Control: retitle -1 cron: CVE-2017-9525: group crontab to root escalation via postinst
Hi,

On Fri, Jun 09, 2017 at 07:40:18AM +0200, Salvatore Bonaccorso wrote:
> A group crontab to root escalation via the postinst in Debian and
> Ubuntu has been reported, as stated in the oss-security post:
>
> http://www.openwall.com/lists/oss-security/2017/06/08/3
>
> Our postinst contains:
>
> | # Fixup crontab , directory and files for new group 'crontab'.
> | # Can't use dpkg-statoverride for this because it doesn't cooperate nicely
> | # with cron alternatives such as bcron
> | if [ -d $crondir/crontabs ] ; then
> |     chown root:crontab $crondir/crontabs
> |     chmod 1730 $crondir/crontabs
> |     # This used to be done conditionally. For versions prior to "3.0pl1-81"
> |     # It has been disabled to suit cron alternative such as bcron.
> |     cd $crondir/crontabs
> |     set +e
> |     ls -1 | xargs -r -n 1 --replace=xxx chown 'xxx:crontab' 'xxx'
> |     ls -1 | xargs -r -n 1 chmod 600
> |     set -e
> | fi
>
> which can be used for group-crontab-to-root escalation of privileges
> as described by the Qualys team in the above reference.

This has been assigned CVE-2017-9525.

Regards,
Salvatore
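The postinst loop quoted above operates on whatever it finds in a directory that group crontab can write to (mode 1730 gives the group write and search access), and `chmod`, like `chown` without `-h`, follows symbolic links. The following is an added demonstration written for this page, not code from the Debian cron package or from the Qualys report. It builds a throwaway spool directory under a temp dir, plants a symlink named `alice` (an arbitrary, constructed name) pointing at a file outside the spool, and compares the shape of the original loop with a variant restricted to regular files. Only the `chmod` half is exercised, since changing ownership requires root; the `chown 'xxx:crontab' 'xxx'` step dereferences the link the same way and additionally takes the new owner from the attacker-chosen filename, which this example does not cover.

```shell
#!/bin/sh
# Added example, not the Debian cron postinst. Shows that a symlink
# planted in a group-writable spool redirects a blanket "chmod 600"
# onto a file outside the spool, and that a find(1)-based loop which
# only touches regular files does not follow the link. No root needed.

set -eu

# Print a file's permission bits in octal (GNU stat, then BSD stat).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Construct the scenario under work dir $1:
#   $1/outside      a world-readable file that should stay untouched
#   $1/spool/alice  a symlink to it, as a group member could create
setup_spool() {
    mkdir -p "$1/spool"
    : > "$1/outside"
    chmod 644 "$1/outside"
    ln -s "$1/outside" "$1/spool/alice"
}

# Same shape as the quoted loop: ls output piped into chmod. chmod has
# no "do not follow" option, so the symlink's target gets mode 600.
# Echoes the resulting mode of the outside file.
original_fixup() {
    d=$(mktemp -d)
    setup_spool "$d"
    ( cd "$d/spool" && ls -1 | xargs -r -n 1 chmod 600 )
    mode_of "$d/outside"
    rm -rf "$d"
}

# Assumed hardened variant (not from the package): only regular files
# directly inside the spool, matched by find without -L so symlinks are
# never dereferenced, and -exec so unusual filenames cannot split a
# pipeline. Echoes the resulting mode of the outside file.
hardened_fixup() {
    d=$(mktemp -d)
    setup_spool "$d"
    find "$d/spool" -mindepth 1 -maxdepth 1 -type f -exec chmod 600 {} +
    mode_of "$d/outside"
    rm -rf "$d"
}

original_fixup   # 600: the file outside the spool was modified
hardened_fixup   # 644: untouched
```

The same `-type f` restriction would also keep the `chown` step from following a planted link, but it does not address the loop deriving the owner from the filename; that needs a separate check that the name is a real user before it is passed to `chown`.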