From $URL :

Description
A security issue has been reported in bcron, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The security issue is caused due to the "bcron-exec" utility insecurely handling file descriptors for temporary files, which can be exploited to overwrite the files with arbitrary content.

The security issue is reported in version 0.09. Prior versions may also be affected.

Solution
Update to version 0.10.

Provided and/or discovered by Anton Khalikov in a Debian bug report.

Original Advisory
http://untroubled.org/bcron/NEWS

Anton Khalikov:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686650
CVE-2012-6110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6110): bcron-exec in bcron before 0.10 does not close file descriptors associated with temporary files when running a cron job, which allows local users to modify job files and send spam messages by accessing an open file descriptor.
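The descriptor leak the CVE text describes, as an added illustration that is not code from bcron or from this bug report: a temporary job file is opened with and without FD_CLOEXEC, a check reports whether a given descriptor would survive execve() into the job command, and an audit/hardening pair shows what a job runner can do before exec. The /tmp template, the function names and the 65536 scan cap are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed cap so the descriptor scan stays cheap on hosts with huge limits. */
static int fd_limit(void) {
    long m = sysconf(_SC_OPEN_MAX);
    return (m < 0 || m > 65536) ? 65536 : (int)m;
}

/* Create a temporary job file. With cloexec=0 the descriptor is inherited by
 * whatever the runner execs (the CVE-2012-6110 situation); with cloexec=1 the
 * kernel closes it on execve(), so the job cannot write through it. */
int open_job_tmpfile(char *tmpl, int cloexec) {
    int fd = mkstemp(tmpl);            /* tmpl ends in XXXXXX, modified in place */
    if (fd < 0) return -1;
    if (cloexec) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);
            return -1;
        }
    }
    return fd;
}

/* 1 if fd is open and would be inherited across execve(), else 0. */
int fd_leaks_across_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return 0;           /* EBADF: not open, nothing to inherit */
    return (flags & FD_CLOEXEC) == 0;
}

/* Audit: number of descriptors above stdin/stdout/stderr lacking FD_CLOEXEC. */
int count_leaking_fds(void) {
    int n = 0, lim = fd_limit();
    for (int fd = 3; fd < lim; fd++) n += fd_leaks_across_exec(fd);
    return n;
}

/* Hardening: set FD_CLOEXEC on every open descriptor above 2 before exec'ing
 * the job command. Returns how many descriptors were changed. */
int mark_all_cloexec(void) {
    int n = 0, lim = fd_limit();
    for (int fd = 3; fd < lim; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || (flags & FD_CLOEXEC)) continue;
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0) n++;
    }
    return n;
}
```

Calling mark_all_cloexec() just before execve() in the job runner closes the gap even for descriptors opened by libraries the runner does not control.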
Ping for update. 2013 issue, still vulnerable. Maintainer(s): after the bump please let us know when the ebuild is ready for stabilization.
*** Bug 467922 has been marked as a duplicate of this bug. ***
commit 251b45bcf6a46407dc82ae70cf11a33c08c9b14d
Author: Sergey Popov <pinkbyte@gentoo.org>
Date:   Sat Oct 24 20:48:36 2015 +0300

    sys-process/bcron: version bump

    Non-maintainer commit, due to security reasons
    Port to EAPI 5, add epatch user

    Gentoo-Bug: 453310
    Package-Manager: portage-2.2.20
@arches, please stabilize. @maintainers, after stabilization please remove vulnerable versions. TARGET KEYWORDS: amd64 and x86.
sys-process/bcron/bcron-0.10.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=dev-libs/bglibs-1.106']

Deal with that first
The only issues repoman is reporting here are an upstream workaround and deprecated EAPIs in <sys-process/bcron-0.10. Those will be fixed on cleanup after stabilization.
CC back arches when 569020 is resolved
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No. @maintainer(s), please cleanup the vulnerable versions.
Security cleanup: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0851a23ce5e1800c5a4fff744916dee1533e32f8