Your message dated Mon, 11 Apr 2016 10:19:51 +0000 with message-id <e1apywh-0006rk...@franck.debian.org> and subject line Bug#820331: fixed in cronic 3-1 has caused the Debian Bug report #820331, regarding cronic: CVE-2016-3992: uses very predictable temporary files to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
820331: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820331
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cronic
Version: 2-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

It looks like cronic uses very predictable temporary files (like /tmp/cronic.out.$$) that depend only on the PID:

--
OUT=/tmp/cronic.out.$$
ERR=/tmp/cronic.err.$$
TRACE=/tmp/cronic.trace.$$

set +e
"$@" >$OUT 2>$TRACE
RESULT=$?
set -e
--

Once used in a root cron job, it opens a way to write garbage to any file by creating symlinks '/tmp/cronic.out.PID -> /etc/fstab'.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0+ (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages cronic depends on:
ii  bash  4.3-14+b1

cronic recommends no packages.

Versions of packages cronic suggests:
ii  cron  3.0pl1-128

-- no debconf information

-- 
WBR, Dmitry
--- End Message ---
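The report above describes the classic predictable-temp-file attack: a root cron job wrapped by cronic opens /tmp/cronic.out.$$ with a plain redirection, so whoever pre-creates that name as a symlink chooses which file root truncates and overwrites. The script below is an added example (editor's code, not the reporter's and not cronic's own fix) that reproduces the clobber in a private scratch directory standing in for /tmp, then shows the hardened pattern: a per-run directory from `mktemp -d`, unpredictable name, mode 0700, removed on exit. It assumes a POSIX sh and a `mktemp` that accepts `-d` with a template; the `vulnerable_wrapper` / `safe_wrapper` / `attack_clobbers_victim` / `safe_keeps_victim` names and the fixed PID guess 4242 are this example's inventions.

```shell
#!/bin/sh
# Added example, not cronic's own code. Reproduces the predictable-temp-file
# symlink clobber from the report inside a private scratch directory, then
# shows the hardened pattern (mktemp -d directory, cleanup on exit).
set -eu

# The vulnerable pattern from the report. $tmpdir stands in for /tmp and the
# PID is passed in so the "attacker" guess is exact; against the real $$ an
# attacker pre-creates symlinks for a range of likely PIDs instead.
vulnerable_wrapper() {
    tmpdir=$1 pid=$2
    shift 2
    OUT=$tmpdir/cronic.out.$pid
    ERR=$tmpdir/cronic.err.$pid
    TRACE=$tmpdir/cronic.trace.$pid
    set +e
    "$@" >"$OUT" 2>"$TRACE"     # O_CREAT|O_TRUNC follows a symlink to its target
    RESULT=$?
    set -e
    rm -f "$OUT" "$ERR" "$TRACE"
    return $RESULT
}

# Hardened pattern (this example's version, not necessarily upstream's): a
# fresh 0700 directory with a random name, so there is no path an attacker
# can pre-create, and nothing is left behind even when the job fails.
safe_wrapper() {
    TMP=$(mktemp -d "${TMPDIR:-/tmp}/cronic.XXXXXX") || return 1
    trap 'rm -rf "$TMP"' EXIT
    OUT=$TMP/cronic.out
    TRACE=$TMP/cronic.trace
    set +e
    "$@" >"$OUT" 2>"$TRACE"
    RESULT=$?
    set -e
    # cronic's contract: stay silent unless the job failed or wrote to stderr.
    if [ "$RESULT" -ne 0 ] || [ -s "$TRACE" ]; then
        echo "cronic detected failure (exit $RESULT) for: $*"
        echo "--- stdout ---"; cat "$OUT"
        echo "--- stderr ---"; cat "$TRACE"
    fi
    rm -rf "$TMP"
    trap - EXIT
    return $RESULT
}

# Returns 0 when the planted symlink made the vulnerable wrapper overwrite
# the victim file (constructed stand-in for /etc/fstab).
attack_clobbers_victim() {
    scratch=$(mktemp -d)
    victim=$scratch/fstab
    printf 'original content\n' >"$victim"
    guess=4242                                  # attacker's guess of the job's PID
    ln -s "$victim" "$scratch/cronic.out.$guess"
    vulnerable_wrapper "$scratch" "$guess" echo garbage || true
    if [ "$(cat "$victim")" = garbage ]; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return $rc
}

# Returns 0 when the same attack, aimed at the directory the hardened wrapper
# uses, leaves the victim untouched: the random mktemp name never matches.
safe_keeps_victim() {
    scratch=$(mktemp -d)
    victim=$scratch/fstab
    printf 'original content\n' >"$victim"
    for guess in 4240 4241 4242 4243 4244; do    # attacker sprays PID guesses
        ln -s "$victim" "$scratch/cronic.out.$guess"
    done
    old_tmpdir=${TMPDIR:-}
    TMPDIR=$scratch
    safe_wrapper echo garbage >/dev/null || true
    TMPDIR=$old_tmpdir
    if [ "$(cat "$victim")" = 'original content' ]; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return $rc
}
```

Two caveats a practitioner should keep in mind. First, Linux's fs.protected_symlinks (3.6 and later, enabled by default on most distributions) refuses to follow a symlink in a sticky world-writable directory such as /tmp when the link's owner differs from both the follower and the directory owner, which blunts the exact symlink variant above; the demo therefore uses a private scratch directory so it reproduces regardless of that sysctl. Second, that sysctl does not remove the underlying bug: an attacker who pre-creates a regular file at the predictable name still owns a file into which root will write the job's stdout and stderr, turning the write-anywhere into a disclosure of root cron output. Only an unpredictable, privately owned path fixes both.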
--- Begin Message ---
Source: cronic
Source-Version: 3-1

We believe that the bug you reported is fixed in the latest version of cronic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 820...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Lange <dl....@usrlocal.de> (supplier of updated cronic package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 10 Apr 2016 10:59:36 +0200
Source: cronic
Binary: cronic
Architecture: source
Version: 3-1
Distribution: unstable
Urgency: medium
Maintainer: Daniel Lange <dl....@usrlocal.de>
Changed-By: Daniel Lange <dl....@usrlocal.de>
Description:
 cronic     - Bash script for wrapping cron jobs to prevent excess email sending
Closes: 820331
Changes:
 cronic (3-1) unstable; urgency=medium
 .
   * Updated from upstream. (Closes: #820331)
   * Update manual to v3.
   * Update policy to 3.9.8 (no changes required).
Checksums-Sha1:
 101351e9e034906f78c1691dbb93e304858f731b 1761 cronic_3-1.dsc
 ebc01c07bfdeabc8df1c619bb85ecff9eebf6274 648 cronic_3.orig.tar.xz
 961fd6a6ba1d619f7306488ae969f24695933907 4976 cronic_3-1.debian.tar.xz
Checksums-Sha256:
 17cdb43e5106232d01389182e5fe7b0f1c9398071f41d1ffe0e4d9b2031ba761 1761 cronic_3-1.dsc
 9327fe6712b947329478dcb7d86da6463872ed1bcfc9fe4c178ff3cb6cc388a9 648 cronic_3.orig.tar.xz
 7e06810dbc0fd43ee51d5baf476c4eed2cfa6919a3c892bda22332e261badf8c 4976 cronic_3-1.debian.tar.xz
Files:
 dbf3ccdaa7b7e93189c6f3bbac4f7ab7 1761 admin optional cronic_3-1.dsc
 4fca21d4efef3488151dc83773c3c66a 648 admin optional cronic_3.orig.tar.xz
 f0b01b02f6c7ff295d99c73dd64cf5aa 4976 admin optional cronic_3-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXC2AuAAoJEK/P7I5mnOHCHXkP/jMk4OQmKjaLjDcJbRULYvZE
Zey3CsQbP/gPLWAqVS3d8VLK7M2PagWFnFT7un6FKgNDoFYRbKfLFSbYHRUAd5LB
DcebHdrLzPfaUzQ+3GLPTdG69uYX6lURSa7jLztF7Ze7kvHeQN6TB6vbugbLMPZF
4UDsQYwPf6FO2KyPnSTzmflq71oRPTPSYwcsb38VuQ3X9pENp1J/pfsSStKLK7T+
hCpzs9w2rJqjzoKayPOxG0caXdhM4YROGewBYvU2h/NgoY90ijcyGDPmLL9HC+us
cVO3q8gXcomzHvV5ALLru/ZAT3jBDkjfHnbkqJ9Rlsqc4KGZmG2ylPZH5QMRheZS
bUg3hm2KuuUR1t4RYr/Ict7CWLXqiecGWqKesbtgRhAYKf/+wQ4G7k4EUHWvA2tt
5xc11VyRHypoo1le5wHuDGItPF/rXQDj61SwwpF4uU1EB1O9hJkMFXi/H9XqiXmD
A8qrq4v6mwRRO1OXwHkK2qj+MoZ2yVAABFeaip//tS+q79f71ghLAONx/E29vWKO
0vzoswZirivzap0G/3jqJWDHUagsaKLdTOJvC7Diot09RGvD4FSV4fXDjP3cLByj
gHbm7nOiz9rs9P4P2BPYyJWUVAip1XhL3+OWXUMNQR8hSHRqj9LkO0ilGCrLsVyq
I6Z9cdqKleDYWAw0sz3V
=Gntq
-----END PGP SIGNATURE-----
--- End Message ---