[debian-mysql] Bug#606601: mysql-server-5.0: affected by privilege escalation vulnerability in logrotate

[Florian Zumbiehl]

Package: mysql-server-5.0
Version: 5.0.51a-24+lenny1
Severity: grave
Justification: privilege escalation vulnerability
Tags: security

There was a privilege escalation vulnerability in logrotate that I reported
about four years ago and which finally got fixed in testing rouhgly one
year ago (see bug #388608). In lenny this vulnerability still exists and
logrotate's maintainer doesn't seem to be interested in fixing it,
given that nothing of substance has happened since when I last notified him
of the problem about two weeks ago.

As a proof of concept, I did successfully use it to elevate my privileges
from the postgres user to root. As it affects packages where the log
directory is writable for the package's system user, I based this mass
filing on a rough analysis of maintainer scripts, avoiding the effort
of actually installing and testing each individual package.

These lines from this package's maintainer scripts suggest that it likely
is affected by the vulnerability:

---------------------------------------------------------------------------
chown -R mysql:adm $mysql_newlogdir;	chmod 2750 $mysql_newlogdir;
chown mysql:adm   $mysql_logdir/mysql.$i
chmod 0640        $mysql_logdir/mysql.$i
---------------------------------------------------------------------------

Please note that the analysis this mass filing is based on also is
roughly a year old, and anyhow I don't recall which debian suite I based
it on at that time--as such, this report may be against the wrong version
and otherwise outdated in some details. Given how much effort I have
already needlessly put into this, I hope you have some understanding
for me not polishing this bug report.

Primarily I am filing this bug in order to allow the maintainers of
packages using logrotate to work around logrotate if they deem that
necessary.

Also, you should note that the security fix in testing introduces a
regression that may also affect this package which could cause data loss
in situations where this couldn't happen before. A fix for this regression
is available to logrotate's maintainer, also still unapplied for over a
year. A mass filing against packages affected by that regression may
follow later.

For some further details please see my announcement of this mass
filing on debian-qa:

http://lists.debian.org/debian-qa/2010/11/msg00024.html

I would also suggest to use that thread for any further discussion that
is not specific to this package and possibly for coordination between
maintainers of affected packages in order to avoid duplicated efforts
where possible.