Your message dated Tue, 22 Jan 2013 20:47:09 +0000
with message-id <[email protected]>
and subject line Bug#686650: fixed in bcron 0.09-11+squeeze1
has caused the Debian Bug report #686650,
regarding bcron: CVE-2012-6110: bcron file descriptors not closed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
686650: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686650
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bcron
Version: 0.09-12
Severity: normal
Tags: upstream

Dear Maintainer,

I think I have found a security breach in bcron. The bcron-exec program does not
close its file descriptors when it does fork()/exec() to run scheduled jobs. When
used in an untrusted environment such as shared hosting, it is possible for one
user to send spam from a neighbouring user's account or read others' cron job stdout.

In more detail: if any user's program runs through cron and generates some output
to stdout/stderr, cron must send this output to the owner's e-mail. Bcron uses the
start_slot() function to create a temp file, writes the e-mail message headers in
there to prepare this mail to be sent, and then does fork/exec to run the scheduled
task and redirects its stdout/stderr to this particular file. After this task has
done its work, bcron in end_slot() compares the length of the temp file with the
stored length of the empty temp file with only the headers filled in, and if they
differ, end_slot() runs sendmail to deliver this message.

start_slot() calls forkexec_slot() to fork, and forkexec_slot() calls exec_cmd()
to exec the corresponding task. But before calling execv() it must close all open
fds except stdin/stdout/stderr. Unfortunately, there is no such code in exec_cmd().

If one creates 2 tasks and runs them simultaneously using bcron, the following 
situation occurs:

1. First task (cron1.sh):

root@debian:~# lsof -p 14230
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
cron1.sh 14230 root  cwd    DIR  254,0     4096   902 /root
cron1.sh 14230 root  rtd    DIR  254,0     4096     2 /
cron1.sh 14230 root  txt    REG  254,0   106920   624 /bin/dash
cron1.sh 14230 root  mem    REG  254,0  1583120   732 /lib/x86_64-linux-gnu/libc-2.13.so
cron1.sh 14230 root  mem    REG  254,0   136936   977 /lib/x86_64-linux-gnu/ld-2.13.so
cron1.sh 14230 root    0u   CHR    1,3      0t0  1199 /dev/null
cron1.sh 14230 root    1u   REG   0,17   479453 22716 /tmp/bcron.14096.1346752020.105007 (deleted)
cron1.sh 14230 root    2u   REG   0,17   479453 22716 /tmp/bcron.14096.1346752020.105007 (deleted)
cron1.sh 14230 root    3r  FIFO    0,8      0t0 55752 pipe
cron1.sh 14230 root   10r   REG  254,0       45   115 /root/cron1.sh

2. Second task (cron2.sh):

root@debian:~# lsof -p 14231
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
cron2.sh 14231 root  cwd    DIR  254,0     4096   902 /root
cron2.sh 14231 root  rtd    DIR  254,0     4096     2 /
cron2.sh 14231 root  txt    REG  254,0   106920   624 /bin/dash
cron2.sh 14231 root  mem    REG  254,0  1583120   732 /lib/x86_64-linux-gnu/libc-2.13.so
cron2.sh 14231 root  mem    REG  254,0   136936   977 /lib/x86_64-linux-gnu/ld-2.13.so
cron2.sh 14231 root    0u   CHR    1,3      0t0  1199 /dev/null
cron2.sh 14231 root    1u   REG   0,17   316908 22717 /tmp/bcron.14096.1346752020.105958 (deleted)
cron2.sh 14231 root    2u   REG   0,17   316908 22717 /tmp/bcron.14096.1346752020.105958 (deleted)
cron2.sh 14231 root    3r  FIFO    0,8      0t0 44757 pipe
cron2.sh 14231 root    6u   REG   0,17   318938 22716 /tmp/bcron.14096.1346752020.105007 (deleted)
cron2.sh 14231 root   10r   REG  254,0       45   112 /root/cron2.sh

Notice that fd #6 is the temp file created for gathering the output of cron1.sh, but
cron2.sh has access to it and may overwrite it with its own content. And this message
would be sent from cron1 while cron1 never generated it.

Speaking about a shared hosting environment, it is possible for a malicious user
to send spam without any traces showing this spam was sent from his/her account.

I'm going to attach a patch fixing this issue after it is tested and considered
stable.


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bcron depends on:
ii  libbg1  1.106-1
ii  libc6   2.13-35

Versions of packages bcron recommends:
ii  bcron-run                       0.09-12
ii  postfix [mail-transport-agent]  2.9.3-2.1
ii  runit                           2.1.1-6.2
ii  ucspi-unix                      0.36-4

bcron suggests no packages.

-- no debconf information

--- End Message ---
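The descriptor leak described in the report above, and the close-on-exec fix that the changelog later in this thread refers to, as an added example (not bcron's code): a parent opens an unlinked temp file for one job's output, then exec()s an unrelated "job" that only knows the fd number. Without FD_CLOEXEC the job inherits the descriptor and its bytes land in the other job's output file; with FD_CLOEXEC the descriptor is gone after exec. The temp file name and the shell one-liner are constructed for the demo.

```c
/* Added example, not bcron's code: shows why a temp file opened by the parent
 * leaks into a fork()/exec()'d job unless it is marked close-on-exec, and the
 * fix the bcron changelog describes (mark temporary files FD_CLOEXEC). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a temp file the way a cron daemon would for one job's output, then run
 * an unrelated "job" that tries to write into that fd number.
 * Returns 1 if the job's bytes landed in the file (leak), 0 if not, -1 on error. */
static int job_can_write_to_temp(int set_cloexec)
{
    char path[] = "/tmp/cloexec-demo.XXXXXX";   /* constructed name, not bcron's */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                               /* like bcron: unlinked temp file */
    if (set_cloexec) {                          /* the fix: close-on-exec flag */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) return -1;
    }
    /* The "job" knows only the fd number; it inherits the fd unless CLOEXEC. */
    char cmd[64];
    snprintf(cmd, sizeof cmd, "echo forged 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);
    /* Inspect the file from the parent; its own fd is unaffected by FD_CLOEXEC. */
    char buf[16] = {0};
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    close(fd);
    return n > 0 && strncmp(buf, "forged", 6) == 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: job wrote into temp file = %d\n", job_can_write_to_temp(0));
    printf("with    FD_CLOEXEC: job wrote into temp file = %d\n", job_can_write_to_temp(1));
    return 0;
}
```

The same check applies to any other descriptor the daemon holds across exec (bcron's fix also closes its selfpipe); opening with O_CLOEXEC where the API allows it avoids the fcntl race between open and exec.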
--- Begin Message ---
Source: bcron
Source-Version: 0.09-11+squeeze1

We believe that the bug you reported is fixed in the latest version of
bcron, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerrit Pape <[email protected]> (supplier of updated bcron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Fri, 18 Jan 2013 03:21:49 +0000
Source: bcron
Binary: bcron bcron-run
Architecture: all source
Version: 0.09-11+squeeze1
Distribution: stable
Urgency: high
Maintainer: Gerrit Pape <[email protected]>
Changed-By: Gerrit Pape <[email protected]>
Description: 
 bcron      - Bruce's cron system (programs)
 bcron-run  - Bruce's cron system
Closes: 686650
Changes: 
 bcron (0.09-11+squeeze1) stable; urgency=high
 .
   * debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-...diff:
     new; from upstream git; bcron-exec: Mark all temporary files
     close-on-exec and close selfpipe; this fixes a security bug in
     bcron where cron jobs get access to the temporary output files from
     all other jobs that are still running (CVE-2012-6110, closes:
     #686650).


--- End Message ---
