michael orlitzky

CVE-2017-15945: dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera root privilege escalation via chown in ebuild phase functions

Product
Gentoo Linux dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera packages
Versions affected
  dev-db/mysql
    5.5.x series: 5.5.57 and earlier
    5.6.x series: 5.6.36 and earlier, 5.6.37
  dev-db/mariadb
    5.5.x series: 5.5.57 and earlier
    10.0.x series: 10.0.30 and earlier
    10.1.x series: 10.1.24 and earlier
    10.2.x series: 10.2.8 and earlier
  dev-db/percona-server
    5.6.37.82.2 and earlier
  dev-db/mysql-cluster
    7.2.x series: 7.2.22 and earlier
    7.3.x series: 7.3.11 and earlier
  dev-db/mariadb-galera
    10.0.30 and earlier
Published on
2017-10-27
Author
Michael Orlitzky
Fixed in
commits 5a4dfd9, 40984ff, and b19f619
Bug report
https://bugs.gentoo.org/630822
MITRE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15945
Acknowledgements
Brian Evans for noticing that the MySQL eclasses suffered from the same problem, and for fixing everything. Thomas Deutschmann for researching the mitigation procedure.

Summary

Recent versions of dev-db/mariadb and all consumers of the MySQL eclasses allow their local unprivileged users to gain root by creating links on which chown is called during the pkg_postinst and pkg_config ebuild phases.

Details

More details, exploit examples, and mitigation suggestions are discussed in my article, End root chowning now (make pkg_postinst great again).
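
The summary above turns on links sitting inside a directory that root later chowns. The following is an added example, not part of this advisory or of the Gentoo fixes: a shell check that lists the symlinks and multiply-linked files under a directory before any root-run recursive chown touches it. The function names, the sample tree, and the directory you pass in are assumptions; the advisory names no paths.

```shell
#!/bin/sh
# Added example, not from the advisory: list the links a root-run recursive
# chown would act on. The directory passed in is the caller's choice; the
# advisory itself names no paths.

# audit_links DIR
#   Prints "symlink<TAB>path -> target" for every symbolic link and
#   "hardlink<TAB>path" for every regular file with more than one name.
#   Returns 0 if none were found, 1 if any were, 2 if DIR is not a directory.
audit_links() {
    dir=$1
    [ -d "$dir" ] || { echo "audit_links: not a directory: $dir" >&2; return 2; }
    found=$(
        # -xdev: hard links cannot cross filesystems, so stay on this one.
        find "$dir" -xdev -type l -exec sh -c '
            for p; do printf "symlink\t%s -> %s\n" "$p" "$(readlink "$p")"; done
        ' sh {} +
        find "$dir" -xdev -type f -links +1 -exec sh -c '
            for p; do printf "hardlink\t%s\n" "$p"; done
        ' sh {} +
    )
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample tree: data/ holds one ordinary file, one symlink and one
# hard link, the last two pointing at files outside data/.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/data" "$t/elsewhere"
    : > "$t/data/plain"
    : > "$t/elsewhere/target"
    : > "$t/elsewhere/shared"
    ln -s ../elsewhere/target "$t/data/sym"
    ln "$t/elsewhere/shared" "$t/data/hard"
    echo "$t"
}

sample=$(make_sample_tree)
audit_links "$sample/data" || true   # reports data/sym and data/hard
rm -rf "$sample"
```

Any line of output for a directory that a non-root account can write to deserves a look before root changes ownership there. File names containing newlines would split across output lines.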

Mitigation

New revisions have been made of all affected packages. As a result, users need only update to the latest stable versions of the affected packages.