CVE-2017-15945: dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera root privilege escalation via chown in ebuild phase functions
posted 2017-10-27
- Product
  - Gentoo Linux dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera packages
- Versions affected
  - dev-db/mysql
    - 5.5.x series: 5.5.57 and earlier
    - 5.6.x series: 5.6.36 and earlier, 5.6.37
  - dev-db/mariadb
    - 5.5.x series: 5.5.57 and earlier
    - 10.0.x series: 10.0.30 and earlier
    - 10.1.x series: 10.1.24 and earlier
    - 10.2.x series: 10.2.8 and earlier
  - dev-db/percona-server: 5.6.37.82.2 and earlier
  - dev-db/mysql-cluster
    - 7.2.x series: 7.2.22 and earlier
    - 7.3.x series: 7.3.11 and earlier
  - dev-db/mariadb-galera: 10.0.30 and earlier
- Published on
  - 2017-10-27
- Fixed in
  - commits 5a4dfd9, 40984ff, and b19f619
- Bug report
  - https://bugs.gentoo.org/630822
- MITRE
  - CVE-2017-15945
- Acknowledgements
  - Brian Evans for noticing that the MySQL eclasses suffered from the same problem, and for fixing everything. Thomas Deutschmann for researching the mitigation procedure.
Summary
Recent versions of dev-db/mariadb and all consumers of the MySQL
eclasses allow their local unprivileged users to gain root by
creating links on which chown is called during the pkg_postinst
and pkg_config ebuild phases.
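The following shell functions are an added illustration, not part of this advisory or of the Gentoo packages. They audit a directory tree for the two kinds of links that make a root-run chown dangerous. The directory argument is an assumption, for example a data directory owned by the service account.

```shell
#!/bin/sh
# Added example: audit a tree that root is about to chown.
# Assumption: the caller passes a directory that an unprivileged
# account can write to (the advisory does not name one).

# Print every entry under DIR through which a root-run chown could
# be redirected to a file the unprivileged account does not own:
#   symlink   a plain chown on this path follows the link and
#             changes the owner of its target (chown -h does not)
#   hardlink  a regular file with more than one name; the inode's
#             owner changes for every name, including any that
#             live outside DIR
risky_links() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "risky_links: not a directory: $dir" >&2
        return 2
    fi
    # -xdev keeps the scan on one filesystem.
    find "$dir" -xdev -type l -exec printf 'symlink\t%s\n' {} \;
    find "$dir" -xdev -type f -links +1 -exec printf 'hardlink\t%s\n' {} \;
}

# Return 0 only when the tree holds no symlinks and no
# multiply-linked regular files; 1 when it does; 2 on bad input.
tree_is_clean() {
    out=$(risky_links "$1") || return 2
    [ -z "$out" ]
}
```

Checking and then chowning is still racy while the tree's owner can write to it, so this is an audit of an existing tree rather than a guard in front of chown; the fix itself is the updated package revisions.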
Details
More details, exploit examples, and mitigation suggestions are
discussed in my article, "End root chowning now (make pkg_postinst
great again)".
Mitigation
New revisions have been made of all affected packages. As a result,
users need only update to the latest stable versions of the affected
packages.