Bug 308075 (CVE-2010-0792) - <sys-process/fcron-3.0.5-r2: symlink attack (CVE-2010-0792)
Summary: <sys-process/fcron-3.0.5-r2: symlink attack (CVE-2010-0792)
Status: RESOLVED FIXED
Alias: CVE-2010-0792
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://fcron.free.fr/
Whiteboard: B3 [glsa]
Reported: 2010-03-06 16:00 UTC by Stefan Behte (RETIRED)
Modified: 2013-11-25 17:53 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:00:49 UTC
CVE-2010-0792 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0792):
  fcrontab in fcron before 3.0.5 allows local users to read arbitrary
  files via a symlink attack on an unspecified file.
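The CVE text names the vulnerability class (a privileged fcrontab following a symlink planted by a local user) but not the file involved, so the following is an added illustration of that class, not fcron's own code or the actual CVE-2010-0792 flaw. It contrasts the open(2) pattern that follows symlinks with an O_NOFOLLOW plus fstat() variant, staged in a throwaway directory with constructed file names ("secret", "user.tab") and constructed content; it runs unprivileged, so it demonstrates only the open semantics, not the privilege boundary a setuid binary crosses.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* O_NOFOLLOW and mkdtemp() on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SECRET_TEXT "root-only data\n"   /* constructed sample content */

/* Vulnerable pattern: a privileged program (fcrontab is setuid) opens a
 * path under a directory the invoking user controls.  open(2) follows
 * any symlink found there, so the user can point it at a file that only
 * the privileged identity may read. */
static ssize_t read_following_symlinks(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0)
        return -1;
    buf[got] = '\0';
    return got;
}

/* Hardened pattern: refuse symlinks in the open call itself (O_NOFOLLOW;
 * an lstat() beforehand would leave a TOCTOU race), then verify on the
 * open descriptor that it is a plain regular file.  A setuid program
 * should additionally compare st_uid with the invoking user, or drop
 * privileges before the open. */
static ssize_t read_nofollow(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;           /* ELOOP on Linux: last component was a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0)
        return -1;
    buf[got] = '\0';
    return got;
}

/* Stages the attack: "secret" stands in for the file the attacker wants,
 * "user.tab" is the symlink planted where the privileged program looks
 * (both names are hypothetical).  Returns a bitmask:
 *   1  the symlink-following read returned the secret's content
 *   2  the O_NOFOLLOW read refused the symlink
 *   4  the O_NOFOLLOW read still works on the genuine regular file */
int symlink_attack_demo(void)
{
    char dir[] = "/tmp/symlink-demo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char secret[128], planted[128], buf[64];
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(planted, sizeof planted, "%s/user.tab", dir);

    int result = -1;
    FILE *f = fopen(secret, "w");
    if (f != NULL && fputs(SECRET_TEXT, f) >= 0 && fclose(f) == 0 &&
        symlink(secret, planted) == 0) {
        result = 0;
        if (read_following_symlinks(planted, buf, sizeof buf) > 0 &&
            strcmp(buf, SECRET_TEXT) == 0)
            result |= 1;
        errno = 0;
        if (read_nofollow(planted, buf, sizeof buf) < 0 &&
            (errno == ELOOP || errno == EMLINK))   /* EMLINK on some BSDs */
            result |= 2;
        if (read_nofollow(secret, buf, sizeof buf) > 0 &&
            strcmp(buf, SECRET_TEXT) == 0)
            result |= 4;
    }
    unlink(planted);
    unlink(secret);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = symlink_attack_demo();
    printf("demo result bitmask: %d (expect 7)\n", r);
    return r == 7 ? 0 : 1;
}
```

The O_NOFOLLOW flag only rejects a symlink in the final path component; if the privileged program also trusts a user-writable parent directory, the directory components must be walked with openat() and fstat() checks as well, or the file opened after dropping to the invoking user's uid.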
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-03-10 01:43:10 UTC
Security, 3.0.5 is in tree now.

Only bad note on that is that it depends on a newly-added pambase, but since I only changed the system-services stack it should be fine to go stable as it is even right now.

Thanks!
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-03-11 13:31:36 UTC
3.0.5-r1 is the stable candidate if security wants a new stable.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-18 00:07:33 UTC
Arches, please test and mark stable:
=sys-process/fcron-3.0.5-r2
Target keywords : "amd64 hppa ppc sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-18 16:35:42 UTC
x86 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2010-03-23 20:01:19 UTC
This depends on a non-stable version of pambase for most arches. Advice?
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2010-03-24 05:53:51 UTC
Stable for HPPA.
Comment 7 Markus Meier gentoo-dev 2010-03-29 21:47:45 UTC
amd64 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-04-04 19:09:57 UTC
sparc stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2010-04-15 15:09:16 UTC
ppc done; closing as last arch
Comment 10 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-04-15 15:15:12 UTC
Reopening, this is a security bug.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-05-22 11:13:38 UTC
GLSA vote: yes
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:44:18 UTC
YES too, request filed.
Comment 13 Gokdeniz Karadag 2011-02-18 13:20:35 UTC
3.0.5-r2 is the oldest available version in the tree. Is there still a need for a GLSA?
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-22 21:51:06 UTC
Yes.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-11-25 17:53:41 UTC
This issue was resolved and addressed in
 GLSA 201311-16 at http://security.gentoo.org/glsa/glsa-201311-16.xml
by GLSA coordinator Sergey Popov (pinkbyte).