[Touch-packages] [Bug 1971895] Re: Warning messages from stat printed on installation with no user crontabs
I can confirm the issue in question is fixed on bionic/18.04.6 via cron 3.0pl1-128.1ubuntu1.2. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cron in Ubuntu. https://bugs.launchpad.net/bugs/1971895 Title: Warning messages from stat printed on installation with no user crontabs Status in cron package in Ubuntu: Confirmed Status in cron source package in Xenial: Fix Released Status in cron source package in Bionic: Fix Released Bug description: On installation of cron on a new system, or (I expect) an upgrade with no user crontab files the following is printed: Setting up cron (3.0pl1-128.1ubuntu1.1) ... stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory Warning: * is not a regular file! This is related to the fix for CVE-2017-9525 introduced in 3.0pl1-128.1ubuntu1.1. The for loop at line 66 of cron.postinst needs to have a guard like the following added to it: [ "$tab_name" = "*" ] && continue We have observed this with Bionic, I haven't checked any other Ubuntu releases. Cheers, Andrew To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971895] Re: Warning messages from stat printed on installation with no user crontabs
This bug was fixed in the package cron - 3.0pl1-128ubuntu2+esm2 --- cron (3.0pl1-128ubuntu2+esm2) xenial-security; urgency=medium * SECURITY REGRESSION: CVE-2017-9525 regression (LP: #1971895) - debian/postinst: add tab_name emptiness check - https://salsa.debian.org/debian/cron/-/commit/23047851 -- Rodrigo Figueiredo Zaiden Tue, 10 May 2022 18:07:46 -0300 ** Changed in: cron (Ubuntu Xenial) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cron in Ubuntu. https://bugs.launchpad.net/bugs/1971895 Title: Warning messages from stat printed on installation with no user crontabs Status in cron package in Ubuntu: Confirmed Status in cron source package in Xenial: Fix Released Status in cron source package in Bionic: Fix Released Bug description: On installation of cron on a new system, or (I expect) an upgrade with no user crontab files the following is printed: Setting up cron (3.0pl1-128.1ubuntu1.1) ... stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory Warning: * is not a regular file! This is related to the fix for CVE-2017-9525 introduced in 3.0pl1-128.1ubuntu1.1. The for loop at line 66 of cron.postinst needs to have a guard like the following added to it: [ "$tab_name" = "*" ] && continue We have observed this with Bionic, I haven't checked any other Ubuntu releases. Cheers, Andrew To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971895] Re: Warning messages from stat printed on installation with no user crontabs
This bug was fixed in the package cron - 3.0pl1-128.1ubuntu1.2 --- cron (3.0pl1-128.1ubuntu1.2) bionic-security; urgency=medium * SECURITY REGRESSION: CVE-2017-9525 regression (LP: #1971895) - debian/postinst: add tab_name emptiness check - https://salsa.debian.org/debian/cron/-/commit/23047851 -- Rodrigo Figueiredo Zaiden Tue, 10 May 2022 17:59:19 -0300 ** Changed in: cron (Ubuntu Bionic) Status: Triaged => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9525 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cron in Ubuntu. https://bugs.launchpad.net/bugs/1971895 Title: Warning messages from stat printed on installation with no user crontabs Status in cron package in Ubuntu: Confirmed Status in cron source package in Xenial: Triaged Status in cron source package in Bionic: Fix Released Bug description: On installation of cron on a new system, or (I expect) an upgrade with no user crontab files the following is printed: Setting up cron (3.0pl1-128.1ubuntu1.1) ... stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory Warning: * is not a regular file! This is related to the fix for CVE-2017-9525 introduced in 3.0pl1-128.1ubuntu1.1. The for loop at line 66 of cron.postinst needs to have a guard like the following added to it: [ "$tab_name" = "*" ] && continue We have observed this with Bionic, I haven't checked any other Ubuntu releases. Cheers, Andrew To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971895] Re: Warning messages from stat printed on installation with no user crontabs
** Changed in: cron (Ubuntu Xenial) Assignee: (unassigned) => Rodrigo Figueiredo Zaiden (rodrigo-zaiden) ** Changed in: cron (Ubuntu Bionic) Assignee: (unassigned) => Rodrigo Figueiredo Zaiden (rodrigo-zaiden) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cron in Ubuntu. https://bugs.launchpad.net/bugs/1971895 Title: Warning messages from stat printed on installation with no user crontabs Status in cron package in Ubuntu: Confirmed Status in cron source package in Xenial: Triaged Status in cron source package in Bionic: Triaged Bug description: On installation of cron on a new system, or (I expect) an upgrade with no user crontab files the following is printed: Setting up cron (3.0pl1-128.1ubuntu1.1) ... stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory Warning: * is not a regular file! This is related to the fix for CVE-2017-9525 introduced in 3.0pl1-128.1ubuntu1.1. The for loop at line 66 of cron.postinst needs to have a guard like the following added to it: [ "$tab_name" = "*" ] && continue We have observed this with Bionic, I haven't checked any other Ubuntu releases. Cheers, Andrew To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971895] Re: Warning messages from stat printed on installation with no user crontabs
** Also affects: cron (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: cron (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: cron (Ubuntu Xenial) Status: New => Triaged ** Changed in: cron (Ubuntu Bionic) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cron in Ubuntu. https://bugs.launchpad.net/bugs/1971895 Title: Warning messages from stat printed on installation with no user crontabs Status in cron package