| Summary: | sys-process/vixie-cron: local DoS (CVE-2007-1856) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Raphael Marichez (Falco) (RETIRED) <falco> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ka0ttic, killerfox, tcort, tsunam, wschlich |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A3 [glsa] Falco | | |
| Package list: | | Runtime testing required: | --- |
Description
Raphael Marichez (Falco) (RETIRED)
2007-01-29 21:10:51 UTC
Aaron, Wolfram, do you have an idea on why this st_nlink check exists? Do you have any comment?

FCron (2 and 3) only seems to check link count for temporary files. Thus, it does not seem to be affected.

(In reply to comment #2)
> FCron (2 and 3) only seems to check link count for temporary files.
> Thus, it does not seem to be affected.

Right, thanks. But vixie-cron doesn't deal with that kind of temporary files. It really checks st_nlink on the real crontabs. Vapier, do you have any clue here? I'm still looking for a possible reason why vixie-cron checks st_nlink==1 on its crontabs, allowing for a local DoS through hardlinks created on /etc/crontab, /etc/cron.*/*, /var/spool... etc.

I can't guess; seems like a dumb check, so I'd tend to ask Wolfram if he wants to patch that and fix it.

I don't know how to handle that issue without an active upstream.

Sorry, but I have nothing to do with vixie-cron -- only fcron :-)

So what is going to happen here? Falco, do you want to contact upstream? Might be best.

vorlon, I wanted to contact upstream but I'm afraid there's no upstream.

Falco, any news on this one?

(In reply to comment #9)
> Falco, any news on this one?

I wish to talk about it on v-sec but I'm not officially introduced yet.

Falco, any more news on this one?

Hi dear arches security liaisons, please test vixie-cron-4.1-r10, which changes vixie-cron behaviour on /var/spool/cron/crontabs. Upgrade should be OK, so should the new installations, but please test it deeply since it's a major package, and don't hesitate to comment. After upgrading, /var/spool/cron/crontabs should be:

```
drwx-wx--T 2 root crontab
```

And inside:

```
-rw------- 1 apache crontab 417 Mar 11 20:53 apache
-rw------- 1 falco crontab 1.1K Apr 8 23:36 falco
```

etc. And /usr/bin/crontab is no longer SUID, but now SGID. Very few Linux distros are concerned by this bug, so I think we will disclose it very soon. No need to urge here, you can just report on that bug if the tests are OK. Thanks in advance.
(In reply to comment #12)
> please test vixie-cron-4.1-r10

fine on ppc64. no stable marking yet?

Hi arches, you can now mark it stable if it runs fine for you, since it's already partially public via the OWL patch http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/vixie-cron-4.1.20060426-owl-st_nlink.diff

Goes public now, removing liaisons and adding arch aliases. Please see comment #12.

x86 + ia64 stable

sparc stable. would have been good to remove the liaisons when adding arches too...

emerges fine and works on amd64

```
Portage 2.1.2.2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.20-beyond2 x86_64)
=================================================================
System uname: 2.6.20-beyond2 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 10 Apr 2007 15:20:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31-r5
dev-lang/python: 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.4-r6
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -Os -pipe -msse3 -w"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=k8 -Os -pipe -msse3 -w"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--quiet"
FEATURES="buildsyspkg ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
MAKEOPTS="-j3 -l3 -s"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 amr audiofile bitmap-fonts bzip2 cairo cdinstall cdr cli cracklib crypt cups dbus dri dts dvd dvdr dvdread emboss encode exif fam firefox fortran gdbm gif gstreamer gtk gtk2 hal iconv jpeg libg++ logrotate mad midi mikmod minimal mp3 mpeg ncurses nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection sdl session smp spl ssl svg symlink tcpd test tiff truetype truetype-fonts type1-fonts unicode v4l vim vorbis x264 xinerama xorg xv xvid zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="evdev keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIRC_DEVICES="inputlirc" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset: CTARGET, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
```

amd64 stable!

ppc64 stable

Stable for HPPA (killerfox).

ppc stable

Alpha done.

GLSA 200704-11 thanks everyone once again :)