cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked)

Related Vulnerabilities: CVE-2006-2607  

Debian Bug report logs - #528434


Package: cron; Maintainer for cron is Javier Fernández-Sanguino Peña <jfs@debian.org>; Source for cron is src:cron.

Reported by: Jamie Strandboge <jamie@ubuntu.com>

Date: Tue, 12 May 2009 21:57:03 UTC

Severity: grave

Tags: patch, security

Found in version cron/3.0pl1-105

Fixed in version cron/3.0pl1-106

Done: Javier Fernandez-Sanguino Pen~a <jfs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Javier Fernandez-Sanguino Pen~a <jfs@computer.org>:
Bug#528434; Package cron. (Tue, 12 May 2009 21:57:09 GMT)


Acknowledgement sent to Jamie Strandboge <jamie@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Javier Fernandez-Sanguino Pen~a <jfs@computer.org>. (Tue, 12 May 2009 21:57:15 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jamie Strandboge <jamie@ubuntu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked)
Date: Tue, 12 May 2009 16:53:41 -0500
[Message part 1 (text/plain, inline)]
Package: cron
Version: 3.0pl1-105
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu jaunty ubuntu-patch

Hi,

I was reviewing a list of old bugs in the Ubuntu bug tracker, and came across:
https://bugs.edge.launchpad.net/ubuntu/+source/cron/+bug/46649

I then reviewed the Ubuntu and Debian packages and found that while the most
serious issue of not checking setuid() was addressed in 3.0pl1-64, checks for
setgid() and initgroups() were not added. Other distributions (eg Gentoo and
RedHat) fixed these calls as well. I was then curious to see when these
two calls could fail and found that sys_setgid can fail via LSM and
CAP_SETGID and sys_setgroups() can fail via LSM, CAP_SETGID,
NGROUPS_MAX, and ENOMEM. As such, Ubuntu plans to release a fix for this
in our stable releases with the following changelog:

  * SECURITY UPDATE: cron does not check the return code of setgid() and
    initgroups(), which under certain circumstances could cause applications
    to run with elevated group privileges. Note that the more serious issue
    of not checking the return code of setuid() was fixed in 3.0pl1-64.
    (LP: #46649)
    - do_command.c: check return code of setgid() and initgroups()
    - CVE-2006-2607

We thought you might be interested in doing the same.


-- System Information:
Debian Release: 5.0
  APT prefers jaunty-updates
  APT policy: (500, 'jaunty-updates'), (500, 'jaunty-security'), (500, 'jaunty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-11-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[tmpLzJLLq (text/x-diff, attachment)]
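The pattern the report (and the later popen.c follow-up) asks for, as an added example that is not cron's own code: the initgroups() -> setgid() -> setuid() drop that do_command.c performs before starting a job, with every return value checked and the job refused on the first failure. The `priv_ops` table, `drop_result` and the mock syscalls are assumptions of this example so the failure paths can be exercised without root.

```c
/* Added example, not cron's own code: the initgroups() -> setgid() -> setuid()
 * drop do_command.c performs before a job, with every return value checked.
 * priv_ops, drop_result and the mocks are assumptions of this example. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
typedef struct { /* syscall table: real calls in the daemon, mocks in tests */
    int (*initgroups_fn)(const char *user, gid_t gid);
    int (*setgid_fn)(gid_t gid);
    int (*setuid_fn)(uid_t uid);
} priv_ops;
enum drop_result {
    DROP_OK = 0,
    DROP_INITGROUPS_FAILED, /* setgroups() refused: LSM, CAP_SETGID, NGROUPS_MAX, ENOMEM */
    DROP_SETGID_FAILED,     /* setgid() refused: LSM or CAP_SETGID */
    DROP_SETUID_FAILED      /* the case cron has checked since 3.0pl1-64 */
};
static enum drop_result fail(const char *call, enum drop_result r) {
    fprintf(stderr, "%s failed: %s; job not started\n", call, strerror(errno));
    return r;
}

/* Groups first, then uid: the group calls need CAP_SETGID, which setuid() gives
 * up. The first failure aborts the sequence, so a job never runs with the
 * daemon's group identity left in place (the condition this report describes). */
enum drop_result drop_privileges_with(const priv_ops *ops, const char *user,
                                      uid_t uid, gid_t gid) {
    if (ops->initgroups_fn(user, gid) != 0) return fail("initgroups", DROP_INITGROUPS_FAILED);
    if (ops->setgid_fn(gid) != 0)           return fail("setgid", DROP_SETGID_FAILED);
    if (ops->setuid_fn(uid) != 0)           return fail("setuid", DROP_SETUID_FAILED);
    return DROP_OK;
}
const priv_ops real_ops = { initgroups, setgid, setuid }; /* for the forked job child */

/* Mocks: a setgid() refused with EPERM, and a counter proving setuid() is
 * never reached after the refusal. */
static int setuid_calls;
static int mock_initgroups(const char *u, gid_t g) { (void)u; (void)g; return 0; }
static int mock_setgid_ok(gid_t g) { (void)g; return 0; }
static int mock_setgid_eperm(gid_t g) { (void)g; errno = EPERM; return -1; }
static int mock_setuid(uid_t u) { (void)u; setuid_calls++; return 0; }
enum drop_result simulate_drop(int setgid_refused) {
    priv_ops ops = { mock_initgroups, setgid_refused ? mock_setgid_eperm : mock_setgid_ok, mock_setuid };
    setuid_calls = 0;
    return drop_privileges_with(&ops, "nobody", 65534, 65534);
}
int last_setuid_calls(void) { return setuid_calls; }
```

In the daemon the child would call `drop_privileges_with(&real_ops, ...)` and `_exit` on anything but `DROP_OK`; the unchecked original proceeded to exec regardless, which is exactly what the patch in this report closes.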

Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@computer.org>:
Bug#528434; Package cron. (Wed, 13 May 2009 00:18:06 GMT)


Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernandez-Sanguino Pen~a <jfs@computer.org>. (Wed, 13 May 2009 00:18:06 GMT)


Message #10 received at 528434@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Jamie Strandboge <jamie@ubuntu.com>, 528434@bugs.debian.org
Subject: Re: Bug#528434: cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked)
Date: Wed, 13 May 2009 02:15:43 +0200
[Message part 1 (text/plain, inline)]
On Tue, May 12, 2009 at 04:53:41PM -0500, Jamie Strandboge wrote:
> I then reviewed the Ubuntu and Debian packages and found that while the most
> serious issue of not checking setuid() was addressed in 3.0pl1-64, checks for
> setgid() and initgroups() were not added. Other distributions (eg Gentoo and
> RedHat) fixed these calls as well. I was then curious to see when these
(...)

Thanks for noticing this, I have just uploaded a package including this fix.

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Reply sent to Javier Fernandez-Sanguino Pen~a <jfs@debian.org>:
You have taken responsibility. (Wed, 13 May 2009 00:54:21 GMT)


Notification sent to Jamie Strandboge <jamie@ubuntu.com>:
Bug acknowledged by developer. (Wed, 13 May 2009 00:54:22 GMT)


Message #15 received at 528434-close@bugs.debian.org:

From: Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
To: 528434-close@bugs.debian.org
Subject: Bug#528434: fixed in cron 3.0pl1-106
Date: Wed, 13 May 2009 00:32:03 +0000
Source: cron
Source-Version: 3.0pl1-106

We believe that the bug you reported is fixed in the latest version of
cron, which is due to be installed in the Debian FTP archive:

cron_3.0pl1-106.diff.gz
  to pool/main/c/cron/cron_3.0pl1-106.diff.gz
cron_3.0pl1-106.dsc
  to pool/main/c/cron/cron_3.0pl1-106.dsc
cron_3.0pl1-106_i386.deb
  to pool/main/c/cron/cron_3.0pl1-106_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528434@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <jfs@debian.org> (supplier of updated cron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 13 May 2009 01:05:41 +0200
Source: cron
Binary: cron
Architecture: source i386
Version: 3.0pl1-106
Distribution: unstable
Urgency: high
Maintainer: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Changed-By: Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
Description: 
 cron       - process scheduling daemon
Closes: 405474 413962 452460 468262 485452 497699 500610 502650 511684 514062 514721 528434
Changes: 
 cron (3.0pl1-106) unstable; urgency=high
 .
    * SECURITY UPDATE: cron does not check the return code of setgid() and
    initgroups(), which under certain circumstances could cause
    applications to run with elevated group privileges. Note that the more
    serious issue of not checking the return code of setuid() was fixed already
    in 3.0pl1-64.  (Closes: #528434)
     - do_command.c: check return code of setgid() and initgroups()
     - This fixes (hopefully completely) CVE-2006-2607
    * crontab.c:
       - close the temporary file after it is edited and
         before calling cleanup_tmp_crontab() to behave properly on NFS
         mounted / (Closes: #413962)
       - if crontab is run without argument then it will read stdin to replace
         the users crontab. This way it is POSIXLY_CORRECT. More information at
         http://www.opengroup.org/onlinepubs/9699919799/utilities/crontab.html
         (Closes: #514062)
    * crontab.5 :
       - Add details about multiple recipients in MAILTO (LP: #235464)
         (Closes: #502650)
       - Indicate that it also reads environment from /etc/environment
       - Substitute ATT for AT&T (Closes: #405474)
    * Proper fix for PAM configuration to make cron read the system
      environment (Closes: #511684)
    * debian/cron.init:
        - Add support for 'status' in the init.d (Closes: #514721)
        - Use 'cron' instead of 'crond' (Closes: #497699)
    * Change lockfile-progs from Suggests: to Recommends: and remove wording
      related to dselect, which is no longer relevant (Closes: #452460, #468262)
    * Change the (outdated) wording of the description based on an example
      provided by Justin B Rye (Closes: 485452)
    * Change the postinst so that update-rc.d is only run if /etc/init.d/cron is
      executable (Closes: #500610)


Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@computer.org>:
Bug#528434; Package cron. (Thu, 14 May 2009 15:06:02 GMT)


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Javier Fernandez-Sanguino Pen~a <jfs@computer.org>. (Thu, 14 May 2009 15:06:02 GMT)


Message #20 received at 528434@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: Jamie Strandboge <jamie@ubuntu.com>, 528434@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#528434: cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked)
Date: Thu, 14 May 2009 11:02:44 -0400
On Tue, 12 May 2009 16:53:41 -0500, Jamie Strandboge wrote:
> Package: cron
> Version: 3.0pl1-105
> Severity: grave
> Tags: patch security
> Justification: user security hole
> User: ubuntu-devel@lists.ubuntu.com
> Usertags: origin-ubuntu jaunty ubuntu-patch
> 
> Hi,
> 
> I was reviewing a list of old bugs in the Ubuntu bug tracker, and came across:
> https://bugs.edge.launchpad.net/ubuntu/+source/cron/+bug/46649
> 
> I then reviewed the Ubuntu and Debian packages and found that while the most
> serious issue of not checking setuid() was addressed in 3.0pl1-64, checks for
> setgid() and initgroups() were not added. Other distributions (eg Gentoo and
> RedHat) fixed these calls as well. I was then curious to see when these
> two calls could fail and found that sys_setgid can fail via LSM and
> CAP_SETGID and sys_setgroups() can fail via LSM, CAP_SETGID,
> NGROUPS_MAX, and ENOMEM. As such, Ubuntu plans to release a fix for this
> in our stable releases with the following changelog:
> 
>   * SECURITY UPDATE: cron does not check the return code of setgid() and
>     initgroups(), which under certain circumstances could cause applications
>     to run with elevated group privileges. Note that the more serious issue
>     of not checking the return code of setuid() was fixed in 3.0pl1-64.
>     (LP: #46649)
>     - do_command.c: check return code of setgid() and initgroups()
>     - CVE-2006-2607
> 
> We thought you might be interested in doing the same.

thanks for submitting this report.  this is very helpful and a great
step toward better collaboration on security issues!

mike




Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@debian.org>:
Bug#528434; Package cron. (Tue, 13 Apr 2010 21:27:09 GMT)


Acknowledgement sent to Javier Fernandez-Sanguino <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernandez-Sanguino Pen~a <jfs@debian.org>. (Tue, 13 Apr 2010 21:27:10 GMT)


Message #25 received at 528434@bugs.debian.org:

From: Javier Fernandez-Sanguino <jfs@computer.org>
To: Jamie Strandboge <jamie@ubuntu.com>, 528434@bugs.debian.org
Subject: Review of the cron security patches - improved in 3.0pl1-109
Date: Tue, 13 Apr 2010 23:23:28 +0200
Hi,

Regarding this bug in Vixie Cron, Christian Kastner pointed me to an
additional place where the call to initgroups was unchecked. I've
committed a fix in the latest cron package version (3.0pl1-109). You
might want to review this fix too to include it in Ubuntu.

The patch is available at
http://svn.debian.org/wsvn/pkg-cron/trunk/popen.c?op=diff&rev=0&sc=0

Regards

Javier




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:37:10 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:41:25 2019; Machine Name: beach