Package: cron
Version: 3.0pl1-105
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu jaunty ubuntu-patch

Hi,

I was reviewing a list of old bugs in the Ubuntu bug tracker, and came across:
https://bugs.edge.launchpad.net/ubuntu/+source/cron/+bug/46649

I then reviewed the Ubuntu and Debian packages and found that while the most
serious issue of not checking setuid() was addressed in 3.0pl1-64, checks for
setgid() and initgroups() were not added. Other distributions (e.g. Gentoo and
RedHat) fixed these calls as well. I was then curious to see when these
two calls could fail and found that sys_setgid can fail via LSM and
CAP_SETGID, and sys_setgroups() can fail via LSM, CAP_SETGID,
NGROUPS_MAX, and ENOMEM. As such, Ubuntu plans to release a fix for this
in our stable releases with the following changelog:

  * SECURITY UPDATE: cron does not check the return code of setgid() and
    initgroups(), which under certain circumstances could cause applications
    to run with elevated group privileges. Note that the more serious issue
    of not checking the return code of setuid() was fixed in 3.0pl1-64.
    (LP: #46649)
    - do_command.c: check return code of setgid() and initgroups()
    - CVE-2006-2607

We thought you might be interested in doing the same.


-- System Information:
Debian Release: 5.0
  APT prefers jaunty-updates
  APT policy: (500, 'jaunty-updates'), (500, 'jaunty-security'), (500, 'jaunty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-11-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -u cron-3.0pl1/do_command.c cron-3.0pl1/do_command.c
--- cron-3.0pl1/do_command.c
+++ cron-3.0pl1/do_command.c
@@ -296,9 +296,21 @@
 		/* set our directory, uid and gid.  Set gid first, since once
 		 * we set uid, we've lost root privledges.
 		 */
-		setgid(e->gid);
+		if (setgid(e->gid) !=0) {
+		  char msg[256];
+		  snprintf(msg, 256, "do_command:setgid(%lu) failed: %s",
+			   (unsigned long) e->gid, strerror(errno));
+		  log_it("CRON",getpid(),"error",msg);
+		  exit(ERROR_EXIT);
+		}
 # if defined(BSD) || defined(POSIX)
-		initgroups(env_get("LOGNAME", e->envp), e->gid);
+		if (initgroups(env_get("LOGNAME", e->envp), e->gid) !=0) {
+		  char msg[256];
+		  snprintf(msg, 256, "do_command:initgroups(%lu) failed: %s",
+			   (unsigned long) e->gid, strerror(errno));
+		  log_it("CRON",getpid(),"error",msg);
+		  exit(ERROR_EXIT);
+		}
 # endif
 		if (setuid(e->uid) !=0) { /* we aren't root after this... */
 		  char msg[256];
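Review bot: the two new blocks hard-code the buffer length in `snprintf(msg, 256, ...)`; `snprintf(msg, sizeof(msg), ...)` would keep the format call in step with `char msg[256]` if the buffer is ever resized, and the same applies to the existing setuid() block below that these mirror. Otherwise the structure is right: errno is read into the message before `log_it()` can disturb it, and `exit(ERROR_EXIT)` runs in the forked child before the job command is executed, so a failed setgid() or initgroups() can no longer leave the job running with root's group membership, which is the hole the change closes.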
diff -u cron-3.0pl1/debian/changelog cron-3.0pl1/debian/changelog