Linux distribution I discovered that a SUSE specific helper script "mysql-systemd-helper" unsafely operates with root privileges in the /var/lib/mysql directory [1].

During initial package installation and during upgrade scenarios the file /var/lib/mysql/mysql_upgrade_info is created/overwritten and modified using the following shell commands:

```
echo -n "$MYSQLVER" > "$datadir"/mysql_upgrade_info
chmod 640 "$datadir/mysql_upgrade_info"
```

Since the unprivileged mysql user owns the parent directory it can remove this file and replace it with a symlink to write/overwrite in privileged file system locations.

This could mostly be used for denial-of-service purposes; a full privilege escalation should not be easily achieved by this vulnerability, since the file content cannot be controlled by a potential attacker.

Future SUSE mariadb packages will keep this file in a safe location in /var/lib/misc. Older, still supported packages will be fixed soon.

Cheers

Matthias

References
----------

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1160895

--
Matthias Gerstner <matthias.gerstner () suse de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer
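The fix described in the message is to keep the marker file in a directory the mysql user cannot write to. The following is an added example, not code from the SUSE package or from the original post: a privileged writer that refuses any directory another user could modify and replaces the file by rename, so a symlink left at the target path is never followed. The function names are hypothetical, and GNU coreutils (`stat -c`, `mv -T`) are assumed.

```shell
#!/bin/sh
# Added example: hardened replacement for the echo/chmod pair quoted above.
# dir_is_trusted and write_upgrade_marker are hypothetical names.
# Assumes GNU coreutils (stat -c, mv -T).

# Succeeds only if $1 is a real directory (not a symlink), owned by the
# calling user and not writable by group or others, so that no other
# account can plant or swap links inside it.
dir_is_trusted() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    # Reject group/other write bits (octal 022).
    [ "$(( 0$mode & 022 ))" -eq 0 ] || return 1
}

# Writes $2 into $1/mysql_upgrade_info with mode 640.
# The content goes into a fresh temp file (mktemp creates it exclusively),
# which is then renamed over the target. rename(2) replaces a symlink at
# the target path instead of writing through it.
write_upgrade_marker() {
    dir=$1
    version=$2
    dir_is_trusted "$dir" || {
        echo "refusing: $dir is not a trusted directory" >&2
        return 1
    }
    tmp=$(mktemp "$dir/.mysql_upgrade_info.XXXXXX") || return 1
    printf '%s' "$version" > "$tmp" &&
        chmod 640 "$tmp" &&
        mv -T -f "$tmp" "$dir/mysql_upgrade_info" || {
            rm -f "$tmp"
            return 1
        }
}
```

The ownership check is what makes the temp-file step safe: in a directory owned by an unprivileged user, that user could still swap the temp file between creation and write, which is why the file has to live in a directory such as the /var/lib/misc location named in the message.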