in Ubuntu: Confirmed Status in cron source package in Xenial: Triaged Status in cron source package in Bionic: Triaged Bug description: On installation of cron on a new system, or (I expect) an upgrade with no user crontab files the following is printed: Setting up cron (3.0pl1-128.1ubuntu1.1) ... stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory Warning: * is not a regular file! This is related to the fix for CVE-2017-9525 introduced in 3.0pl1-128.1ubuntu1.1. The for loop at line 66 of cron.postinst needs to have a guard like the following added to it: [ "$tab_name" = "*" ] && continue We have observed this with Bionic, I haven't checked any other Ubuntu releases. Cheers, Andrew To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971895] Re: Warning messages from stat printed on installation with no user crontabs
** Tags added: regression-security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cron in Ubuntu. https://bugs.launchpad.net/bugs/1971895 Title: Warning messages from stat printed on installation with no user crontabs Status in cron package in Ubuntu: Confirmed Bug description: On installation of cron on a new system, or (I expect) an upgrade with no user crontab files the following is printed: Setting up cron (3.0pl1-128.1ubuntu1.1) ... stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory Warning: * is not a regular file! This is related to the fix for CVE-2017-9525 introduced in 3.0pl1-128.1ubuntu1.1. The for loop at line 66 of cron.postinst needs to have a guard like the following added to it: [ "$tab_name" = "*" ] && continue We have observed this with Bionic, I haven't checked any other Ubuntu releases. Cheers, Andrew To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971895] Re: Warning messages from stat printed on installation with no user crontabs
Confirming this on Ubuntu 18.04.6 LTS while installing updates: Setting up cron (3.0pl1-128.1ubuntu1.1) ... stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory Warning: * is not a regular file! update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults I'm pretty sure I haven't seen this problem with other updates. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cron in Ubuntu. https://bugs.launchpad.net/bugs/1971895 Title: Warning messages from stat printed on installation with no user crontabs Status in cron package in Ubuntu: Confirmed Bug description: On installation of cron on a new system, or (I expect) an upgrade with no user crontab files the following is printed: Setting up cron (3.0pl1-128.1ubuntu1.1) ... stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory Warning: * is not a regular file! This is related to the fix for CVE-2017-9525 introduced in 3.0pl1-128.1ubuntu1.1. The for loop at line 66 of cron.postinst needs to have a guard like the following added to it: [ "$tab_name" = "*" ] && continue We have observed this with Bionic, I haven't checked any other Ubuntu releases. Cheers, Andrew To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971895] Re: Warning messages from stat printed on installation with no user crontabs
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: cron (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cron in Ubuntu. https://bugs.launchpad.net/bugs/1971895 Title: Warning messages from stat printed on installation with no user crontabs Status in cron package in Ubuntu: Confirmed Bug description: On installation of cron on a new system, or (I expect) an upgrade with no user crontab files the following is printed: Setting up cron (3.0pl1-128.1ubuntu1.1) ... stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory Warning: * is not a regular file! This is related to the fix for CVE-2017-9525 introduced in 3.0pl1-128.1ubuntu1.1. The for loop at line 66 of cron.postinst needs to have a guard like the following added to it: [ "$tab_name" = "*" ] && continue We have observed this with Bionic, I haven't checked any other Ubuntu releases. Cheers, Andrew To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971895] Re: Warning messages from stat printed on installation with no user crontabs
I was just in the process of writing David Fernandez Gonzalez an Email about this problem when I came across this ticket. I can confirm this problem on Ubuntu 18.04.6. My 20.x machines did not get the update, so I cannot verify on other releases: Unpacking cron (3.0pl1-128.1ubuntu1.1) over (3.0pl1-128.1ubuntu1) ... Setting up cron (3.0pl1-128.1ubuntu1.1) ... stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory Warning: * is not a regular file! Every single sysadmin should be concerned. ANY TIME we see asterisk wildcards being used in this fashion, where [ or test operators are behaving in this manner, we have reason to become concerned. To me, this smells of a shell script trying to parse crontab entries, which is inherently dangerous. I am now questioning whether or not this postinst script potentially nuked something it shouldn't have. How this was missed is beyond me. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cron in Ubuntu. https://bugs.launchpad.net/bugs/1971895 Title: Warning messages from stat printed on installation with no user crontabs Status in cron package in Ubuntu: Confirmed Bug description: On installation of cron on a new system, or (I expect) an upgrade with no user crontab files the following is printed: Setting up cron (3.0pl1-128.1ubuntu1.1) ... stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory stat: cannot stat '*': No such file or directory Warning: * is not a regular file! This is related to the fix for CVE-2017-9525 introduced in 3.0pl1-128.1ubuntu1.1. The for loop at line 66 of cron.postinst needs to have a guard like the following added to it: [ "$tab_name" = "*" ] && continue We have observed this with Bionic, I haven't checked any other Ubuntu releases. Cheers, Andrew To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
