Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 685848 (CVE-2019-9704, CVE-2019-9705) - <sys-process/cronie-1.5.4: multiple vulnerabilities (CVE-2019-{9704,9705})
Summary: <sys-process/cronie-1.5.4: multiple vulnerabilities (CVE-2019-{9704,9705})
Status: RESOLVED FIXED
Alias: CVE-2019-9704, CVE-2019-9705
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-13 15:05 UTC by GLSAMaker/CVETool Bot
Modified: 2019-08-11 21:49 UTC (History)
1 user (show)

See Also:
Package list:
sys-process/cronie-1.5.4
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-13 15:05:03 UTC
CVE-2019-9704 (https://nvd.nist.gov/vuln/detail/CVE-2019-9704):
  Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause
  a denial of service (daemon crash) via a large crontab file because the
  calloc return value is not checked.

CVE-2019-9705 (https://nvd.nist.gov/vuln/detail/CVE-2019-9705):
  Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause
  a denial of service (memory consumption) via a large crontab file because an
  unlimited number of lines is accepted.
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-05-13 20:16:51 UTC
arm64 stable
Comment 2 Rolf Eike Beer 2019-05-14 08:25:19 UTC
sparc stable
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-05-15 14:45:20 UTC
amd64 stable
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-05-15 14:49:45 UTC
amd64 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2019-05-16 23:57:10 UTC
x86 stable
Comment 6 ernsteiswuerfel 2019-05-22 00:03:12 UTC
Looking good on ppc64.

# cat cronie-685848.report 
USE tests started on Mi 22. Mai 01:52:49 CEST 2019

FEATURES=' test' USE='' succeeded for =sys-process/cronie-1.5.4
USE='-anacron -inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron -inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='-anacron inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='-anacron -inotify pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron -inotify pam' succeeded for =sys-process/cronie-1.5.4
USE='-anacron inotify pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron inotify pam' succeeded for =sys-process/cronie-1.5.4

revdep tests started on Mi 22. Mai 02:02:07 CEST 2019

FEATURES=' test' USE='' succeeded for virtual/cron
Comment 7 Sergei Trofimovich gentoo-dev 2019-05-22 08:13:38 UTC
ia64 stable
Comment 8 ernsteiswuerfel 2019-05-22 10:31:12 UTC
Looking good on ppc.

# cat cronie-685848.report 
USE tests started on Mi 22. Mai 12:21:32 CEST 2019

FEATURES=' test' USE='' succeeded for =sys-process/cronie-1.5.4
USE='-anacron -inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron -inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='-anacron inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron inotify -pam' succeeded for =sys-process/cronie-1.5.4
USE='-anacron -inotify pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron -inotify pam' succeeded for =sys-process/cronie-1.5.4
USE='-anacron inotify pam' succeeded for =sys-process/cronie-1.5.4
USE='anacron inotify pam' succeeded for =sys-process/cronie-1.5.4

revdep tests started on Mi 22. Mai 12:27:48 CEST 2019

FEATURES=' test' USE='' succeeded for virtual/cron
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-05-23 13:18:35 UTC
arm stable
Comment 10 Sergei Trofimovich gentoo-dev 2019-05-25 07:58:25 UTC
ppc stable
Comment 11 Sergei Trofimovich gentoo-dev 2019-05-25 08:03:29 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2019-06-06 06:49:31 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Larry the Git Cow gentoo-dev 2019-06-06 10:07:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d6c8257d37ccf5d32d3b061dfd33bcb7b1f74c1

commit 1d6c8257d37ccf5d32d3b061dfd33bcb7b1f74c1
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-06-06 10:06:55 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-06-06 10:07:22 +0000

    sys-process/cronie: Security cleanup
    
    Bug: https://bugs.gentoo.org/685848
    Package-Manager: Portage-2.3.67, Repoman-2.3.14
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-process/cronie/Manifest                        |   1 -
 sys-process/cronie/cronie-1.5.2.ebuild             | 109 ---------------------
 .../cronie/files/cronie-1.5.2-systemd.patch        |  30 ------
 3 files changed, 140 deletions(-)