I've recently noticed CVE-2010-0424 [1] listed in the cron list of "possible security bugs". Yesterday I did a fast review of the bug information (not that much available) and the fix introduced by the Fedora guys (from cronie 1.4.3 to cronie 1.4.4) which is available at [2].
From what I can tell from the diff and comparing it to the crontab.c code [3] in our own cron fork (based on the 3.0 codebase, not the 4.1) I'm inclined to think that the CVE reference is not correct and our cron package is NOT affected.

The problem seems to be related to the fact that in version 4.1, after copying the crontab to the temporary file, the utime is modified and set to 0 (as root). However, in version 3 the utime is not modified but, rather, the utime of the temporary file is obtained when the temporary file with the crontab is generated and then compared with the utime of the crontab temporary file *after* being edited to determine if something has changed. Consequently, there is no operation there (no call to utime()) which could be abused before cron drops its privileges to call the editor.

I would say that Debian is not affected by this issue, although I would appreciate it if somebody could review the code and ratify that this is correct.

Regards

Javier

[1] http://security-tracker.debian.org/tracker/CVE-2010-0424
[2] http://git.fedorahosted.org/git/cronie.git?p=cronie.git;a=commitdiff;h=9e4a8fa5f9171fb724981f53879c9b20264aeb61
[3] http://svn.debian.org/wsvn/pkg-cron/trunk/crontab.c
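The following is an added example, not part of the original message and not code from cron or cronie. It sketches the change detection the message describes for version 3: read the temporary file's mtime after the copy, read it again after the edit, and compare, without ever writing a timestamp. The names `read_mtime`, `edited_since` and `demo`, and the sample crontab line, are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Read the temporary file's mtime; nothing here ever writes a timestamp. */
static int read_mtime(int fd, time_t *out)
{
    struct stat sb;
    if (fstat(fd, &sb) < 0)
        return -1;
    *out = sb.st_mtime;
    return 0;
}

/* After the editor returns: 1 = edited, 0 = untouched, -1 = error. */
static int edited_since(int fd, time_t before)
{
    time_t now;
    if (read_mtime(fd, &now) < 0)
        return -1;
    return now != before;
}

/* Constructed scenario: simulate_edit stands in for the user's editor. */
int demo(int simulate_edit)
{
    static const char entry[] = "0 5 * * * /bin/true\n"; /* constructed */
    char path[] = "/tmp/crontab.XXXXXX";
    time_t before;
    int result = -1, fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, entry, sizeof entry - 1) == (ssize_t)(sizeof entry - 1) &&
        read_mtime(fd, &before) == 0) {
        /* The demo moves mtime explicitly to stay deterministic; a real
         * editor's write() updates it as a side effect. */
        struct timespec ts[2] = { { .tv_nsec = UTIME_OMIT },
                                  { .tv_sec = before + 2 } };
        if (!simulate_edit || futimens(fd, ts) == 0)
            result = edited_since(fd, before);
    }
    close(fd);
    unlink(path);
    return result;
}

int main(void) { return (demo(0) == 0 && demo(1) == 1) ? 0 : 1; }
```

Comparing whole seconds, as this sketch does, misses an edit saved within the same second as the first read.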

