CVE-2017-3312

First published: Tue Jan 17 2017(Updated: )

MySQL versions 5.5.52, 5.6.33, and 5.7.15 corrected a flaw in the way error log file was handled by mysqld_safe script. The issue allows mysql system user to escalate their privileges to root, and got two CVE ids assigned - <a href="https://access.redhat.com/security/cve/CVE-2016-6664">CVE-2016-6664</a> and <a href="https://access.redhat.com/security/cve/CVE-2016-5617">CVE-2016-5617</a> - see <a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2016-5617 mysql: insecure error log file handling in mysqld_safe (CPU Oct 2016)" href="show_bug.cgi?id=1386564">bug 1386564</a>. The original fix was applied as part of the patch for another issue - CVE-2016-6662: <a href="https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c">https://github.com/mysql/mysql-server/commit/684a165f28b3718160a3e4c5ebd18a465d85e97c</a> The fix attempted to prevent script from using touch/chown/chmod on the configured log file if it was a symbolic link. This fix was found to be incomplete and having the following issues: - Fix was racy, and the race was quite easy to win. Changing ownership and mode of arbitrary files was still possible. - After the fix, mysqld_safe no longer tried to change ownership or mode of the log file if it was symlink, but it still used the file for logging and written new log entries to it. This allowed arbitrary file corruption, at least. - It was possible to set log-error to point to arbitrary file, bypassing symlinks checks added by the fix. These additional problems were corrected in versions 5.5.54, 5.6.35, and 5.7.17: Unsafe use of rm and chown in mysqld_safe could result in privilege escalation. chown now can be used only when the target directory is /var/log. An incompatible change is that if the directory for the Unix socket file is missing, it is no longer created; instead, an error occurs. Due to these changes, /bin/bash is required to run mysqld_safe on Solaris. /bin/sh is still used on other Unix/Linux platforms. <a href="http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html">http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-54.html</a> <a href="http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html">http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-35.html</a> <a href="http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html">http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-17.html</a> via the following commit: <a href="https://github.com/mysql/mysql-server/commit/1f93f4381b60e3a8012ba36a4dec920416073759">https://github.com/mysql/mysql-server/commit/1f93f4381b60e3a8012ba36a4dec920416073759</a> This fix, however, effectively disables mysqld_safe's logging to file if the script is running as root.

Credit: secalert_us@oracle.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/type
• agent/first-publish-date
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2017-3312
• agent/author
• agent/references
• agent/severity
• agent/remedy
• agent/description
• collector/mitre-cve
• source/MITRE
• collector/nvd-index
• agent/software-canonical-lookup-request
• collector/nvd-api
• source/NVD
• agent/software-canonical-lookup
• agent/last-modified-date
• agent/source
• agent/softwarecombine
• agent/tags
• agent/event
• vendor/oracle
• canonical/mysql
• version/mysql/5.5.0
• version/mysql/5.5.53
• version/mysql/5.6.0
• version/mysql/5.6.34
• version/mysql/5.7.0
• version/mysql/5.7.16
• vendor/debian
• canonical/debian linux
• version/debian linux/8.0
• vendor/mariadb
• canonical/mariadb
• version/mariadb/5.5.0
• version/mariadb/10.0.0
• version/mariadb/10.1.0