On Tue, 12 May 2009 16:53:41 -0500, Jamie Strandboge wrote:
> Package: cron
> Version: 3.0pl1-105
> Severity: grave
> Tags: patch security
> Justification: user security hole
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu jaunty ubuntu-patch
>
> Hi,
>
> I was reviewing a list of old bugs in the Ubuntu bug tracker, and came across:
> https://bugs.edge.launchpad.net/ubuntu/+source/cron/+bug/46649
>
> I then reviewed the Ubuntu and Debian packages and found that while the most
> serious issue of not checking setuid() was addressed in 3.0pl1-64, checks for
> setgid() and initgroups() were not added. Other distributions (e.g. Gentoo and
> RedHat) fixed these calls as well. I was then curious to see when these
> two calls could fail and found that sys_setgid can fail via LSM and
> CAP_SETGID and sys_setgroups() can fail via LSM, CAP_SETGID,
> NGROUPS_MAX, and ENOMEM. As such, Ubuntu plans to release a fix for this
> in our stable releases with the following changelog:
>
> * SECURITY UPDATE: cron does not check the return code of setgid() and
> initgroups(), which under certain circumstances could cause applications
> to run with elevated group privileges. Note that the more serious issue
> of not checking the return code of setuid() was fixed in 3.0pl1-64.
> (LP: #46649)
> - do_command.c: check return code of setgid() and initgroups()
> - CVE-2006-2607
>
> We thought you might be interested in doing the same.
Thanks for submitting this report. This is very helpful and a great step toward better collaboration on security issues!

mike
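The check the report asks for, written out as an added example that is neither cron's do_command.c nor part of either message: privilege-drop wrappers that test the return value of initgroups(), setgid() and setuid() and then verify the resulting identity. All function names here are assumed for illustration.

```c
/* Added example (not cron's do_command.c); function names are assumed. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
/* Redundant prototype so the block also builds under a strict -std mode. */
extern int initgroups(const char *user, gid_t group);

/* Report why a privilege call failed; errno carries the cause
 * (EPERM without CAP_SETGID/CAP_SETUID, ENOMEM, an LSM denial). */
static int log_failure(const char *call)
{
    fprintf(stderr, "%s failed: %s\n", call, strerror(errno));
    return -1;
}

/* Each wrapper returns 0 on success and -1 on failure instead of
 * ignoring the result, which is exactly the change in the changelog. */
int checked_initgroups(const char *user, gid_t gid)
{
    return initgroups(user, gid) == 0 ? 0 : log_failure("initgroups");
}
int checked_setgid(gid_t gid)
{
    return setgid(gid) == 0 ? 0 : log_failure("setgid");
}
int checked_setuid(uid_t uid)
{
    return setuid(uid) == 0 ? 0 : log_failure("setuid");
}

/* After dropping, confirm the real and effective ids are the ones asked
 * for; a silent partial drop is what the unchecked calls allowed. */
int verify_identity(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Drop to 'user' in the only order that works: supplementary groups and
 * primary gid first (they need root), uid last. Abort on any failure so
 * the job never runs with the daemon's group membership. */
int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
    if (checked_initgroups(user, gid) != 0) return -1;
    if (checked_setgid(gid) != 0) return -1;
    if (checked_setuid(uid) != 0) return -1;
    return verify_identity(uid, gid);
}
```

A caller that gets -1 from drop_privileges() must exit rather than exec the job, since any of the three calls can fail for the reasons the report lists (LSM, missing CAP_SETGID, NGROUPS_MAX, ENOMEM).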