mysql.txt

This does not seem to be exploitable on clean installs of Debian 7/8

Package versions:

5.5.49-0+deb8u1

5.5.31+dfsg-0+wheezy1

(both supposedly affected)

The mysqld_safe script runs as follows:

    + MY_BASEDIR_VERSION=/usr
    + ledir=/usr/sbin
    + test -d /usr/data/mysql
    + test -d /usr/var/mysql
    + DATADIR=/var/lib/mysql
    + test -z
    + test -r /usr/my.cnf
    + test -r /var/lib/mysql/my.cnf
    + log_error WARNING: Found /var/lib/mysql/my.cnf
    The data directory is a deprecated location for my.cnf, please move it to
    /usr/my.cnf
    + log_generic daemon.error WARNING: Found /var/lib/mysql/my.cnf
    The data directory is a deprecated location for my.cnf, please move it to
    /usr/my.cnf
    + priority=daemon.error
    + shift
    + date +%y%m%d %H:%M:%S
    + msg=160913 03:30:33 mysqld_safe WARNING: Found /var/lib/mysql/my.cnf
    The data directory is a deprecated location for my.cnf, please move it to
    /usr/my.cnf
    + echo 160913 03:30:33 mysqld_safe WARNING: Found /var/lib/mysql/my.cnf
    The data directory is a deprecated location for my.cnf, please move it to
    /usr/my.cnf
    160913 03:30:33 mysqld_safe WARNING: Found /var/lib/mysql/my.cnf
    The data directory is a deprecated location for my.cnf, please move it to
    /usr/my.cnf
    + MYSQL_HOME=/var/lib/mysql

This fails because MY_BASEDIR_VERSION is /usr on debian, and /usr/data/mysql does not exist.

    # Try where the binary installs put it
    if test -d $MY_BASEDIR_VERSION/data/mysql
    then
      DATADIR=$MY_BASEDIR_VERSION/data
      if test -z "$defaults" -a -r "$DATADIR/my.cnf"
      then
        defaults="--defaults-extra-file=$DATADIR/my.cnf"
      fi
    ...

The only possible scenario is if directory /usr/data/mysql is left over from past dist upgrades or introduced via other route.