Bug 1008253 (CVE-2016-6664)

Summary: VUL-0: CVE-2016-6664: mariadb,mysql: Root Privilege Escalation
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, astieger, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/174337/
Whiteboard: CVSSv2:SUSE:CVE-2016-6664:6.8:(AV:L/AC:L/Au:S/C:C/I:C/A:C) CVSSv3.1:SUSE:CVE-2016-6664:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2016-11-03 08:19:04 UTC 
CVE-2016-6664

https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html

=============================================
- Release date: 01.11.2016
- Discovered by: Dawid Golunski
- Severity: High/Critical
- CVE-2016-6664 / OCVE-2016-5617
- http://legalhackers.com
=============================================

I. VULNERABILITY
-------------------------

MySQL / MariaDB / PerconaDB   -   Root Privilege Escalation

MySQL  
	<= 5.5.51
	<= 5.6.32
	<= 5.7.14

MariaDB
	All current

Percona Server
	< 5.5.51-38.2
	< 5.6.32-78-1
	< 5.7.14-8

Percona XtraDB Cluster
	< 5.6.32-25.17
	< 5.7.14-26.17
	< 5.5.41-37.0

References:
CVE-2016-5617: bsc#1005563
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6664
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6664.html
Comment 2 Alexander Bergmann 2016-11-03 15:03:31 UTC 
MariaDB Statement:

"It’s important to note that CVE-2016-6664 is NOT exploitable by itself. Shell access must first be obtained through a vulnerability like CVE-2016-6663. Because CVE-2016-6663 has been fixed and is no longer exploitable, we’ve determined that CVE-2016-6664 is not critical on it’s own and doesn’t warrant an immediate fix to be released. A fix will be included in the next upcoming maintenance releases of MariaDB Server 5.5, 10.0 and 10.1."
Comment 3 Swamp Workflow Management 2016-11-03 23:01:40 UTC 
bugbot adjusting priority
Comment 4 Marcus Meissner 2016-12-01 10:03:04 UTC 
(still open for mariadb, but not urgent)
Comment 7 Swamp Workflow Management 2017-02-07 17:09:07 UTC 
SUSE-SU-2017:0411-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1008253,1020868,1020873,1020875,1020877,1020878,1020882,1020884,1020885,1020891,1020894,1020896,1022428
CVE References: CVE-2016-6664,CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3257,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3317,CVE-2017-3318
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    mariadb-10.0.29-20.23.1
SUSE Linux Enterprise Server 12-LTSS (src):    mariadb-10.0.29-20.23.1
Comment 8 Swamp Workflow Management 2017-02-07 17:11:43 UTC 
SUSE-SU-2017:0412-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1008253,1020868,1020873,1020875,1020877,1020878,1020882,1020884,1020885,1020891,1020894,1020896,1022428
CVE References: CVE-2016-6664,CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3257,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3317,CVE-2017-3318
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Server 12-SP2 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Server 12-SP1 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    mariadb-10.0.29-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    mariadb-10.0.29-22.1
Comment 9 Kristyna Streitova 2017-02-09 12:51:00 UTC 
mysql
-----
It was already fixed within the previous update.


mariadb
-------
|       Codestream       |        Request         |
|------------------------|------------------------|
| SUSE:SLE-12:Update     | #127527                |
| SUSE:SLE-12-SP1:Update | #127361                |
| openSUSE:Leap:42.1     | using sources from SLE |
| openSUSE:Leap:42.2     | using sources from SLE |
| openSUSE:Factory       | #455745                |


All done here. I'm reassigning it back to the security-team.
Comment 10 Andreas Stieger 2017-02-16 20:50:11 UTC 
done
Comment 11 Andreas Stieger 2017-02-16 20:50:25 UTC 
seems all done
Comment 12 Swamp Workflow Management 2017-02-17 03:16:34 UTC 
openSUSE-SU-2017:0486-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1008253,1020868,1020873,1020875,1020877,1020878,1020882,1020884,1020885,1020891,1020894,1020896,1022428
CVE References: CVE-2016-6664,CVE-2017-3238,CVE-2017-3243,CVE-2017-3244,CVE-2017-3257,CVE-2017-3258,CVE-2017-3265,CVE-2017-3291,CVE-2017-3312,CVE-2017-3317,CVE-2017-3318
Sources used:
openSUSE Leap 42.2 (src):    mariadb-10.0.29-18.1
openSUSE Leap 42.1 (src):    mariadb-10.0.29-18.1