
Bug 685848 (CVE-2019-9704, CVE-2019-9705)

Summary: <sys-process/cronie-1.5.4: multiple vulnerabilities (CVE-2019-{9704,9705})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: polynomial-c
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list: sys-process/cronie-1.5.4
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-13 15:05:03 UTC
CVE-2019-9704 (https://nvd.nist.gov/vuln/detail/CVE-2019-9704):
  Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause
  a denial of service (daemon crash) via a large crontab file because the
  calloc return value is not checked.

CVE-2019-9705 (https://nvd.nist.gov/vuln/detail/CVE-2019-9705):
  Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause
  a denial of service (memory consumption) via a large crontab file because an
  unlimited number of lines is accepted.
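
The two defects described above, shown in their hardened form as an added example; this is not code from cronie, Vixie Cron or this bug report. The loader rejects a crontab past a line cap and checks every allocation; the function names, the 1024-byte buffer and the cap passed by the caller are assumptions made for the sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_LINE_LEN 1024          /* constructed limit for this sketch */
enum load_status { LOAD_OK, LOAD_TOO_MANY_LINES, LOAD_NOMEM, LOAD_IO };
struct entry { struct entry *next; char *text; };

static void free_entries(struct entry *e) {
    while (e) { struct entry *n = e->next; free(e->text); free(e); e = n; }
}

/* Read at most max_lines lines from fp. Every allocation is checked and a
 * partial list is freed on failure. A line longer than the buffer is split
 * by fgets and each chunk counts toward the cap. */
static enum load_status load_crontab(FILE *fp, size_t max_lines,
                                     struct entry **out, size_t *count) {
    char buf[MAX_LINE_LEN];
    struct entry *head = NULL, **tail = &head;
    size_t n = 0;
    *out = NULL; *count = 0;
    while (fgets(buf, sizeof buf, fp)) {
        if (++n > max_lines) { free_entries(head); return LOAD_TOO_MANY_LINES; }
        struct entry *e = calloc(1, sizeof *e);
        if (!e) { free_entries(head); return LOAD_NOMEM; }
        size_t len = strcspn(buf, "\n");
        e->text = malloc(len + 1);
        if (!e->text) { free(e); free_entries(head); return LOAD_NOMEM; }
        memcpy(e->text, buf, len); e->text[len] = '\0';
        *tail = e; tail = &e->next;
    }
    *out = head; *count = n;
    return LOAD_OK;
}

/* Constructed input: a temporary crontab with n_lines identical entries. */
static enum load_status load_n_lines(size_t n_lines, size_t max_lines, size_t *count) {
    FILE *fp = tmpfile();
    struct entry *list = NULL;
    *count = 0;
    if (!fp) return LOAD_IO;
    for (size_t i = 0; i < n_lines; i++) fputs("0 * * * * /bin/true\n", fp);
    rewind(fp);
    enum load_status st = load_crontab(fp, max_lines, &list, count);
    free_entries(list);
    fclose(fp);
    return st;
}

int main(void) {
    size_t c; return load_n_lines(1001, 1000, &c) == LOAD_TOO_MANY_LINES ? 0 : 1;
}
```
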
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-05-13 20:16:51 UTC
arm64 stable
Comment 2 Rolf Eike Beer archtester 2019-05-14 08:25:19 UTC
sparc stable
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-15 14:45:20 UTC
amd64 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-15 14:49:45 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-16 23:57:10 UTC
x86 stable
Comment 6 ernsteiswuerfel archtester 2019-05-22 00:03:12 UTC
Looking good on ppc64.

# cat cronie-685848.report 
USE tests started on Mi 22. Mai 01:52:49 CEST 2019

FEATURES=' test' USE='' succeeded for =sys-process/cronie-1.5.4
USE='-anacron -inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron -inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='-anacron inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='-anacron -inotify pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron -inotify pam' succeeded for =sys-process/cronie-1.5.4
USE='-anacron inotify pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron inotify pam' succeeded for =sys-process/cronie-1.5.4

revdep tests started on Mi 22. Mai 02:02:07 CEST 2019

FEATURES=' test' USE='' succeeded for virtual/cron
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-22 08:13:38 UTC
ia64 stable
Comment 8 ernsteiswuerfel archtester 2019-05-22 10:31:12 UTC
Looking good on ppc.

# cat cronie-685848.report 
USE tests started on Mi 22. Mai 12:21:32 CEST 2019

FEATURES=' test' USE='' succeeded for =sys-process/cronie-1.5.4
USE='-anacron -inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron -inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='-anacron inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='-anacron -inotify pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron -inotify pam' succeeded for =sys-process/cronie-1.5.4
USE='-anacron inotify pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron inotify pam' succeeded for =sys-process/cronie-1.5.4

revdep tests started on Mi 22. Mai 12:27:48 CEST 2019

FEATURES=' test' USE='' succeeded for virtual/cron
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-23 13:18:35 UTC
arm stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 07:58:25 UTC
ppc stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-25 08:03:29 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2019-06-06 06:49:31 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Larry the Git Cow gentoo-dev 2019-06-06 10:07:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d6c8257d37ccf5d32d3b061dfd33bcb7b1f74c1

commit 1d6c8257d37ccf5d32d3b061dfd33bcb7b1f74c1
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-06-06 10:06:55 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-06-06 10:07:22 +0000

    sys-process/cronie: Security cleanup
    
    Bug: https://bugs.gentoo.org/685848
    Package-Manager: Portage-2.3.67, Repoman-2.3.14
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-process/cronie/Manifest                        |   1 -
 sys-process/cronie/cronie-1.5.2.ebuild             | 109 ---------------------
 .../cronie/files/cronie-1.5.2-systemd.patch        |  30 ------
 3 files changed, 140 deletions(-)