Your message dated Mon, 25 Jul 2022 17:34:05 +0000
with message-id <e1og1y1-0005pn...@fasolo.debian.org>
and subject line Bug#585552: fixed in cron 3.0pl1-149
has caused the Debian Bug report #585552,
regarding crontab should not accept all control characters
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
585552: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585552
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cron
Version: 3.0pl1-105
It is possible to hide scheduled tasks inside a cron table by using control
characters '\r' and '\b', example:
$ crontab -l
no crontab for alice
$ printf "* * * * * >/tmp/x;\rno crontab for alice\n" | crontab -
// new task (">/tmp/x") is hidden because of the carriage return char
$ crontab -l
no crontab for alice
// even for root
# crontab -l -u alice
no crontab for alice
[ and one minute later ... ]
# ls -l /tmp/x
-rw-r--r-- 1 alice alice 0 juin 2 22:27 /tmp/x
>From a security side, this thing could also allow someone to hide a
backdoor (example: http://vladz.devzero.fr/other/hide-task.sh.txt).
I suggest that the crontab command rejects control characters which can be
used to hide strings (mostly carriage return '\r' and backspace '\b'
characters). I wrote a small patch for this (attached file), let me know if
more improvements are needed.
I am using Debian version 5.0.4 (kernel 2.6.26-2-686).
--- crontab.c 2010-06-11 13:57:08.000000000 +0000
+++ crontab.c.orig 2010-06-11 13:51:13.000000000 +0000
@@ -823,8 +823,19 @@
*/
rewind(NewCrontab);
Set_LineNum(1)
- while (EOF != (ch = get_char(NewCrontab)))
+ while (EOF != (ch = get_char(NewCrontab))) {
+ /* Do not accept carriage return and backspace characters
+ * because they could be used to hide scheduled tasks.
+ */
+ if(ch == '\r' || ch == '\b') {
+ fprintf(stderr, "%s: Some control characters are not allowed\n",
+ ProgramName);
+ fclose(tmp); unlink(tn);
+ return (-2);
+ }
+
putc(ch, tmp);
+ }
if (ferror(tmp) || fflush(tmp) || fsync(fd)) {
fprintf(stderr, "%s: error while writing new crontab to %s\n",
--- End Message ---
--- Begin Message ---
Source: cron
Source-Version: 3.0pl1-149
Done: Georges Khaznadar <georg...@debian.org>
We believe that the bug you reported is fixed in the latest version of
cron, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 585...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Georges Khaznadar <georg...@debian.org> (supplier of updated cron package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 25 Jul 2022 15:43:43 +0200
Source: cron
Architecture: source
Version: 3.0pl1-149
Distribution: unstable
Urgency: medium
Maintainer: Javier Fernández-Sanguino Peña <j...@debian.org>
Changed-By: Georges Khaznadar <georg...@debian.org>
Closes: 585552
Changes:
cron (3.0pl1-149) unstable; urgency=medium
.
* manage characters \r and \b in a special way, since one could use
them to obfuscate a crontab. This patch closes: #585552.
Now one can insert characters \r and \b into a crontab's shell command,
`crontab -l` will show those characters in escaped format; so the
obfuscation is more difficult to create.
* introduced the debian patch d/patches/features/protect-list.patch and
the test d/tests/check-listings-protection to create the feature and
check that it works as expected
Checksums-Sha1:
d28b83ffb8b0a973d9a2bc35adfe2d5e8b9bf72c 2129 cron_3.0pl1-149.dsc
257d08fded97a9da85fbc8cc852ebc5e72cc1a5d 112112 cron_3.0pl1-149.debian.tar.xz
5e2076bec2d5af4bec4b84a51b0da8e55266f283 6029 cron_3.0pl1-149_source.buildinfo
Checksums-Sha256:
1761559e70c138601ce1108e2d8918a398289bad53f4c71474dc29d981b4102b 2129
cron_3.0pl1-149.dsc
8c3967f34c6da1f1f2266368aefcef9b745414824164293e4a01a511647bd466 112112
cron_3.0pl1-149.debian.tar.xz
149c7c3d2bb0a9c868026df8ea866f5ba455db366ed5b129459d5700bc617ca2 6029
cron_3.0pl1-149_source.buildinfo
Files:
d4a8d410501d56635c5251268b93d2c8 2129 admin important cron_3.0pl1-149.dsc
526dd2bb22275e1b5468ea6d32e1fc60 112112 admin important
cron_3.0pl1-149.debian.tar.xz
8efd02db343bae17e074ea3e6623eb8e 6029 admin important
cron_3.0pl1-149_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCAAyFiEEM0CzZP9nFT+3zK6FHCgWkHE2rjkFAmLezW0UHGdlb3JnZXNr
QGRlYmlhbi5vcmcACgkQHCgWkHE2rjkyuQ/+PMN+TecriI7FQ6EigJCXhO0FcvHh
LJRvTpcSGbbPuhIFjK/z2gy/JQ/rBlTkaqnRbUrewRqf3+jONagN4HfmD+GxoGlW
9tuZiHRHISMQPh1da9/vtv52SXa1QsJB4EHbOTtICZXTYUlvljzYNDYSkLroDtvH
gEYjPxWC3252LAEKCHu6uRHUS/JIZJUJmD+G+T14/uHUF6ZWmLJBOc366s6Tm6fe
DkgNhRotEWRnvPug+NS1+4bLeGl7CaCijKwcdjYESLbZDUCDqkaP1NoIoB0Ld6nw
YKtmY8/scQISjY9evJ0RgFLdNjGx1qQBzoJM7e+xUglCm6dMx8jPLXhTiKzh/uWr
QTw9b/+HCIMGwkOfYL8eEBXzT8QZ5tFwh0q9HwrsM9rPiqFbmViQvPvgDCua/7Rx
xHwJoiZOMXok/NGhh+5o5my/hnI3uuk7TqteMeLhGRH6WzloUfCnif0wYXGjb4iY
QarDTqlFcRxcxcBf+RyvCjvpMcBBHlLxLuSOiBk02v2UaYjo2eYm/6afZCiFcxO1
4FqrM36bNE3fDew4b2XCPHDbdsfQxyFkSjw9q0gtS0lQgl9DBvlOVrmrX3D23/Nv
1RzmpdhuuomNlpt9GYqtOSx8bcz1RjZF7lmcvOgryCIfJVPu6ofjOz8zZ/dUlYtr
1K15bqeBeVIgRfg=
=Mq/q
-----END PGP SIGNATURE-----
--- End Message ---
