308057 – <sys-process/cronie-1.4.4 DoS (CVE-2010-0424)

Bug 308057 - <sys-process/cronie-1.4.4 DoS (CVE-2010-0424)

Summary: <sys-process/cronie-1.4.4 DoS (CVE-2010-0424)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High trivial
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	~3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2010-03-06 15:44 UTC by Stefan Behte (RETIRED)
Modified:	2010-03-14 22:15 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Behte (RETIRED) gentoo-dev

2010-03-06 15:44:18 UTC

+++ This bug was initially created as a clone of Bug #308055 +++

CVE-2010-0424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0424):
  The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2)
  Vixie cron (vixie-cron) allows local users to change the modification
  times of arbitrary files, and consequently cause a denial of service,
  via a symlink attack on a temporary file in the /tmp directory.

Comment 1 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev

2010-03-06 21:53:52 UTC

1.4.4 is now in cvs.
thanks for the report

Comment 2 Alex Legler (RETIRED) archtester

2010-03-07 08:56:35 UTC

Please also remove the older versions that are still in the tree.
Closing noglsa.

Comment 3 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev

2010-03-14 22:15:22 UTC

old versions removed.
thanks