Summary: | <sys-process/vixie-cron-4.1-r14: DoS (CVE-2010-0424) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | cron-bugs+disabled, pacho |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=565809 | ||
Whiteboard: | A3 [glsa] | ||
Bug Blocks: | 476034 |
Description
Stefan Behte (RETIRED)
2010-03-06 15:43:32 UTC
Rerating A3 [upstream]. Vixie-cron is on more than 5% of our systems and there is no patch yet from what I can see.

Here's how Fedora has fixed it for cronie: http://git.fedorahosted.org/git/?p=cronie.git;a=commitdiff;h=9e4a8fa5f9171fb724981f53879c9b20264aeb61

I wonder if we can just apply this patch for vixie-cron... Maintainers, could you please check that?

@maintainers: ping.

You bump it or we will.

Any updates on this? :/

Patch backported, it's slightly different (I moved two variable assignments from slightly earlier in the function so that the calls match how they look in the cronie patch, and used swap_uids() < OK instead of == -1 because it's done that way elsewhere in the file) but should work just fine.

Arch teams, please test and mark stable:
=sys-process/vixie-cron-4.1-r14
Target arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

*** Bug 480122 has been marked as a duplicate of this bug. ***

amd64 and x86 stable

Stable for HPPA.

ppc stable

alpha/ia64 stable

ppc64 stable

arm stable

sparc stable

This issue was resolved and addressed in GLSA 201311-04 at http://security.gentoo.org/glsa/glsa-201311-04.xml by GLSA coordinator Sean Amoss (ackle).

Re-opening for cleanup.

Maintainers, please drop vulnerable versions.

(In reply to Sean Amoss from comment #15)
> Re-opening for cleanup.
>
> Maintainers, please drop vulnerable versions.

done.