Bug 453310 (CVE-2012-6110) - <sys-process/bcron-0.10: bcron-exec File Descriptor Handling Security Issue (CVE-2012-6110)
Alias: CVE-2012-6110
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Duplicates: 467922
Depends on: 569020
Reported: 2013-01-21 10:06 UTC by Agostino Sarubbo
Modified: 2016-06-26 11:33 UTC
Description Agostino Sarubbo gentoo-dev 2013-01-21 10:06:19 UTC
From $URL :

A security issue has been reported in bcron, which can be exploited by malicious, local users to 
perform certain actions with escalated privileges.

The security issue is caused due to the "bcron-exec" utility insecurely handling file descriptors 
for temporary files, which can be exploited to overwrite the files with arbitrary content.

The security issue is reported in version 0.09. Prior versions may also be affected.

Update to version 0.10.

Provided and/or discovered by
Anton Khalikov in a Debian bug report.

Original Advisory

Anton Khalikov:
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-10-11 01:37:04 UTC
CVE-2012-6110 (
  bcron-exec in bcron before 0.10 does not close file descriptors associated
  with temporary files when running a cron job, which allows local users to
  modify job files and send spam messages by accessing an open file
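
The CVE text above turns on descriptor inheritance: a temporary file opened by the job runner stays open in the program it executes unless it is closed or flagged close-on-exec. The C example below is added here for illustration (it is not bcron's code and not the upstream 0.10 change); it counts descriptors that an exec'd job would inherit, then flags a scratch file with `FD_CLOEXEC`. The function names, the `/tmp` template and the 65536 scan ceiling are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Create an already-unlinked scratch file, the way a job runner might hold
   a job's input or captured output. The /tmp template is constructed. */
int open_scratch(void)
{
    char path[] = "/tmp/fd-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd >= 0)
        unlink(path);
    return fd;   /* mkstemp() does not set FD_CLOEXEC on the descriptor */
}

/* Mark one descriptor close-on-exec, preserving its other fd flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Count open descriptors >= first that an exec'd program would inherit.
   Closed slots fail with EBADF and are skipped; 65536 is an assumed cap. */
int count_inheritable(int first)
{
    long max = sysconf(_SC_OPEN_MAX);
    int n = 0;
    if (max < 0 || max > 65536) max = 65536;
    for (int fd = first; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags >= 0 && !(flags & FD_CLOEXEC))
            n++;
    }
    return n;
}

int main(void)
{
    int fd = open_scratch();
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("inheritable fds >= 3 before: %d\n", count_inheritable(3));
    if (set_cloexec(fd) < 0) { perror("fcntl"); return 1; }
    printf("inheritable fds >= 3 after:  %d\n", count_inheritable(3));
    close(fd);
    return 0;
}
```

Running `count_inheritable(3)` in the forked child just before `execve()` gives a quick regression check that no job file descriptor crosses into the user's command.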
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2014-10-15 03:36:39 UTC
Ping for update. 2013 issue, still vulnerable.

Maintainer(s): after the bump please let us know when the ebuild is ready for stabilization.
Comment 3 Jeroen Roovers gentoo-dev 2014-12-05 17:12:18 UTC
*** Bug 467922 has been marked as a duplicate of this bug. ***
Comment 4 Sergey Popov gentoo-dev 2015-10-24 17:50:24 UTC
commit 251b45bcf6a46407dc82ae70cf11a33c08c9b14d
Author: Sergey Popov <>
Date:   Sat Oct 24 20:48:36 2015 +0300

    sys-process/bcron: version bump
    Non-maintainer commit, due to security reasons
    Port to EAPI 5, add epatch user
    Gentoo-Bug: 453310
    Package-Manager: portage-2.2.20
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-04 13:21:58 UTC
@arches, please stabilize.

@maintainers, after stabilization please remove vulnerable versions.

TARGET KEYWORDS: amd64 and x86.
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2016-03-05 17:07:35 UTC
 sys-process/bcron/bcron-0.10.ebuild: DEPEND: amd64(default/linux/amd64/13.0)

Deal with that first
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-18 07:47:06 UTC
Only issues repoman is reporting here are an upstream workaround and deprecated EAPIs in <sys-process/bcron-0.10. Those will be fixed on cleanup after stabilization.
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-19 16:24:51 UTC
CC back arches when 569020 is resolved
Comment 9 Agostino Sarubbo gentoo-dev 2016-06-13 12:26:30 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-06-13 12:27:18 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-21 05:53:15 UTC
GLSA Vote: No.

@maintainer(s), please clean up the vulnerable versions.