
Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Not a Bug
    • Server
    • Fedora / RHEL / CentOS Stream / upstream RPMs

    Description

      Hello,
      I am digging through an old CVE, CVE-2017-3291.

      It explains that the `--ledir` option of mysqld_safe MUST NOT be accepted from a config file, as an attacker with permission to edit at least some config files can re-define it to run a malicious custom version of the server from a custom location.

      This was fixed in MySQL upstream in this commit:
      https://github.com/mysql/mysql-server/commit/53230ba274a37fa13d65e802c6ef3766cd0c6d91#diff-c9bb8f11d208a2bbeb6a062052ea37cfed9bc624b0b8222c063ae8df901a0019L221

      And it is present in the MySQL code base to this day:
      https://github.com/mysql/mysql-server/blob/8.0/scripts/mysqld_safe.sh#L248

      MariaDB upstream claims it fixed the CVE in:
      MariaDB 5.5.54, MariaDB 10.1.21, MariaDB 10.0.29
      https://mariadb.com/kb/en/security/

      The commit that implemented the fix in MariaDB 10.1.21 is this:
      https://github.com/MariaDB/server/commit/8fcdd6b0ecbb966f4479856efe93a963a7a422f7#diff-c9bb8f11d208a2bbeb6a062052ea37cfed9bc624b0b8222c063ae8df901a0019R242

      The fix is present in the MariaDB 10.1 series to this day:
      https://github.com/MariaDB/server/blob/10.1/scripts/mysqld_safe.sh#L332

      But it never made it into MariaDB 10.2 and later:
      https://github.com/MariaDB/server/blob/10.2/scripts/mysqld_safe.sh#L343
      https://github.com/MariaDB/server/blob/11.2/scripts/mysqld_safe.sh#L330

      So it seems like a security regression in the upstream code of MariaDB.


      mysqld_safe is meant to be used on distros without systemd:

      mysqld_safe is the recommended way to start mysqld on Linux and Unix distributions that do not support systemd. Additionally, the mysql.server init script used by sysVinit starts mysqld with mysqld_safe by default.

      As per: https://mariadb.com/kb/en/mysqld_safe/

      Neither Fedora, CentOS Stream, RHEL:
      https://gitlab.com/redhat/centos-stream/rpms/mariadb/-/blob/c9s/mysql.service.in#L41
      nor upstream:
      https://github.com/MariaDB/server/blob/11.3/support-files/mariadb.service.in#L94
      use it in the Systemd service files.

      That IMO greatly reduces the attack surface, as the server admin would have to configure a custom systemd service file for starting the DB so that it would use mysqld_safe.


      I'm not sure how the regression came to be.
      It doesn't seem to be intended, as it was not reverted. It was just never applied in MariaDB 10.2, as far as I can tell.

      However, since we (upstream, Fedora, CentOS Stream, RHEL) all still ship mysqld_safe (or mariadb-safe), I'd like to clarify whether it is an overlooked regression, or whether the basis for this CVE does not exist to begin with in MariaDB 10.2 and later.
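The defensive check the report is about, as an added example that is not part of the Jira issue and not MariaDB's own mysqld_safe.sh: the CVE-2017-3291 fix makes mysqld_safe refuse `ledir` when it arrives from an option file, so an administrator running a MariaDB version without that fix can instead audit the option files themselves. The `check_ledir` function, the section-tracking awk program and the sample `my.cnf` content below are all constructed for this example; section names are only reported, not used to filter, because mysqld_safe reads several option groups.

```shell
#!/bin/sh
# Added example (not from the Jira report or from MariaDB's scripts):
# audit MySQL/MariaDB option files for a "ledir" setting. The upstream
# CVE-2017-3291 fix accepts --ledir on the command line only, so any
# ledir found in a config file is something an admin should reject.

# check_ledir FILE...
#   Prints "file:line: [section] text" for every ledir setting found in
#   any section of the given option files. Returns 1 if at least one was
#   found, 0 if the files are clean.
check_ledir() {
    awk '
        # Reset the section name at the start of each file.
        FNR == 1 { section = "" }
        # Remember the current [section] so the report can show it.
        /^[ \t]*\[/ {
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\][ \t]*.*$/, "", section)
            next
        }
        # Comment lines (# or ;) are never options.
        /^[ \t]*[#;]/ { next }
        # "ledir", optionally followed by "= value". Keys such as
        # "ledir_other" do not match because "_" is neither "=" nor EOL.
        /^[ \t]*ledir[ \t]*(=|$)/ {
            printf "%s:%d: [%s] %s\n", FILENAME, FNR, section, $0
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Demo on a constructed option file (sample content, not a real config).
demo_dir=$(mktemp -d)
cat > "$demo_dir/my.cnf" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
# ledir=/opt/commented-out   (a comment, must not be reported)

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
ledir = /tmp/untrusted-bin
EOF

if check_ledir "$demo_dir/my.cnf"; then
    echo "clean: no ledir in option files"
else
    echo "REJECT: ledir must only be given on the mysqld_safe command line"
fi
rm -rf "$demo_dir"
```

Run it as `sh check_ledir.sh` for the demo, or source it and call `check_ledir /etc/my.cnf /etc/my.cnf.d/*.cnf` to audit a real installation; a non-zero exit status means at least one config-file `ledir` was found.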

          People

            serg Sergei Golubchik
            mschorm Michal Schorm