Debian Bug report logs -
#820331
cronic: CVE-2016-3992: uses very predictable temporary files
Reported by: Dmitry Nezhevenko <dion@dion.org.ua>
Date: Thu, 7 Apr 2016 13:39:02 UTC
Severity: grave
Tags: security, upstream
Found in version cronic/2-1
Fixed in version cronic/3-1
Done: Daniel Lange <dl.ml1@usrlocal.de>
Bug is archived. No further changes may be made.
Outlook: Asked upstream whether original author wants to fix this / has a preferred temp file creation method. Otherwise I'll patch with mktemp.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Daniel Lange <dl.ml1@usrlocal.de>:
Bug#820331; Package cronic.
(Thu, 07 Apr 2016 13:39:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Dmitry Nezhevenko <dion@dion.org.ua>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Daniel Lange <dl.ml1@usrlocal.de>.
(Thu, 07 Apr 2016 13:39:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: cronic
Version: 2-1
Severity: grave
Tags: security
Justification: user security hole
Hi,
It looks like cronic uses very predictable temporary files (like
/tmp/cronic.out.$$) that depends only on PID:
--
OUT=/tmp/cronic.out.$$
ERR=/tmp/cronic.err.$$
TRACE=/tmp/cronic.trace.$$
set +e
"$@" >$OUT 2>$TRACE
RESULT=$?
set -e
--
Once used in root cron job, it opens a way to write garbage to any file by
creating symlinks '/tmp/cronic.out.PID -> /etc/fstab'
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0+ (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages cronic depends on:
ii bash 4.3-14+b1
cronic recommends no packages.
Versions of packages cronic suggests:
ii cron 3.0pl1-128
-- no debconf information
--
WBR, Dmitry
[signature.asc (application/pgp-signature, inline)]
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 07 Apr 2016 19:30:11 GMT) (full text, mbox, link).
Outlook recorded from message bug 820331 message
Request was from Daniel Lange <dl.ml1@usrlocal.de>
to control@bugs.debian.org.
(Fri, 08 Apr 2016 09:27:07 GMT) (full text, mbox, link).
Removed outlook
Request was from Daniel Lange <dl.ml1@usrlocal.de>
to control@bugs.debian.org.
(Fri, 08 Apr 2016 09:33:06 GMT) (full text, mbox, link).
Outlook recorded from message bug 820331 message
Request was from Daniel Lange <dl.ml1@usrlocal.de>
to control@bugs.debian.org.
(Fri, 08 Apr 2016 10:21:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Daniel Lange <dl.ml1@usrlocal.de>:
Bug#820331; Package cronic.
(Sun, 10 Apr 2016 16:48:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Lange <dl.ml1@usrlocal.de>.
(Sun, 10 Apr 2016 16:48:09 GMT) (full text, mbox, link).
Message #18 received at 820331@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 cronic: CVE-2016-3992: uses very predictable temporary files
Hi,
On Thu, Apr 07, 2016 at 04:37:00PM +0300, Dmitry Nezhevenko wrote:
> Package: cronic
> Version: 2-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> It looks like cronic uses very predictable temporary files (like
> /tmp/cronic.out.$$) that depends only on PID:
>
> --
> OUT=/tmp/cronic.out.$$
> ERR=/tmp/cronic.err.$$
> TRACE=/tmp/cronic.trace.$$
>
> set +e
> "$@" >$OUT 2>$TRACE
> RESULT=$?
> set -e
> --
>
> Once used in root cron job, it opens a way to write garbage to any file by
> creating symlinks '/tmp/cronic.out.PID -> /etc/fstab'
CVE-2016-3992 has been assigned for this issue. Can you forward this
to upstream and as well include the CVE id reference in
debian/changelog when fixing this issue?
Regards,
Salvatore
Changed Bug title to 'cronic: CVE-2016-3992: uses very predictable temporary files' from 'cronic: uses very predictable temporary files'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 820331-submit@bugs.debian.org.
(Sun, 10 Apr 2016 16:48:09 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#820331; Package cronic.
(Sun, 10 Apr 2016 18:15:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Daniel Lange <dl.ml1@usrlocal.de>:
Extra info received and forwarded to list.
(Sun, 10 Apr 2016 18:15:11 GMT) (full text, mbox, link).
Message #25 received at 820331@bugs.debian.org (full text, mbox, reply):
Am 10.04.2016 18:46, schrieb Salvatore Bonaccorso:
> CVE-2016-3992 has been assigned for this issue. Can you forward this
> to upstream and as well include the CVE id reference in
> debian/changelog when fixing this issue?
Upstream has already fixed yesterday and I packaged the v3 for Debian
this morning.
It's just waiting for Graham to upload. I'm a mere mortal, I can't :).
Information forwarded
to debian-bugs-dist@lists.debian.org, Daniel Lange <dl.ml1@usrlocal.de>:
Bug#820331; Package cronic.
(Mon, 11 Apr 2016 04:54:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Lange <dl.ml1@usrlocal.de>.
