
vixie-cron: privilege escalation

Package(s): cron    CVE #(s): CVE-2006-2607
Created: May 31, 2006    Updated: June 1, 2009
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Alerts:
Ubuntu USN-778-1 cron 2009-06-01
Red Hat RHSA-2006:0539-01 vixie-cron 2006-07-12
Gentoo 200606-07 vixie-cron 2006-06-09
SuSE SUSE-SA:2006:027 cron 2006-05-31
rPath rPSA-2006-0082-1 vixie-cron 2006-05-25
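As an added illustration of the bug class described above (this is not code from the advisory or from vixie-cron), the unchecked setuid() pattern is shown beside a checked one. `failing_setuid` and `would_run_job` are constructed stand-ins so the difference is observable without running as root.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

typedef int (*setuid_fn)(uid_t);
/* Vulnerable pattern from the advisory: setuid()'s return value is ignored,
 * so when the call fails the job still runs with the daemon's (root)
 * credentials. Kept only to contrast with the checked version below. */
static int drop_privs_unchecked(setuid_fn do_setuid, uid_t uid)
{
    (void)do_setuid(uid);   /* return code never inspected */
    return 0;               /* caller assumes privileges were dropped */
}

/* Fixed pattern: check the return code and confirm the identity changed.
 * setuid(2) can fail legitimately (EPERM, or EAGAIN when a per-user process
 * limit is exceeded), so any failure must abort the job. */
static int drop_privs_checked(setuid_fn do_setuid, uid_t uid)
{
    if (do_setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;          /* call "succeeded" but ids did not change */
    return 0;
}

/* Constructed stand-in for a setuid() that fails (e.g. EAGAIN). */
static int failing_setuid(uid_t uid)
{
    (void)uid; errno = EAGAIN; return -1;
}

/* Returns 1 if cron-style job execution would proceed, 0 if it is refused. */
static int would_run_job(setuid_fn do_setuid, uid_t target, int checked)
{
    int rc = checked ? drop_privs_checked(do_setuid, target)
                     : drop_privs_unchecked(do_setuid, target);
    return rc == 0;
}

int main(void)
{
    uid_t me = getuid(), other = me + 1;   /* constructed target uid */
    printf("checked/ok=%d checked/fail=%d unchecked/fail=%d euid=%u\n",
           would_run_job(setuid, me, 1), would_run_job(failing_setuid, other, 1),
           would_run_job(failing_setuid, other, 0), (unsigned)geteuid());
    return 0;
}
```

With the unchecked variant the job proceeds even though the effective uid never changed; the checked variant refuses it.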


vixie-cron: privilege escalation

Posted Jul 22, 2006 19:48 UTC (Sat) by jfs (guest, #7140) [Link]

I was surprised to see that this was fixed in Debian (before I went on to maintain the cron package), as it was done by the previous maintainer (Steve Greenland) over 5 years ago! See http://svn.debian.org/wsvn/pkg-cron/trunk/?rev=153&sc=1

OpenBSD (on which Openwall Linux is based) fixed this (only :) 2 years ago, http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/cron/d... but FreeBSD only did so recently: http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/cron/c...
and so did NetBSD: http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.sbin/cron/do_...

Since Paul Vixie's cron is such a heavily-used package (by most GNU/Linux and BSD operating systems) and there are lots of patches and improvements from different vendors, I wonder if all the cron maintainers should get together in order to do a proper review of what others have patched and try to get an improved (and common) codebase.


Copyright © 2018, Eklektix, Inc.