Re: Vulnerability in vixie cron?
- From: Lowell Gilbert <freebsd-security-local@xxxxxxxxxxxxxxx>
- Date: Tue, 18 Jul 2006 08:23:09 -0400
Oliver Fromme <olli@xxxxxxxxxxxxxxxxx> writes:
> Recently there have been advisories and patches for
> SuSE and RedHat (and probably a few others) regarding
> a vulnerability in Vixie Cron. The details say that
> there's insufficient checking of the return value of
> setuid, which can lead to privilege escalation and
> lets users run cron jobs with root privileges.
>
> As far as I know, FreeBSD also uses Vixie Cron (at least
> the cron(8) manpage says so). However, I haven't seen
> any FreeBSD advisory regarding this, so I wonder if
> FreeBSD's cron isn't affected for some reason?
>
> Any information would be appreciated.

It looks to me like this wasn't exploitable in a default configuration
anyway, but it was fixed on 1 June in HEAD and on 1 July in RELENG_6.
http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/cron/cron/do_command.c
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
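
The unchecked `setuid` return value described in the quoted summary above, shown next to a fail-closed version. This is an added C example, not the FreeBSD or Vixie Cron source; the `setuid_fn` hook and the two stub functions are hypothetical, introduced so the failure paths run without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical hook: lets the failure path run without root or real limits. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stub: fails the way setuid(2) can on Linux, with EAGAIN. */
int failing_setuid(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

/* Constructed stub: claims success but leaves the process IDs unchanged. */
int noop_setuid(uid_t uid) { (void)uid; return 0; }

/* Flawed pattern: the result is discarded, so the caller is always told the
 * drop worked and goes on to run the job with whatever IDs it still has. */
int drop_unchecked(uid_t uid, setuid_fn do_setuid)
{
    do_setuid(uid);
    return 0;
}

/* Hardened pattern: fail closed on error, then confirm the IDs changed. */
int drop_checked(uid_t uid, setuid_fn do_setuid)
{
    if (do_setuid(uid) != 0)
        return -1;                      /* caller must not run the job */
    if (getuid() != uid || geteuid() != uid)
        return -1;                      /* still running as someone else */
    return 0;
}

int main(void)
{
    uid_t me = getuid();
    printf("unchecked, setuid fails: %d\n", drop_unchecked(me, failing_setuid));
    printf("checked,   setuid fails: %d\n", drop_checked(me, failing_setuid));
    printf("checked,   real setuid : %d\n", drop_checked(me, setuid));
    return 0;
}
```

A daemon that drops privileges before running a job also needs the same check on its group-ID calls; only the `setuid` step is shown here.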