(Mon, 11 Apr 2016 04:54:03 GMT) (full text, mbox, link).
Message #30 received at 820331@bugs.debian.org (full text, mbox, reply):
Hi Daniel,
On Sun, Apr 10, 2016 at 08:12:15PM +0200, Daniel Lange wrote:
> Am 10.04.2016 18:46, schrieb Salvatore Bonaccorso:
> >CVE-2016-3992 has been assigned for this issue. Can you forward this to
> >upstream and as well include the CVE id reference in debian/changelog when
> >fixing this issue?
> Upstream has already fixed yesterday and I packaged the v3 for Debian this
> morning.
> It's just waiting for Graham to upload. I'm a mere mortal, I can't :).
Ok no problem :)
Regards,
Salvatore
Reply sent
to Daniel Lange <dl.ml1@usrlocal.de>:
You have taken responsibility.
(Mon, 11 Apr 2016 10:21:04 GMT) (full text, mbox, link).
Notification sent
to Dmitry Nezhevenko <dion@dion.org.ua>:
Bug acknowledged by developer.
(Mon, 11 Apr 2016 10:21:05 GMT) (full text, mbox, link).
Message #35 received at 820331-close@bugs.debian.org (full text, mbox, reply):
Source: cronic
Source-Version: 3-1
We believe that the bug you reported is fixed in the latest version of
cronic, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 820331@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Lange <dl.ml1@usrlocal.de> (supplier of updated cronic package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 10 Apr 2016 10:59:36 +0200
Source: cronic
Binary: cronic
Architecture: source
Version: 3-1
Distribution: unstable
Urgency: medium
Maintainer: Daniel Lange <dl.ml1@usrlocal.de>
Changed-By: Daniel Lange <dl.ml1@usrlocal.de>
Description:
cronic - Bash script for wrapping cron jobs to prevent excess email sendin
Closes: 820331
Changes:
cronic (3-1) unstable; urgency=medium
.
* Updated from upstream. (Closes: #820331)
* Update manual to v3.
* Update policy to 3.9.8 (no changes required).
Checksums-Sha1:
101351e9e034906f78c1691dbb93e304858f731b 1761 cronic_3-1.dsc
ebc01c07bfdeabc8df1c619bb85ecff9eebf6274 648 cronic_3.orig.tar.xz
961fd6a6ba1d619f7306488ae969f24695933907 4976 cronic_3-1.debian.tar.xz
Checksums-Sha256:
17cdb43e5106232d01389182e5fe7b0f1c9398071f41d1ffe0e4d9b2031ba761 1761 cronic_3-1.dsc
9327fe6712b947329478dcb7d86da6463872ed1bcfc9fe4c178ff3cb6cc388a9 648 cronic_3.orig.tar.xz
7e06810dbc0fd43ee51d5baf476c4eed2cfa6919a3c892bda22332e261badf8c 4976 cronic_3-1.debian.tar.xz
Files:
dbf3ccdaa7b7e93189c6f3bbac4f7ab7 1761 admin optional cronic_3-1.dsc
4fca21d4efef3488151dc83773c3c66a 648 admin optional cronic_3.orig.tar.xz
f0b01b02f6c7ff295d99c73dd64cf5aa 4976 admin optional cronic_3-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJXC2AuAAoJEK/P7I5mnOHCHXkP/jMk4OQmKjaLjDcJbRULYvZE
Zey3CsQbP/gPLWAqVS3d8VLK7M2PagWFnFT7un6FKgNDoFYRbKfLFSbYHRUAd5LB
DcebHdrLzPfaUzQ+3GLPTdG69uYX6lURSa7jLztF7Ze7kvHeQN6TB6vbugbLMPZF
4UDsQYwPf6FO2KyPnSTzmflq71oRPTPSYwcsb38VuQ3X9pENp1J/pfsSStKLK7T+
hCpzs9w2rJqjzoKayPOxG0caXdhM4YROGewBYvU2h/NgoY90ijcyGDPmLL9HC+us
cVO3q8gXcomzHvV5ALLru/ZAT3jBDkjfHnbkqJ9Rlsqc4KGZmG2ylPZH5QMRheZS
bUg3hm2KuuUR1t4RYr/Ict7CWLXqiecGWqKesbtgRhAYKf/+wQ4G7k4EUHWvA2tt
5xc11VyRHypoo1le5wHuDGItPF/rXQDj61SwwpF4uU1EB1O9hJkMFXi/H9XqiXmD
A8qrq4v6mwRRO1OXwHkK2qj+MoZ2yVAABFeaip//tS+q79f71ghLAONx/E29vWKO
0vzoswZirivzap0G/3jqJWDHUagsaKLdTOJvC7Diot09RGvD4FSV4fXDjP3cLByj
gHbm7nOiz9rs9P4P2BPYyJWUVAip1XhL3+OWXUMNQR8hSHRqj9LkO0ilGCrLsVyq
I6Z9cdqKleDYWAw0sz3V
=Gntq
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 16 May 2016 07:29:52 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:27:07 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon