Univention Bugzilla – Bug 49066
cron: Multiple issues (4.2)
Last modified: 2019-03-27 16:44:47 CET
New Debian cron 3.0pl1-127+deb8u2 fixes: This update addresses the following issues:
* In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs. (CVE-2017-9525)
* calloc return value resulting in remote DoS (CVE-2019-9704)
* DoS (memory consumption) via a large crontab file (CVE-2019-9705)
* use-after-free resulting in DoS (CVE-2019-9706)
--- mirror/ftp/4.2/unmaintained/4.2-0/source/cron_3.0pl1-127+deb8u1.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/cron_3.0pl1-127+deb8u2.dsc @@ -1,3 +1,31 @@ +3.0pl1-127+deb8u2 [Thu, 21 Mar 2019 20:43:10 +0100] Mike Gabriel <sunweaver@debian.org>: + + [ Christian Kastner ] + * SECURITY: Fix bypass of /etc/cron.{allow,deny} on failure to open + If these files exist, then they must be readable by the user executing + crontab(1). Users will now be denied by default if they aren't. + (LP: #1813833) + * SECURITY: Fix for possible DoS by use-after-free + A user reported a use-after-free condition in the cron daemon, leading to a + possible Denial-of-Service scenario by crashing the daemon. + (CVE-2019-9706) (Closes: #809167) + * SECURITY: DoS: Fix unchecked return of calloc() + Florian Weimer discovered that a missing check for the return value of + calloc() could crash the daemon, which could be triggered by a very + large crontab created by a user. (CVE-2019-9704) + * Enforce maximum crontab line count of 1000 to prevent a malicious user + from creating an excessivly large crontab. The daemon will log a warning + for existing files, and crontab(1) will refuse to create new ones. + (CVE-2019-9705) + * SECURITY: group crontab to root escalation + via postinst as described by Alexander Peslyak (Solar Designer) in + http://www.openwall.com/lists/oss-security/2017/06/08/3 + (CVE-2017-9525) + * Add d/NEWS altering to the new 1000 lines limit. + + [ Mike Gabriel ] + * debian/NEWS: Fix <distribution> from unstable to jessie-security. + 3.0pl1-127+deb8u1 [Sun, 03 May 2015 15:25:18 +0200] Christian Kastner <debian@kvr.at>: * d/cron.service: Use KillMode=process to kill only the daemon. <http://10.200.17.11/4.2-5/#4767155941363492006>
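Review bot: The changelog hunk carries a fifth security fix that the bug description and the errata text do not mention: the /etc/cron.{allow,deny} bypass on failure to open (LP: #1813833), where users are now denied when the files exist but cannot be read. Since this changes behaviour for deployments with unreadable allow/deny files, it should be listed in doc/errata/staging/cron.yaml alongside the four CVEs, and the 1000-line crontab limit (CVE-2019-9705) deserves the same note, because the daemon only warns about existing oversized crontabs while crontab(1) refuses to create new ones. Two wording points in the same hunk: "excessivly large crontab" should read "excessively", and "Add d/NEWS altering to the new 1000 lines limit" presumably means "alerting".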
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] a77656a6fb Bug #49066: cron 3.0pl1-127+deb8u2
 doc/errata/staging/cron.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

[4.2-5] e0a8eb60dd Bug #49066: cron 3.0pl1-127+deb8u2
 doc/errata/staging/cron.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
<http://errata.software-univention.de/ucs/4.2/616.html>