Re: Vulnerability in vixie cron?



Oliver Fromme <olli@xxxxxxxxxxxxxxxxx> writes:

> Recently there have been advisories and patches for
> SuSE and RedHat (and probably a few others) regarding
> a vulnerability in Vixie Cron. The details say that
> there's insufficient checking of the return value of
> setuid, which can lead to privilege escalation and
> lets users run cron jobs with root privileges.
>
> As far as I know, FreeBSD also uses Vixie Cron (at least
> the cron(8) manpage says so). However, I haven't seen
> any FreeBSD advisory regarding this, so I wonder if
> FreeBSD's cron isn't affected for some reason?
>
> Any information would be appreciated.

It looks to me like this wasn't exploitable in a default configuration
anyway, but it was fixed on 1 June in HEAD and on 1 July in RELENG_6.

http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/cron/cron/do_command.c
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
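An added example of the bug class the thread discusses, written for this page and not taken from Vixie cron or from FreeBSD's do_command.c: a privilege drop that ignores the results of setgid()/setuid() beside one that checks them, plus a launcher that only spawns the job when the drop really succeeded. The uid/gid 65534, the function-pointer hooks and the fake setuid() that fails with EAGAIN are assumptions for demonstration; real code passes the libc setgid/setuid.

```c
/*
 * Added example, not cron's own code. The drop routines take the
 * setgid/setuid functions as parameters so that the failure path can be
 * exercised without root; in production you pass libc's setgid and setuid.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*setgid_fn)(gid_t);
typedef int (*setuid_fn)(uid_t);

/* Vulnerable pattern: return values ignored, success reported regardless.
 * If setuid() fails the process is still root when the job runs. */
int drop_privs_unchecked(uid_t uid, gid_t gid, setgid_fn sg, setuid_fn su)
{
    sg(gid);
    su(uid);
    return 0;
}

/* Fixed pattern: every step is checked; any failure aborts the drop.
 * Group first: once the uid is unprivileged, setgid() would be refused. */
int drop_privs_checked(uid_t uid, gid_t gid, setgid_fn sg, setuid_fn su)
{
    if (sg(gid) != 0)
        return -1;
    if (su(uid) != 0)
        return -1;
    return 0;
}

/* Simulated job launcher: returns 1 if the job would be spawned,
 * 0 if it is refused because the credentials could not be changed. */
int launch_job(int (*drop)(uid_t, gid_t, setgid_fn, setuid_fn),
               uid_t uid, gid_t gid, setgid_fn sg, setuid_fn su)
{
    if (drop(uid, gid, sg, su) != 0) {
        fprintf(stderr, "refusing to run job as root: %s\n", strerror(errno));
        return 0;
    }
    return 1;
}

/* Test doubles (assumed, for demonstration): setgid() succeeds, setuid()
 * fails with EAGAIN, the errno Linux setuid(2) documents when the target
 * uid has reached its RLIMIT_NPROC process limit. */
static int fake_setgid_ok(gid_t g) { (void)g; return 0; }
static int fake_setuid_eagain(uid_t u) { (void)u; errno = EAGAIN; return -1; }

int main(void)
{
    /* Both patterns against a setuid() that fails: only the unchecked
     * one goes ahead and would run the job with root credentials. */
    printf("unchecked: job launched = %d\n",
           launch_job(drop_privs_unchecked, 65534, 65534,
                      fake_setgid_ok, fake_setuid_eagain));
    printf("checked:   job launched = %d\n",
           launch_job(drop_privs_checked, 65534, 65534,
                      fake_setgid_ok, fake_setuid_eagain));

    /* Real libc calls: changing to our own ids is always permitted, so
     * this succeeds whether or not the example is run as root. */
    printf("checked with libc, own ids: %d\n",
           drop_privs_checked(getuid(), getgid(), setgid, setuid));
    return 0;
}
```

A complete daemon would also clear supplementary groups (setgroups/initgroups) before setgid(), and after a successful drop it is common to verify the result, for example by confirming that setuid(0) now fails; the point here is only that a setuid() or setgid() call whose result is discarded turns a resource-limit condition into the job running as root.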