Bug 49066 - cron: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.2-5-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Reported: 2019-03-25 07:18 CET by Quality Assurance
Modified: 2019-03-27 16:44 CET (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 3.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) Debian RedHat
Description Quality Assurance univentionstaff 2019-03-25 07:18:29 CET
New Debian cron 3.0pl1-127+deb8u2 fixes:
This update addresses the following issues:
* In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs. (CVE-2017-9525)
* calloc return value resulting in remote DoS (CVE-2019-9704)
* DoS (memory consumption) via a large crontab file (CVE-2019-9705)
* use-after-free resulting in DoS (CVE-2019-9706)
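The CVE-2017-9525 entry above describes a bug class rather than a single line of code: a maintainer script that runs chmod or chown over `spool/*` follows symlinks, so a user who can create entries in the group-writable spool directory can redirect the operation to a file they do not own. The script below is an added illustration of that class, not the Debian postinst and not Univention code; the directory layout, the `victim` file and the function names are constructed for the demo (chmod is used instead of chown because it does not need root, but chown follows symlinks the same way).

```shell
#!/bin/sh
# Illustration of the CVE-2017-9525 bug class (added example, not the Debian postinst).
# A maintainer script that runs chmod/chown on "$spool"/* follows symlinks, so anyone
# who can create entries in the spool directory can point the operation at a file they
# do not own. Everything lives under a temporary directory; "victim" is a constructed
# stand-in for a root-owned file such as /etc/shadow.

# Vulnerable pattern: chmod (and chown) operate on the link target, not the link.
fix_perms_unsafe() {
    chmod 0600 "$1"/*
}

# Hardened pattern: restrict the operation to regular files found without following
# links. find does not follow symlinks unless -L is given, so -type f skips the link.
fix_perms_safe() {
    find "$1" -type f -exec chmod 0600 {} +
}

# Build the scenario: an empty spool directory plus a symlink planted by the attacker.
# Prints the temporary root directory.
setup_demo() {
    root=$(mktemp -d)
    mkdir "$root/crontabs"
    printf 'not a crontab\n' > "$root/victim"   # constructed stand-in for the target file
    chmod 0644 "$root/victim"
    ln -s "$root/victim" "$root/crontabs/evil"   # what a crontab-group member could plant
    printf '%s\n' "$root"
}

# Octal permission bits of $1 (GNU stat, with a BSD fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Stand-alone run: show the outcome of each variant on a fresh scenario.
if [ "${1:-}" = "--demo" ]; then
    r=$(setup_demo)
    fix_perms_safe "$r/crontabs";   echo "safe:   victim mode $(mode_of "$r/victim")"
    fix_perms_unsafe "$r/crontabs"; echo "unsafe: victim mode $(mode_of "$r/victim")"
    rm -rf "$r"
fi
```

Run with `sh symlink-demo.sh --demo`: the safe variant leaves `victim` at 644, the unsafe variant changes it to 600 through the planted link. In the real spool (`/var/spool/cron/crontabs`, owned by root:crontab and writable by the group), the same redirect with chown is what turns group membership into control over a root-owned file.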
Comment 1 Quality Assurance univentionstaff 2019-03-25 08:00:48 CET
--- mirror/ftp/4.2/unmaintained/4.2-0/source/cron_3.0pl1-127+deb8u1.dsc
+++ apt/ucs_4.2-0-errata4.2-5/source/cron_3.0pl1-127+deb8u2.dsc
@@ -1,3 +1,31 @@
+3.0pl1-127+deb8u2 [Thu, 21 Mar 2019 20:43:10 +0100] Mike Gabriel <sunweaver@debian.org>:
+
+  [ Christian Kastner ]
+  * SECURITY: Fix bypass of /etc/cron.{allow,deny} on failure to open
+    If these files exist, then they must be readable by the user executing
+    crontab(1). Users will now be denied by default if they aren't.
+    (LP: #1813833)
+  * SECURITY: Fix for possible DoS by use-after-free
+    A user reported a use-after-free condition in the cron daemon, leading to a
+    possible Denial-of-Service scenario by crashing the daemon.
+    (CVE-2019-9706) (Closes: #809167)
+  * SECURITY: DoS: Fix unchecked return of calloc()
+    Florian Weimer discovered that a missing check for the return value of
+    calloc() could crash the daemon, which could be triggered by a very
+    large crontab created by a user. (CVE-2019-9704)
+  * Enforce maximum crontab line count of 1000 to prevent a malicious user
+    from creating an excessivly large crontab. The daemon will log a warning
+    for existing files, and crontab(1) will refuse to create new ones.
+    (CVE-2019-9705)
+  * SECURITY: group crontab to root escalation
+    via postinst as described by Alexander Peslyak (Solar Designer) in
+    http://www.openwall.com/lists/oss-security/2017/06/08/3
+    (CVE-2017-9525)
+  * Add d/NEWS altering to the new 1000 lines limit.
+
+  [ Mike Gabriel ]
+  * debian/NEWS: Fix <distribution> from unstable to jessie-security.
+
 3.0pl1-127+deb8u1 [Sun, 03 May 2015 15:25:18 +0200] Christian Kastner <debian@kvr.at>:
 
   * d/cron.service: Use KillMode=process to kill only the daemon.
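Review bot: the cron.allow/cron.deny change (LP: #1813833, first bullet) has no CVE and is not among the four CVEs listed in the description, yet it is a behaviour change: sites with an existing /etc/cron.allow or /etc/cron.deny that is not readable by ordinary users will have all of them denied by crontab(1) after this update. The errata text should call that out, together with the new 1000-line limit, which makes crontab(1) refuse crontabs it previously accepted (the daemon only warns about existing files). Two typos in the same changelog entries are user-visible: "excessivly" should be "excessively" in the CVE-2019-9705 bullet, and "Add d/NEWS altering to the new 1000 lines limit" should read "alerting".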

<http://10.200.17.11/4.2-5/#4767155941363492006>
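The changelog above introduces two checks that can bite existing installations: crontab(1) now refuses crontabs longer than 1000 lines, and users who cannot read an existing /etc/cron.allow or /etc/cron.deny are denied. The following pre-update audit is an added example, not Univention's or Debian's code; the default paths, the `--run` switch and the function names are assumptions, and the limit of 1000 and the fixed version 3.0pl1-127+deb8u2 are taken from the changelog.

```shell
#!/bin/sh
# Pre-update audit for the cron 3.0pl1-127+deb8u2 behaviour changes (added example,
# not Univention's or Debian's code). Paths are hypothetical defaults and can be
# overridden through the environment.

MAX_CRONTAB_LINES=1000                               # limit enforced by the updated crontab(1), CVE-2019-9705
FIXED_VERSION="3.0pl1-127+deb8u2"                    # version carrying the fixes from the changelog
CRONTAB_DIR="${CRONTAB_DIR:-/var/spool/cron/crontabs}"
CRON_ALLOW="${CRON_ALLOW:-/etc/cron.allow}"
CRON_DENY="${CRON_DENY:-/etc/cron.deny}"

# 0 if the crontab file $1 is within the new limit. The updated daemon only warns about
# existing oversized files, but crontab(1) will refuse to install them again.
crontab_within_limit() {
    lines=$(wc -l < "$1" | tr -d ' ')
    [ "$lines" -le "$MAX_CRONTAB_LINES" ]
}

# 0 if access-control file $1 is absent or world-readable. After the update, crontab(1)
# denies every user who cannot read an existing cron.allow/cron.deny (LP: #1813833),
# so a file with mode 0600 silently locks all non-root users out.
access_file_readable() {
    [ -e "$1" ] || return 0
    [ -n "$(find "$1" -prune -perm -o=r 2>/dev/null)" ]
}

# 0 if the installed cron version $1 is at least the fixed version. dpkg's own comparison
# is used so that the "pl1" / "+deb8u2" ordering is honoured.
cron_version_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# Walk the system, print one line per finding and return the number of findings.
audit_system() {
    findings=0
    for f in "$CRONTAB_DIR"/*; do
        [ -f "$f" ] || continue
        if ! crontab_within_limit "$f"; then
            echo "WARN: $f exceeds $MAX_CRONTAB_LINES lines; crontab(1) will refuse to reinstall it"
            findings=$((findings + 1))
        fi
    done
    for f in "$CRON_ALLOW" "$CRON_DENY"; do
        if ! access_file_readable "$f"; then
            echo "WARN: $f is not world-readable; users will be denied crontab(1) access"
            findings=$((findings + 1))
        fi
    done
    if command -v dpkg-query >/dev/null 2>&1; then
        installed=$(dpkg-query -W -f '${Version}' cron 2>/dev/null)
        if [ -n "$installed" ] && ! cron_version_fixed "$installed"; then
            echo "WARN: cron $installed is older than $FIXED_VERSION"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

if [ "${1:-}" = "--run" ]; then
    audit_system
fi
```

Run as root with `sh cron-audit.sh --run` before installing the errata; the exit status is the number of findings. The readability check tests the mode bits rather than `[ -r ]`, because the question is whether an arbitrary unprivileged user can read the file, not whether the account running the audit can.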
Comment 2 Philipp Hahn univentionstaff 2019-03-25 15:52:05 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] a77656a6fb Bug #49066: cron 3.0pl1-127+deb8u2
 doc/errata/staging/cron.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

[4.2-5] e0a8eb60dd Bug #49066: cron 3.0pl1-127+deb8u2
 doc/errata/staging/cron.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
Comment 3 Arvid Requate univentionstaff 2019-03-27 16:44:47 CET
<http://errata.software-univention.de/ucs/4.2/616.html>