Bug 1001367 - (CVE-2016-6663) VUL-0: CVE-2016-6663: mariadb,mysql: Privilege Escalation / Race Condition
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/172510/
CVSSv2:SUSE:CVE-2016-5616:6.0:(AV:L/...
Depends on: 1008318
Reported: 2016-09-27 07:54 UTC by Johannes Segitz
Modified: 2022-02-13 11:15 UTC (History)
Found By: Security Response Team


Description Johannes Segitz 2016-09-27 07:54:36 UTC
Quoting the reporter (Dawid Golunski)

"The CVE-2016-6663 is not public yet. I refer to it in the advisory to
give some heads up in case someone wanted to discard this issue based
on reasoning that FILE privs are not common and that they will never
be pwned etc. It'll soon be published then it'll be clear what this
CVEID is about ;)"

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1378936
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6663
http://seclists.org/oss-sec/2016/q3/602
http://seclists.org/oss-sec/2016/q3/483
Comment 2 Swamp Workflow Management 2016-09-27 22:00:13 UTC
bugbot adjusting priority
Comment 3 Alexander Bergmann 2016-11-03 08:55:54 UTC
Details are now available:

https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
Comment 4 Alexander Bergmann 2016-11-03 12:50:44 UTC
This problem was already fixed in MySQL 5.5.52 that is already available for SLES-11-SP4.

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html

Changes in MySQL 5.5.52

* Privilege escalation was possible by exploiting the way REPAIR TABLE used
  temporary files.
Comment 5 Alexander Bergmann 2016-11-03 12:52:44 UTC
This problem is fixed in MariaDB version 10.0.28:

https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/
https://mariadb.com/kb/en/mariadb/security/

CVE-2016-6663: MariaDB 5.5.52, MariaDB 10.1.18, MariaDB 10.0.28
Comment 7 Kristyna Streitova 2016-11-03 16:23:59 UTC
Submitted for MariaDB:

|       Codestream       | Request |
|------------------------|---------|
| SUSE:SLE-12:Update     | #123567 |
| SUSE:SLE-12-SP1:Update | #123568 |


Reassigning it back to the security team.
Comment 9 Swamp Workflow Management 2016-11-28 19:07:20 UTC
SUSE-SU-2016:2932-1: An update that solves 9 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1001367,1003800,1005555,1005558,1005562,1005564,1005566,1005569,1005581,1005582,1006539,1008318
CVE References: CVE-2016-3492,CVE-2016-5584,CVE-2016-5616,CVE-2016-5624,CVE-2016-5626,CVE-2016-5629,CVE-2016-6663,CVE-2016-7440,CVE-2016-8283
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    mariadb-10.0.28-20.16.2
SUSE Linux Enterprise Server 12-LTSS (src):    mariadb-10.0.28-20.16.2
Comment 10 Swamp Workflow Management 2016-11-28 19:09:26 UTC
SUSE-SU-2016:2933-1: An update that solves 9 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1001367,1003800,1004477,1005555,1005558,1005562,1005564,1005566,1005569,1005581,1005582,1006539,1008318,990890
CVE References: CVE-2016-3492,CVE-2016-5584,CVE-2016-5616,CVE-2016-5624,CVE-2016-5626,CVE-2016-5629,CVE-2016-6663,CVE-2016-7440,CVE-2016-8283
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    mariadb-10.0.28-17.2
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    mariadb-10.0.28-17.2
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    mariadb-10.0.28-17.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    mariadb-10.0.28-17.2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    mariadb-10.0.28-17.2
SUSE Linux Enterprise Server 12-SP2 (src):    mariadb-10.0.28-17.2
SUSE Linux Enterprise Server 12-SP1 (src):    mariadb-10.0.28-17.2
SUSE Linux Enterprise Desktop 12-SP2 (src):    mariadb-10.0.28-17.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    mariadb-10.0.28-17.2
Comment 11 Marcus Meissner 2016-12-01 09:46:07 UTC
We also released MySQL 5.5.53, which also has fixed this problem.
Comment 12 Swamp Workflow Management 2016-12-06 15:07:47 UTC
openSUSE-SU-2016:3025-1: An update that solves 9 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1001367,1003800,1004477,1005555,1005558,1005562,1005564,1005566,1005569,1005581,1005582,1008318,990890
CVE References: CVE-2016-3492,CVE-2016-5584,CVE-2016-5616,CVE-2016-5624,CVE-2016-5626,CVE-2016-5629,CVE-2016-6663,CVE-2016-7440,CVE-2016-8283
Sources used:
openSUSE Leap 42.2 (src):    mariadb-10.0.28-15.1
Comment 13 Swamp Workflow Management 2016-12-06 15:11:24 UTC
openSUSE-SU-2016:3028-1: An update that solves 9 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1001367,1003800,1004477,1005555,1005558,1005562,1005564,1005566,1005569,1005581,1005582,1006539,1008318,990890
CVE References: CVE-2016-3492,CVE-2016-5584,CVE-2016-5616,CVE-2016-5624,CVE-2016-5626,CVE-2016-5629,CVE-2016-6663,CVE-2016-7440,CVE-2016-8283
Sources used:
openSUSE Leap 42.1 (src):    mariadb-10.0.28-15.1