Bugzilla – Full Text Bug Listing |
Summary: | VUL-0: CVE-2014-4274: mysql: user can load arbitrary DSO as plugin | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sebastian Krahmer <krahmer> |
Component: | Incidents | Assignee: | Kristyna Streitova <kstreitova> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Normal | ||
Priority: | P3 - Medium | CC: | jsegitz, kstreitova, meissner, security-team, stefan.nordhausen |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
Whiteboard: | maint:released:sle11-sp3:60892 | ||
Found By: | --- | Services Priority: | |
Business Priority: | | Blocker: | --- |
Marketing QA Status: | --- | IT Deployment: | --- |
Description
Sebastian Krahmer
2014-01-07 13:13:19 UTC
Verified, was able to create /var/lib/mysql/my.cnf on my 13.1, for some reason it was ignored there, but was read and used on 12.3. A more dangerous thing would be to actually put 'skip-grant-tables' there. With that, after either crashing or restarting MySQL, the attacker has full root access to all MySQL databases. SLE11 should be pretty close to what we have in 12.3. There were some similar symlink issues in the past, hopefully it will be addressed fast in upstream.

Assigning new MySQL maintainer, keeping myself in CC

bugbot adjusting priority

What are we going to do about this?

Did you report this issue to Oracle? Did you receive a response from them?

Yesterday, I got an email from Oracle indicating that this is finally fixed now. The mail said

Tracking #: S0415779
Description: LOCAL USER CAN RUN ARBITRARY CODE IN THE CONTEXT OF THE MYSQL SERVER
Status: Issue fixed in main codeline, scheduled for a future CPU

Thank you, Stefan! Michal Hrusecki and I have been talking to the Oracle release managers in person during the openSUSE conference, and exchanged about the problem, so it was on their radar.

Are you content with attributing the secure_file_priv problem to Stefan Nordhausen?

Thank you, Roman. This particular issue does not have a CVE yet, right? Or did Oracle assign one?

"future CPU" means probably not the April 2014 one, but the July/June 2014 CPU. So do not mention this bug yet, but continue with the update?

Affected packages:
SLE-10-SP3-TERADATA: mysql
SLE-11-SP3: mysql

Stefan, is this http://seclists.org/oss-sec/2014/q3/553 ? If yes, I would make this bug public and we can offer information there.

That sounds very much like this issue, especially because it says "MyISAM temporary files" and not "MySQL temporary files". MyISAM isn't producing that many temporary files. But the last update from Oracle was on August 22nd and again just said "Issue fixed in main codeline, scheduled for a future CPU". I'll ask them if the fix was already released and somebody just forgot to close an internal ticket.

https://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4638 seems the fix referenced...

yeah

any news?

Line referenced in the Comment 17 exists in mysql-5.0.96 in SLE11 (twice) and in the mysql-5.0.26 in SLE10 SP3 (twice), but not in the mysql-5.5.39 in SLE11 SP3. It's not in the SLE12 mariadb either. Regarding Bug 896400 and CVE-2014-4274, it's about MyISAM temporary files as well, but the version number where it was fixed doesn't match. Either the changelog is not exact or there is another bug.

The updates are prepared. We are waiting for confirmation that Bug 857678 and Bug 896400 are equal.

12.3 and 13.1: https://build.opensuse.org/project/show/home:kstreitova:branches:OBS_Maintained:mariadb
Factory is not affected.

SLE10 SP3 and SLE11: https://build.suse.de/project/show/home:kstreitova:branches:OBS_Maintained:mysql
SLE11 SP3 and SLE12 are not affected.

Seems that Oracle is finally releasing the patch. This is what I got from them on Friday evening:

The following issue reported by you is fixed in the upcoming Critical Patch Update, due to be released at 1:00 PM, U.S. Pacific Time, on October 14, 2014. We ask that any information that you plan to publish regarding this issue be released after this date and time. This Critical Patch Update will contain a fix for the following issue:

Reporter: Stefan Nordhausen
S0415779 LOCAL USER CAN RUN ARBITRARY CODE IN THE CONTEXT OF THE MYSQL SERVER

This is very likely the bug 896400 / CVE-2014-4274 issue.

making public, feel free to close when we have released this

An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-03-04. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60717

released

SUSE-SU-2015:0620-1: An update that fixes 33 vulnerabilities is now available.

Category: security (important)
Bug References: 857678,868673,878779,901237,914058
CVE References: CVE-2012-5615,CVE-2014-0224,CVE-2014-4274,CVE-2014-4287,CVE-2014-6463,CVE-2014-6464,CVE-2014-6469,CVE-2014-6474,CVE-2014-6478,CVE-2014-6484,CVE-2014-6489,CVE-2014-6491,CVE-2014-6494,CVE-2014-6495,CVE-2014-6496,CVE-2014-6500,CVE-2014-6505,CVE-2014-6507,CVE-2014-6520,CVE-2014-6530,CVE-2014-6551,CVE-2014-6555,CVE-2014-6559,CVE-2014-6564,CVE-2014-6568,CVE-2015-0374,CVE-2015-0381,CVE-2015-0382,CVE-2015-0385,CVE-2015-0391,CVE-2015-0409,CVE-2015-0411,CVE-2015-0432
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): mysql-5.0.96-0.6.20, mysql-5.5.42-0.8.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): mysql-5.0.96-0.6.20, mysql-5.5.42-0.8.1
SUSE Linux Enterprise Server 11 SP3 (src): mysql-5.0.96-0.6.20, mysql-5.5.42-0.8.1
SUSE Linux Enterprise Desktop 11 SP3 (src): mysql-5.0.96-0.6.20, mysql-5.5.42-0.8.1
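The first comment in this thread reports that a my.cnf placed in the data directory was read by the server and that 'skip-grant-tables' in it would remove authentication. The following audit helper is an added example, not part of the bug report or of any SUSE or Oracle tooling: it flags an option file inside a data directory and the risky options it sets. The option set, function names and sample file are assumptions made for this example.

```python
import os
import re

# skip-grant-tables is named in the thread and plugin loading is the bug's
# summary; plugin-dir is this example's own addition because it controls
# where plugins are loaded from. Adjust the set to local policy.
RISKY_OPTIONS = {"skip-grant-tables", "plugin-load", "plugin-dir"}

def normalize(name):
    """MySQL treats '-' and '_' alike in option names and accepts a 'loose-' prefix."""
    name = name.strip().lower().replace("_", "-")
    return name[len("loose-"):] if name.startswith("loose-") else name

def audit_option_text(text):
    """Return [(section, option, value)] for risky options in option-file text."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, _, value = line.partition("=")
        option = normalize(name)
        if option in RISKY_OPTIONS:
            findings.append((section, option, value.split("#", 1)[0].strip()))
    return findings

def audit_datadir(datadir):
    """Report an option file inside the data directory and what it sets."""
    path = os.path.join(datadir, "my.cnf")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return {"path": path, "owner_uid": os.stat(path).st_uid,
                "risky": audit_option_text(fh.read())}

# Constructed sample option file, not taken from the report.
SAMPLE = """\
[mysqld]
# dropped into the data directory
skip_grant_tables
loose-plugin-load = example.so   # constructed name
"""

if __name__ == "__main__":
    for finding in audit_option_text(SAMPLE):
        print(finding)
```

Any non-None result from `audit_datadir("/var/lib/mysql")` deserves review on its own, since the data directory is writable by the database user; the `risky` list only ranks how urgent it is.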