2 comments
MySQL: a researcher discloses two "critical" 0-day flaws
13/09/2016
13/09/2016 at 13:42
Indeed, communication is not Oracle's strong suit…
13/09/2016 at 11:24
The flaw was patched by Oracle last week (5.5.52/5.6.33/5.7.15); the article is completely wrong on this point.
 http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html
Privilege escalation was possible by exploiting the way REPAIR TABLE used temporary files. (Bug #24388746) For mysqld_safe, the argument to --malloc-lib now must be one of the directories /usr/lib, /usr/lib64, /usr/lib/i386-linux-gnu, or /usr/lib/x86_64-linux-gnu. In addition, the --mysqld and --mysqld-version options can be used only on the command line and not in an option file. (Bug #24464380) It was possible to write log files ending with .ini or .cnf that later could be parsed as option files. The general query log and slow query log can no longer be written to a file ending with .ini or .cnf. (Bug #24388753)