Your message dated Tue, 22 Jan 2013 20:47:09 +0000
with message-id <[email protected]>
and subject line Bug#686650: fixed in bcron 0.09-11+squeeze1
has caused the Debian Bug report #686650,
regarding bcron: CVE-2012-6110: bcron file descriptors not closed
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
686650: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686650
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bcron
Version: 0.09-12
Severity: normal
Tags: upstream
Dear Maintainer,
I think I have found a security breach in bcron. Bcron-exec program does not
close
its file descriptors when does fork()/exec() to run scheduled jobs. When used
in
untrusted environment such as shared hosting, it is possible for one user to
send
spam from neighbour user's accounts or read other's cron job stdout.
In deeper details. If any user's program runs through cron and generates some
output to
stdout/stderr, cron must send its output to owner's e-mail. Bcron uses
start_slot()
function to create a temp file, write e-mail message headers in there to prepare
this mail to be sent and then does fork/exec to run scheduled task and
redirects
its stdout/stderr to this particular file. After this task done its work,
bcron in end_slot() compares the length of temp file with stored length of empty
temp file with only headers filled in and if they differ, end_slot() runs
sendmail
to deliver this message.
start_slot() calls forkexec_slot() to fork and forkexec_slot() calls exec_cmd()
to exec corresponding task. But before calling execv() it must close all open
fds
execpt stdin/stdout/stderr. Unfortunatelly, there is no such code in exec_cmd().
If one creates 2 tasks and runs them simultaneously using bcron, the following
situation occurs:
1. First task (cron1.sh):
root@debian:~# lsof -p 14230
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cron1.sh 14230 root cwd DIR 254,0 4096 902 /root
cron1.sh 14230 root rtd DIR 254,0 4096 2 /
cron1.sh 14230 root txt REG 254,0 106920 624 /bin/dash
cron1.sh 14230 root mem REG 254,0 1583120 732
/lib/x86_64-linux-gnu/libc-2.13.so
cron1.sh 14230 root mem REG 254,0 136936 977
/lib/x86_64-linux-gnu/ld-2.13.so
cron1.sh 14230 root 0u CHR 1,3 0t0 1199 /dev/null
cron1.sh 14230 root 1u REG 0,17 479453 22716
/tmp/bcron.14096.1346752020.105007 (deleted)
cron1.sh 14230 root 2u REG 0,17 479453 22716
/tmp/bcron.14096.1346752020.105007 (deleted)
cron1.sh 14230 root 3r FIFO 0,8 0t0 55752 pipe
cron1.sh 14230 root 10r REG 254,0 45 115 /root/cron1.sh
2. second task (cron2.sh):
root@debian:~# lsof -p 14231
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cron2.sh 14231 root cwd DIR 254,0 4096 902 /root
cron2.sh 14231 root rtd DIR 254,0 4096 2 /
cron2.sh 14231 root txt REG 254,0 106920 624 /bin/dash
cron2.sh 14231 root mem REG 254,0 1583120 732
/lib/x86_64-linux-gnu/libc-2.13.so
cron2.sh 14231 root mem REG 254,0 136936 977
/lib/x86_64-linux-gnu/ld-2.13.so
cron2.sh 14231 root 0u CHR 1,3 0t0 1199 /dev/null
cron2.sh 14231 root 1u REG 0,17 316908 22717
/tmp/bcron.14096.1346752020.105958 (deleted)
cron2.sh 14231 root 2u REG 0,17 316908 22717
/tmp/bcron.14096.1346752020.105958 (deleted)
cron2.sh 14231 root 3r FIFO 0,8 0t0 44757 pipe
cron2.sh 14231 root 6u REG 0,17 318938 22716
/tmp/bcron.14096.1346752020.105007 (deleted)
cron2.sh 14231 root 10r REG 254,0 45 112 /root/cron2.sh
Notice fd #6 is temp file created for gathering output of cron1.sh but cron2.sh
has access to it and may overwrite it with its own content. And this message
would be sent from cron1 while cron1 never generated it.
Speaking about shared hosting environment, it is possible for malicious user
to send spam without any traces showing this spam was sent from his/her account.
I'm going to attach path fixing this issue after it is tested and considered
stable.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages bcron depends on:
ii libbg1 1.106-1
ii libc6 2.13-35
Versions of packages bcron recommends:
ii bcron-run 0.09-12
ii postfix [mail-transport-agent] 2.9.3-2.1
ii runit 2.1.1-6.2
ii ucspi-unix 0.36-4
bcron suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: bcron
Source-Version: 0.09-11+squeeze1
We believe that the bug you reported is fixed in the latest version of
bcron, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gerrit Pape <[email protected]> (supplier of updated bcron package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 18 Jan 2013 03:21:49 +0000
Source: bcron
Binary: bcron bcron-run
Architecture: all source
Version: 0.09-11+squeeze1
Distribution: stable
Urgency: high
Maintainer: Gerrit Pape <[email protected]>
Changed-By: Gerrit Pape <[email protected]>
Description:
bcron - Bruce's cron system (programs)
bcron-run - Bruce's cron system
Closes: 686650
Changes:
bcron (0.09-11+squeeze1) stable; urgency=high
.
* debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-...diff:
new; from upstream git; bcron-exec: Mark all temporary files
close-on-exec and close selfpipe; this fixes a security bug in
bcron where cron jobs get access to the temporary output files from
all other jobs that are still running (CVE-2012-6110, closes:
#686650).
Checksums-Sha1:
e43f2943ae85c6faed0e89f5239a35ebf0cbaa3e 1003 bcron_0.09-11+squeeze1.dsc
c674016644770a244d2405add3dcc1eaf93fcd5c 9813 bcron_0.09-11+squeeze1.diff.gz
0a11fa23a16081444c1d56f1a66ca41bccf4cb34 8856
bcron-run_0.09-11+squeeze1_all.deb
Checksums-Sha256:
ea4c3aee269124e0a22a1e005a40b11cfa8285bc84a2693917e18763a7f73319 1003
bcron_0.09-11+squeeze1.dsc
22ec07febaafb47fc257cbd0db6df087fd957900ecef77b731df216c3520f630 9813
bcron_0.09-11+squeeze1.diff.gz
f4dd528f70c8b92e72caf4bdb163525829b24673f3c655f36d9ee1593113392d 8856
bcron-run_0.09-11+squeeze1_all.deb
Files:
7bc703c6abe42b1605a2e7d9c83b498a 1003 admin optional bcron_0.09-11+squeeze1.dsc
acfe940f0537953c7eda49b4cbfe9920 9813 admin optional
bcron_0.09-11+squeeze1.diff.gz
002a91faa6ebaf620ae4b3bb8a6df090 8856 admin optional
bcron-run_0.09-11+squeeze1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlD74OkACgkQGJoyQbxwpv+vmwCfWFtwITNdvyYBelYH5jPN0pS9
vU8An2L9LHBFz6oM3Xnlq7KqE8VPLx7/
=5l6X
-----END PGP SIGNATURE-----
--- End Message ---