CVE-2016-6662 in Ubuntu

CVE-2016-6662

Priority

Medium

Description

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through
5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before
10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0,
and 5.7.x before 5.7.14-7 allow local users to create arbitrary
configurations and bypass certain protection mechanisms by setting
general_log_file to a my.cnf configuration. NOTE: this can be leveraged to
execute arbitrary code with root privileges by setting malloc_lib. NOTE:
the affected MySQL version information is from Oracle's October 2016 CPU.
Oracle has not commented on third-party claims that the issue was silently
patched in MySQL 5.5.52, 5.6.33, and 5.7.15.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
https://mariadb.com/kb/en/mariadb/mariadb-10027-release-notes/
https://usn.ubuntu.com/usn/usn-3078-1

Bugs

https://bugzilla.novell.com/show_bug.cgi?id=CVE-2016-6662

Package

Source: mariadb-10.0 (LP Ubuntu Debian)

Upstream:	released (10.0.27)
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	released (10.0.27-0ubuntu0.16.04.1)
Ubuntu 17.04 (Zesty Zapus):	DNE
Ubuntu 17.10 (Artful Aardvark):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE

Package

Source: percona-xtradb-cluster-5.6 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	released (5.6.34-26.19-0ubuntu0.16.04.1)
Ubuntu 17.04 (Zesty Zapus):	not-affected (5.6.34-26.19-0ubuntu1)
Ubuntu 17.10 (Artful Aardvark):	not-affected (5.6.34-26.19-0ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver):	not-affected (5.6.34-26.19-0ubuntu1)

Package

Source: mariadb-5.5 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	released (5.5.52-1ubuntu0.14.04.1)
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 17.04 (Zesty Zapus):	DNE
Ubuntu 17.10 (Artful Aardvark):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE

Package

Source: percona-server-5.6 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	needed
Ubuntu 17.04 (Zesty Zapus):	needed
Ubuntu 17.10 (Artful Aardvark):	needed
Ubuntu 18.04 LTS (Bionic Beaver):	needed

Package

Source: percona-xtradb-cluster-5.5 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	needed
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 17.04 (Zesty Zapus):	DNE
Ubuntu 17.10 (Artful Aardvark):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE

Package

Source: mysql-5.7 (LP Ubuntu Debian)

Upstream:	released (5.7.15)
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	released (5.7.15-0ubuntu0.16.04.1)
Ubuntu 17.04 (Zesty Zapus):	released (5.7.15-0ubuntu2)
Ubuntu 17.10 (Artful Aardvark):	released (5.7.15-0ubuntu2)
Ubuntu 18.04 LTS (Bionic Beaver):	released (5.7.15-0ubuntu2)

Package

Source: mysql-5.6 (LP Ubuntu Debian)

Upstream:	released (5.6.33)
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	released (5.6.33-0ubuntu0.14.04.1)
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 17.04 (Zesty Zapus):	DNE
Ubuntu 17.10 (Artful Aardvark):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE

Package

Source: mysql-5.5 (LP Ubuntu Debian)

Upstream:	released (5.5.52)
Ubuntu 12.04 ESM (Precise Pangolin):	released (5.5.52-0ubuntu0.12.04.1)
Ubuntu 14.04 LTS (Trusty Tahr):	released (5.5.52-0ubuntu0.14.04.1)
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 17.04 (Zesty Zapus):	DNE
Ubuntu 17.10 (Artful Aardvark):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE

More Information

Updated: 2017-12-15 20:17:35 UTC (commit 13913)