The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2)
Vixie cron (vixie-cron) allows local users to change the modification
times of arbitrary files, and consequently cause a denial of service,
via a symlink attack on a temporary file in the /tmp directory.
Rerating A3 [upstream]. Vixie-cron is on more than 5% of our systems and there is no patch yet from what I can see.
Here's how Fedora has fixed it for cronie: http://git.fedorahosted.org/git/?p=cronie.git;a=commitdiff;h=9e4a8fa5f9171fb724981f53879c9b20264aeb61
I wonder if we can just apply this patch for vixie-cron... Maintainers, could you please check that?
@maintainers: ping. You bump it or we will.
Any updates on this? :/
Patch backported, it's slightly different (I moved two variable assignments from slightly earlier in the function so that the calls match how they look in the cronie patch, and used swap_uids() < OK instead of == -1 because it's done that way elsewhere in the file) but should work just fine.
Arch teams, please test and mark stable:
alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
*** Bug 480122 has been marked as a duplicate of this bug. ***
amd64 and x86 stable
Stable for HPPA.
This issue was resolved and addressed in
GLSA 201311-04 at http://security.gentoo.org/glsa/glsa-201311-04.xml
by GLSA coordinator Sean Amoss (ackle).
Re-opening for cleanup.
Maintainers, please drop vulnerable versions.
(In reply to Sean Amoss from comment #15)
> Re-opening for cleanup.
> Maintainers, please drop vulnerable versions.