Bug 308055 (CVE-2010-0424)

Summary: <sys-process/vixie-cron-4.1-r14: DoS (CVE-2010-0424)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: cron-bugs+disabled, pacho
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=565809
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 476034

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:43:32 UTC
CVE-2010-0424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0424):
  The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2)
  Vixie cron (vixie-cron) allows local users to change the modification
  times of arbitrary files, and consequently cause a denial of service,
  via a symlink attack on a temporary file in the /tmp directory.
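The bug class behind this CVE, as an added, stand-alone C example (not code from crontab.c, cronie, or the Gentoo patch discussed below): a privileged program creates a temp file, hands it to an editor, and afterwards calls stat()/utime() on the temp file *by path*. A local attacker who swaps the temp file for a symlink in the meantime gets the timestamps of the link target rewritten. The cronie fix linked in this thread takes a different route (dropping privileges around the call with swap_uids(), per comment 5); the hardened variant shown here is a complementary defence that keeps the descriptor from the O_EXCL create and uses fstat()/futimens() on it, plus an lstat() inode check. The directory layout, file names and the fixed 1000000000 timestamp are constructed for the demo; no setuid is needed because the "victim" is the user's own file, which is enough to observe whether its mtime moved.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>

/* Vulnerable pattern (models the bug class, not crontab.c verbatim):
 * look the temp file up by path, then utime() it by path. If the temp
 * file has been replaced with a symlink, utime() follows it and rewrites
 * the timestamps of whatever it points at. */
static int touch_by_path(const char *tmppath)
{
    struct stat st;
    struct utimbuf ut;

    if (stat(tmppath, &st) < 0)
        return -1;
    ut.actime = st.st_atime;
    ut.modtime = st.st_mtime - 1;   /* "one second ago" so a later edit is noticed */
    return utime(tmppath, &ut);
}

/* Hardened pattern: act on the descriptor obtained at O_EXCL creation.
 * A path swap after creation cannot redirect an open fd. As an extra
 * check, refuse if the path no longer names the inode we hold; lstat()
 * does not follow symlinks, so a planted link shows a different inode. */
static int touch_by_fd(int fd, const char *tmppath)
{
    struct stat fst, pst;
    struct timespec ts[2];

    if (fstat(fd, &fst) < 0 || lstat(tmppath, &pst) < 0)
        return -1;
    if (pst.st_dev != fst.st_dev || pst.st_ino != fst.st_ino)
        return -1;                  /* temp path was tampered with */
    ts[0].tv_sec = fst.st_atime;     ts[0].tv_nsec = 0;
    ts[1].tv_sec = fst.st_mtime - 1; ts[1].tv_nsec = 0;
    return futimens(fd, ts);
}

/* Constructed scenario in a private directory.
 * Returns 1 if the victim's mtime was changed, 0 if not, -1 on error. */
static int simulate(int hardened)
{
    char dir[64] = "/tmp/cve-2010-0424-XXXXXX";
    char victim[256], tmp[256];
    struct utimbuf base = { 1000000000, 1000000000 };   /* known mtime */
    struct stat before, after;
    int fd = -1, vfd, changed = -1;

    if (!mkdtemp(dir)) {            /* fall back to cwd if /tmp is unusable */
        snprintf(dir, sizeof dir, "./cve-2010-0424-XXXXXX");
        if (!mkdtemp(dir))
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/crontab.tmp", dir);

    /* The arbitrary file the attacker wants the privileged program to touch. */
    if ((vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        goto out;
    close(vfd);
    if (utime(victim, &base) < 0 || stat(victim, &before) < 0)
        goto out;

    /* The privileged program creates its temp file safely with O_EXCL ... */
    if ((fd = open(tmp, O_RDWR | O_CREAT | O_EXCL, 0600)) < 0)
        goto out;

    /* ... and while the editor runs, the attacker swaps in a symlink. */
    if (unlink(tmp) < 0 || symlink(victim, tmp) < 0)
        goto out;

    if (hardened)
        touch_by_fd(fd, tmp);       /* refuses: inode mismatch */
    else
        touch_by_path(tmp);         /* follows the symlink to the victim */

    if (stat(victim, &after) == 0)
        changed = after.st_mtime != before.st_mtime;
out:
    if (fd >= 0)
        close(fd);
    unlink(tmp);
    unlink(victim);
    rmdir(dir);
    return changed;
}

int main(void)
{
    printf("path-based utime():  victim mtime changed = %d\n", simulate(0));
    printf("fd-based futimens(): victim mtime changed = %d\n", simulate(1));
    return 0;
}
```

The path-based variant reports 1 (the victim's mtime moved), the fd-based variant reports 0. In a real setuid crontab the same utime() runs as root, which is why an unprivileged user can reach timestamps of files they do not own; dropping privileges around the call, as the backport in this bug does, closes the same window from the other side.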
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-07 09:03:31 UTC
Rerating A3 [upstream]. Vixie-cron is on more than 5% of our systems and there is no patch yet from what I can see.
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 11:10:56 UTC
Here's how Fedora has fixed it for cronie: http://git.fedorahosted.org/git/?p=cronie.git;a=commitdiff;h=9e4a8fa5f9171fb724981f53879c9b20264aeb61

I wonder if we can just apply this patch for vixie-cron... Maintainers, could you please check that?
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 02:12:23 UTC
@maintainers: ping. You bump it or we will.
Comment 4 Pacho Ramos gentoo-dev 2013-09-21 11:37:39 UTC
Any updates on this? :/
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-19 22:43:08 UTC
Patch backported, it's slightly different (I moved two variable assignments from slightly earlier in the function so that the calls match how they look in the cronie patch, and used swap_uids() < OK instead of == -1 because it's done that way elsewhere in the file) but should work just fine.

Arch teams, please test and mark stable:
=sys-process/vixie-cron-4.1-r14
Target arches:
alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 6 Pacho Ramos gentoo-dev 2013-10-20 06:40:32 UTC
*** Bug 480122 has been marked as a duplicate of this bug. ***
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-20 17:32:37 UTC
amd64 and x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2013-10-21 13:16:07 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2013-10-22 09:00:03 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-10-24 09:20:07 UTC
alpha/ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-10-24 09:22:02 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-10-25 11:00:42 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-10-26 21:06:29 UTC
sparc stable
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-11-07 02:07:00 UTC
This issue was resolved and addressed in
 GLSA 201311-04 at http://security.gentoo.org/glsa/glsa-201311-04.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2013-11-07 02:07:52 UTC
Re-opening for cleanup.

Maintainers, please drop vulnerable versions.
Comment 16 Agostino Sarubbo gentoo-dev 2013-11-07 11:43:58 UTC
(In reply to Sean Amoss from comment #15)
> Re-opening for cleanup.
> 
> Maintainers, please drop vulnerable versions.

done.