Your message dated Wed, 13 May 2009 00:32:03 +0000
with message-id <e1m42ob-0007vg...@ries.debian.org>
and subject line Bug#528434: fixed in cron 3.0pl1-106
has caused the Debian Bug report #528434,
regarding cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
528434: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528434
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cron
Version: 3.0pl1-105
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu jaunty ubuntu-patch

Hi,

I was reviewing a list of old bugs in the Ubuntu bug tracker, and came across:
https://bugs.edge.launchpad.net/ubuntu/+source/cron/+bug/46649

I then reviewed the Ubuntu and Debian packages and found that while the most
serious issue of not checking setuid() was addressed in 3.0pl1-64, checks for
setgid() and initgroups() were not added. Other distributions (e.g. Gentoo and
RedHat) fixed these calls as well. I was then curious to see when these
two calls could fail and found that sys_setgid can fail via LSM and
CAP_SETGID and sys_setgroups() can fail via LSM, CAP_SETGID,
NGROUPS_MAX, and ENOMEM. As such, Ubuntu plans to release a fix for this
in our stable releases with the following changelog:

  * SECURITY UPDATE: cron does not check the return code of setgid() and
    initgroups(), which under certain circumstances could cause applications
    to run with elevated group privileges. Note that the more serious issue
    of not checking the return code of setuid() was fixed in 3.0pl1-64.
    (LP: #46649)
    - do_command.c: check return code of setgid() and initgroups()
    - CVE-2006-2607

We thought you might be interested in doing the same.


-- System Information:
Debian Release: 5.0
  APT prefers jaunty-updates
  APT policy: (500, 'jaunty-updates'), (500, 'jaunty-security'), (500, 'jaunty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-11-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u cron-3.0pl1/do_command.c cron-3.0pl1/do_command.c
--- cron-3.0pl1/do_command.c
+++ cron-3.0pl1/do_command.c
@@ -296,9 +296,21 @@
 		/* set our directory, uid and gid.  Set gid first, since once
 		 * we set uid, we've lost root privledges.
 		 */
-		setgid(e->gid);
+		if (setgid(e->gid) !=0) {
+		  char msg[256];
+		  snprintf(msg, 256, "do_command:setgid(%lu) failed: %s",
+			   (unsigned long) e->gid, strerror(errno));
+		  log_it("CRON",getpid(),"error",msg);
+		  exit(ERROR_EXIT);
+		}
 # if defined(BSD) || defined(POSIX)
-		initgroups(env_get("LOGNAME", e->envp), e->gid);
+		if (initgroups(env_get("LOGNAME", e->envp), e->gid) !=0) {
+		  char msg[256];
+		  snprintf(msg, 256, "do_command:initgroups(%lu) failed: %s",
+			   (unsigned long) e->gid, strerror(errno));
+		  log_it("CRON",getpid(),"error",msg);
+		  exit(ERROR_EXIT);
+		}
 # endif
 		if (setuid(e->uid) !=0) { /* we aren't root after this... */
 		  char msg[256];
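Review bot: the initgroups() error message in this hunk logs only e->gid, but initgroups(3) resolves the supplementary group list from the user name passed as its first argument, here env_get("LOGNAME", e->envp), so a failure caused by that name (absent from the environment or unresolvable in the group database) is logged without the value that explains it. Suggest including the name, e.g. "do_command:initgroups(%s,%lu) failed: %s". Minor style point: with this hunk the snprintf/log_it/exit(ERROR_EXIT) sequence now appears three times in succession (setgid, initgroups, setuid in the following context); a small static helper taking the call name and the id would keep the three blocks identical and make the next such check harder to get wrong.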
diff -u cron-3.0pl1/debian/changelog cron-3.0pl1/debian/changelog

--- End Message ---
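The bug report above describes why an unchecked setgid()/initgroups() matters: initgroups() ends in setgroups(), which needs CAP_SETGID and can fail with EPERM, EINVAL (more than NGROUPS_MAX groups) or ENOMEM, and a job launcher that ignores that keeps the parent's (root's) supplementary groups. The following is an added example, not cron's code and not part of the report: a privilege-drop routine in the same order cron uses (supplementary groups, then gid, then uid) that reports which step failed and then verifies the resulting identity, including that root cannot be regained. All function and enum names (drop_privileges, privileges_dropped, drop_step_name, current_user_name) are this example's own. Run unprivileged, it shows exactly the case the old code would have ignored: initgroups() fails with EPERM and the job is refused instead of started.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* initgroups() is a BSD/misc extension in glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Which step of the drop failed; the caller logs it and refuses to run the job. */
enum drop_step { DROP_OK = 0, DROP_INITGROUPS, DROP_SETGID, DROP_SETUID, DROP_VERIFY };

const char *drop_step_name(enum drop_step s)
{
    switch (s) {
    case DROP_OK:         return "ok";
    case DROP_INITGROUPS: return "initgroups";
    case DROP_SETGID:     return "setgid";
    case DROP_SETUID:     return "setuid";
    case DROP_VERIFY:     return "verify";
    }
    return "unknown";
}

/* True only if the process now has exactly the requested identity.  When the
 * target is not root, also prove root cannot be regained: setuid(0) must fail
 * (it would succeed if a saved set-user-ID of 0 were still around). */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;
    return 1;
}

/* Drop to name/uid/gid, checking every call.  initgroups() must come before
 * setuid(): it calls setgroups(), which needs CAP_SETGID, and that capability
 * is gone once the process is no longer root.  On failure *err holds errno. */
enum drop_step drop_privileges(const char *name, uid_t uid, gid_t gid, int *err)
{
    *err = 0;
    if (initgroups(name, gid) != 0) { *err = errno; return DROP_INITGROUPS; }
    if (setgid(gid) != 0)           { *err = errno; return DROP_SETGID; }
    if (setuid(uid) != 0)           { *err = errno; return DROP_SETUID; }
    if (!privileges_dropped(uid, gid)) return DROP_VERIFY;
    return DROP_OK;
}

/* Account name for the calling uid; "nobody" if the passwd database has no
 * entry (the name only drives the group lookup inside initgroups()). */
const char *current_user_name(void)
{
    struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_name : "nobody";
}

int main(void)
{
    int err = 0;
    uid_t uid = getuid();
    gid_t gid = getgid();
    enum drop_step r = drop_privileges(current_user_name(), uid, gid, &err);
    if (r != DROP_OK) {
        /* This is the branch the unchecked cron code did not have. */
        fprintf(stderr, "%s(%lu) failed: %s -- refusing to run the job\n",
                drop_step_name(r),
                (unsigned long)(r == DROP_SETUID ? uid : gid), strerror(err));
        return 1;
    }
    printf("job would run as uid=%lu gid=%lu\n",
           (unsigned long)uid, (unsigned long)gid);
    return 0;
}
```

Dropping to one's own uid/gid is a no-op for setgid() and setuid(), so as an ordinary user the only call that can fail is initgroups(), and it does (EPERM, no CAP_SETGID); as root with setgroups permitted all four steps succeed. A launcher that runs jobs as other users should call drop_privileges() in the child right before exec and treat anything but DROP_OK as fatal, exactly as the patched cron now does.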
--- Begin Message ---
Source: cron
Source-Version: 3.0pl1-106

We believe that the bug you reported is fixed in the latest version of
cron, which is due to be installed in the Debian FTP archive:

cron_3.0pl1-106.diff.gz
  to pool/main/c/cron/cron_3.0pl1-106.diff.gz
cron_3.0pl1-106.dsc
  to pool/main/c/cron/cron_3.0pl1-106.dsc
cron_3.0pl1-106_i386.deb
  to pool/main/c/cron/cron_3.0pl1-106_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <j...@debian.org> (supplier of updated cron 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 13 May 2009 01:05:41 +0200
Source: cron
Binary: cron
Architecture: source i386
Version: 3.0pl1-106
Distribution: unstable
Urgency: high
Maintainer: Javier Fernandez-Sanguino Pen~a <j...@computer.org>
Changed-By: Javier Fernandez-Sanguino Pen~a <j...@debian.org>
Description: 
 cron       - process scheduling daemon
Closes: 405474 413962 452460 468262 485452 497699 500610 502650 511684 514062 514721 528434
Changes: 
 cron (3.0pl1-106) unstable; urgency=high
 .
    * SECURITY UPDATE: cron does not check the return code of setgid() and
    initgroups(), which under certain circumstances could cause
    applications to run with elevated group privileges. Note that the more
    serious issue of not checking the return code of setuid() was fixed already
    in 3.0pl1-64.  (Closes: #528434)
     - do_command.c: check return code of setgid() and initgroups()
     - This fixes (hopefully completely) CVE-2006-2607
    * crontab.c:
       - close the temporary file after it is edited and
         before calling cleanup_tmp_crontab() to behave properly on NFS
         mounted / (Closes: #413962)
       - if crontab is run without argument then it will read stdin to replace
         the user's crontab. This way it is POSIXLY_CORRECT. More information at
         http://www.opengroup.org/onlinepubs/9699919799/utilities/crontab.html
         (Closes: #514062)
    * crontab.5 :
       - Add details about multiple recipients in MAILTO (LP: #235464)
         (Closes: #502650)
       - Indicate that it also reads environment from /etc/environment
       - Substitute ATT for AT&T (Closes: #405474)
    * Proper fix for PAM configuration to make cron read the system
      environment (Closes: #511684)
    * debian/cron.init:
        - Add support for 'status' in the init.d (Closes: #514721)
        - Use 'cron' instead of 'crond' (Closes: #497699)
    * Change lockfile-progs from Suggests: to Recommends: and remove wording
      related to dselect, which is no longer relevant (Closes: #452460, #468262)
    * Change the (outdated) wording of the description based on an example
      provided by Justin B Rye (Closes: #485452)
    * Change the postinst so that update-rc.d is only run if /etc/init.d/cron is
      executable (Closes: #500610)
Checksums-Sha1: 
 e126ee949966e4ad31bf4fe8446391944ef6e3d1 1057 cron_3.0pl1-106.dsc
 f4581b993d48c6dce3ce34dbd8ff61030f9986f4 70760 cron_3.0pl1-106.diff.gz
 1a6fba880e467bebaa67dbbbf7408b566be39789 82630 cron_3.0pl1-106_i386.deb
Checksums-Sha256: 
 92bfb781a65d06a75eaa2bdf713f164ad5bcad20fcd3a599196a25149362f0cb 1057 cron_3.0pl1-106.dsc
 bbec885b1c783756385aff56162df528a21296e8f6561e5717a9190a34fe5ebb 70760 cron_3.0pl1-106.diff.gz
 7c4c22b8101403ad9b97e158c69e475aaf67c63fb9ef61c20013d5641b08c9d4 82630 cron_3.0pl1-106_i386.deb
Files: 
 44eb5eb1046cf2e77034a2f94198b779 1057 admin important cron_3.0pl1-106.dsc
 490fa1083359db207a9b8678fc505190 70760 admin important cron_3.0pl1-106.diff.gz
 bdef1e0aa346a217fa6cba8873fb967c 82630 admin important cron_3.0pl1-106_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKChDqsandgtyBSwkRAoBLAJ9/Io7a+VEspBl0NC6NF0XcFTBengCcCnn+
5kbwiezbFZiYz/zhitX+CEc=
=U+PT
-----END PGP SIGNATURE-----



--- End Message ---