On Wed, Sep 14, 2016 at 09:07:32AM -0400, Roberto C. Sánchez wrote:
>
> That is not to say that they couldn't have addressed the vulnerabilities
> without contacting David to tell him that they had done so. That said,
> the exploit is explained in a very detailed and methodical way in the
> advisory. Later on today I will work on replicating the exploit using
> the latest 5.5.52 packages from Ubuntu to confirm that this version in
> fact does fix the vulnerability.
>
By the time I got to this I saw that the security team had uploaded 5.5.52 to jessie, so I used that as a testbed. The 5.5.52 update does in fact prevent the exploit from taking place. Specifically, the error message indicates that MySQL now rejects writing the query output to a file that ends in .cnf or .ini. I was able to change the file name and MySQL would still write it, but an arbitrarily named file clearly doesn't accomplish the objective of the exploit.

That said, the references in the advisory to the imminent CVE-2016-6663 make me think that there is likely more to this.

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
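The check described in the message above, written out as an added example (it is not code from the original post or from the MySQL project): a patched server should refuse SELECT ... INTO OUTFILE when the target name ends in .cnf or .ini, while an arbitrary name is still written. The datadir path /var/lib/mysql and the file names are assumptions; the account running it needs the FILE privilege.

```sql
-- Added example, not part of the original post or of MySQL itself.
-- Minimal regression check for the behaviour reported above on 5.5.52:
-- a .cnf/.ini target for INTO OUTFILE is rejected, any other name is
-- still written. The path /var/lib/mysql (the datadir) is an assumption;
-- adjust it to the test host. Run as an account holding FILE.

-- 1. Record the server build and the file-writing restriction in effect.
--    An empty secure_file_priv (the 5.5 default) lets INTO OUTFILE write
--    to any directory the mysqld user can write to, so the datadir is a
--    usable target.
SELECT VERSION();
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. The case the post reports as blocked: a .cnf (and, by the same
--    rule, .ini) target name. Expected on 5.5.52: each statement fails
--    with an error and no probe.cnf / probe.ini appears on disk.
SELECT 'probe' INTO OUTFILE '/var/lib/mysql/probe.cnf';
SELECT 'probe' INTO OUTFILE '/var/lib/mysql/probe.ini';

-- 3. Control: an arbitrary name is still written, as the post observed.
--    Expected: "Query OK" and /var/lib/mysql/probe.txt exists afterwards,
--    owned by the mysqld user.
SELECT 'probe' INTO OUTFILE '/var/lib/mysql/probe.txt';

-- 4. There is no SQL statement to remove the control file; delete it from
--    the shell afterwards (rm /var/lib/mysql/probe.txt) as a user who can
--    write to the datadir, so the probe does not linger.
```

Feed the script to the client with `mysql --force < check.sql` (or run the statements interactively): without `--force` the client stops at the first error, and the expected failures in step 2 would prevent the control in step 3 from running. Step 2 passing and step 3 failing would indicate a broader write restriction (such as a non-empty secure_file_priv) rather than the .cnf/.ini fix, so check the variable from step 1 before drawing a conclusion.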