CVE-2010-0424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0424): The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2) Vixie cron (vixie-cron) allows local users to change the modification times of arbitrary files, and consequently cause a denial of service, via a symlink attack on a temporary file in the /tmp directory.
Rerating A3 [upstream]. Vixie-cron is on more than 5% of our systems and there is no patch yet from what I can see.
Here's how Fedora has fixed it for cronie: http://git.fedorahosted.org/git/?p=cronie.git;a=commitdiff;h=9e4a8fa5f9171fb724981f53879c9b20264aeb61 I wonder if we can just apply this patch for vixie-cron... Maintainers, could you please check that?
@maintainers: ping. You bump it or we will.
Any updates on this? :/
Patch backported; it's slightly different (I moved two variable assignments from slightly earlier in the function so that the calls match how they look in the cronie patch, and used swap_uids() < OK instead of == -1 because it's done that way elsewhere in the file) but should work just fine.

Arch teams, please test and mark stable:
=sys-process/vixie-cron-4.1-r14

Target arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
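The bug class behind this CVE is easier to see side by side. The following is an added example, not code from vixie-cron, cronie or the backported patch: it shows the vulnerable shape (a temp file created with mkstemp(), then its mtime set by re-resolving the /tmp path) next to the hardened shape (all later operations go through the descriptor mkstemp() returned, with a check that the name still denotes our inode). The function names and the "/tmp/crontab.XXXXXX" template are constructed for illustration.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>

/* Vulnerable shape (the edit_cmd pattern): the temp file is created safely with
 * mkstemp(), but its mtime is then set through the *path*. utime() re-resolves
 * that name, so a symlink placed under it in /tmp redirects the call to any
 * file the caller may touch. Returns 0 on success. */
int set_epoch_mtime_by_path(const char *path) {
    struct utimbuf ut = { 0, 0 };   /* 1970: crontab uses this to spot an unchanged edit */
    return utime(path, &ut);
}

/* Hardened shape: keep the descriptor mkstemp() returned and operate on it.
 * The kernel acts on the inode we created, whatever name now sits in /tmp,
 * and we refuse anything that is not a plain regular file with one link. */
int set_epoch_mtime_by_fd(int fd) {
    struct stat st;
    if (fstat(fd, &st) == -1) return -1;
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1) return -1;
    struct timespec ts[2] = { { 0, 0 }, { 0, 0 } };
    return futimens(fd, ts);
}

/* Before any later path-based operation, confirm the name still denotes the very
 * inode behind fd (and is not a symlink). Returns 1 if it matches, 0 otherwise. */
int path_still_ours(int fd, const char *path) {
    struct stat fs, ps;
    if (fstat(fd, &fs) == -1 || lstat(path, &ps) == -1) return 0;
    return S_ISREG(ps.st_mode) && fs.st_dev == ps.st_dev && fs.st_ino == ps.st_ino;
}

/* Create the temp file the way edit_cmd does, stamp it through the fd, and
 * return the resulting mtime (expected 0) or -1 on error. Cleans up after itself. */
long demo_hardened(void) {
    char name[] = "/tmp/crontab.XXXXXX";   /* constructed template, like crontab's */
    int fd = mkstemp(name);
    if (fd == -1) return -1;
    long rc = -1;
    struct stat st;
    if (path_still_ours(fd, name) && set_epoch_mtime_by_fd(fd) == 0 && fstat(fd, &st) == 0)
        rc = (long) st.st_mtime;
    close(fd);
    unlink(name);
    return rc;
}
```

The same rule applies to the later chown/chmod and rename steps of an editor flow: once a name in a world-writable directory has been handed to mkstemp(), only the descriptor is trustworthy.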
*** Bug 480122 has been marked as a duplicate of this bug. ***
amd64 and x86 stable
Stable for HPPA.
ppc stable
alpha/ia64 stable
ppc64 stable
arm stable
sparc stable
This issue was resolved and addressed in GLSA 201311-04 at http://security.gentoo.org/glsa/glsa-201311-04.xml by GLSA coordinator Sean Amoss (ackle).
Re-opening for cleanup. Maintainers, please drop vulnerable versions.
(In reply to Sean Amoss from comment #15)
> Re-opening for cleanup.
>
> Maintainers, please drop vulnerable versions.

done.