MySQL configuration injection makes it run as root
12th Mar 2003 [SBWID-6058]
COMMAND

	MySQL configuration injection makes it run as root

SYSTEMS AFFECTED

	mysql-server 3.23.49-8.2

PROBLEM

	Thanks to Sergei's message:
	
	MySQL Development Team
	   __  ___     ___ ____  __
	  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@mysql.com>
	 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
	/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany
	       <___/
	
	
	
	On Mar 10, Guido A.J. Stevens wrote:
	> 
	> I can confirm this privilege escalation in mysql-server 3.23.49-8.2
	> (debian/stable on linux/i386). Any mysql user with file privileges can 
	> trick the mysql server into running as root on restart of the mysql 
	> subsystem.
	> 
	> bugsman@libero.it wrote:
	> 
	> > mysql>SELECT * INTO OUTFILE '/path/to/mysql/datadir/my.cnf' FROM hack
	> 
	> > Now, when the mysql server will be restarted, the user option in our
	> > datadir my.cnf will 
	

SOLUTION

	This issue has been addressed in 3.23.56 (release build is started
	today), and some steps were taken to alleviate the threat.
	
	In particular, MySQL will no longer read config files that are
	world-writeable (and SELECT ... OUTFILE always creates world-writeable
	files). Also, unlike other options, for the --user option the first one
	will have precedence. So if --user is set in /etc/my.cnf (as it is
	recommended in the manual), datadir/my.cnf will not be able to override
	it.
	
	Fixing this issue in a more robust way would mean introducing too big and
	incompatible changes into the stable version, thus breaking lots of
	installations. It is to be done in 4.1.
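
A defender-side check that models the two mitigations described above, added here as an example; it is not part of the original advisory and is not MySQL's own code. It assumes option files are passed in the order the server reads them (/etc/my.cnf first, then the datadir copy) and that the user option sits in the [mysqld] group; the function names and the sample files built in demo() are constructed for illustration.

```python
import os, stat, tempfile

def read_user_option(path):
    """Return the user= value from the [mysqld] group, or None."""
    group = None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                group = line[1:-1].strip().lower()
            elif group == "mysqld" and "=" in line:
                key, value = line.split("=", 1)
                if key.strip().lower() == "user":
                    return value.strip()
    return None

def audit(paths):
    """Apply both 3.23.56 rules to option files given in read order.
    Returns (effective_user, findings)."""
    effective, findings = None, []
    for path in paths:
        if not os.path.isfile(path):
            continue
        if os.stat(path).st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable, not read"))
            continue
        user = read_user_option(path)
        if user is None:
            continue
        if effective is None:
            effective = user  # the first --user seen takes precedence
        elif user != effective:
            findings.append((path, f"user={user} ignored, first value wins"))
    if effective is None:
        findings.append(("-", "no user option in any trusted file"))
    return effective, findings

def demo(datadir_mode=0o666):
    """Constructed sample: a stand-in for /etc/my.cnf plus a datadir my.cnf."""
    tmp = tempfile.mkdtemp()
    etc, data = os.path.join(tmp, "etc_my.cnf"), os.path.join(tmp, "datadir_my.cnf")
    for path, user, mode in ((etc, "mysql", 0o644), (data, "root", datadir_mode)):
        with open(path, "w") as fh:
            fh.write(f"[mysqld]\nuser={user}\n")
        os.chmod(path, mode)
    return audit([etc, data])

if __name__ == "__main__":
    print(demo())
```

A finding of "no user option in any trusted file" marks the case the advisory's manual recommendation covers: without --user set in /etc/my.cnf, a later non-world-writable file is the first to supply it.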
