Hi, On 2019-03-22 09:51, Antti Salmela wrote: > Package: cron > Version: 3.0pl1-127+deb8u2 > Severity: normal > > Dear Maintainer, > > fix for CVE-2019-9705 is also limiting cron.d files > under /etc/cron.d. I think following patch should be applied.
Thanks for the suggestion; at first glance, I am inclined to agree with you. I'm wondering as to the practical significance, though. Were you affected by this limit (in which case I would increase the severity), or is this more of an observation? I picked 1.000 out of a hat, because I never thought that any reasonable crontab would reach this limit, with maybe the exception of a heavily commented one. > commit d59d517ea2f42e0798b78d263c259633eeae22e9 > Author: Antti Salmela <[email protected]> > Date: Fri Mar 22 10:28:48 2019 +0200 > > Only apply crontab limit to user crontabs > > diff --git a/user.c b/user.c > index 94b5914..22a2830 100644 > --- a/user.c > +++ b/user.c > @@ -295,7 +295,7 @@ load_user(crontab_fd, pw, uname, fname, tabname) > */ > } while (status >= OK && LineNumber < MAX_TAB_LINES + > NHEADER_LINES + 2); > > - if (LineNumber >= MAX_TAB_LINES + NHEADER_LINES + 2) { > + if (pw != NULL && LineNumber >= MAX_TAB_LINES + NHEADER_LINES + 2) { > log_it(fname, getpid(), "ERROR", "crontab must not be longer " > "than " Stringify(MAX_TAB_LINES) " lines, " > "this crontab file will be ignored");

