Bug 154920

Summary: CAN-2005-1038 vixie-cron information leak
Product: Red Hat Enterprise Linux 4 Reporter: Josh Bressers <bressers>
Component: vixie-cronAssignee: Jason Vas Dias <jvdias>
Status: CLOSED ERRATA QA Contact: Brock Organ <borgan>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20050406,source=cve,reported=20050410
Fixed In Version: RHSA-2005-361 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-10-05 12:34:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 156322    

Description Josh Bressers 2005-04-14 20:35:46 UTC 
crontab in Vixie cron 4.1, when running with the -e option, allows local users
to read the cron files of other users by changing the file being edited to a
symlink.  NOTE: there is insufficient information to know whether this is a
duplicate of CVE-2001-0235.

http://www.securityfocus.com/archive/1/395093
Comment 1 Josh Bressers 2005-04-14 20:36:40 UTC 
This issue should also affect RHEL2.1 and RHEL3
Comment 2 Jason Vas Dias 2005-04-15 00:43:03 UTC 
Actually, in RHEL-3, vixie-cron-3.0.1-76 would not have this problem,
becuase it used fstat(fd,&st) on the same original file descriptor
for the file that was unlinked by the attack; since the modification
time had not changed, it would print
  'crontab: no changes made to crontab'
and would not install the link as the new crontab.

Because this version crontab did not re-open the file descriptor for
the crontab temporary file name, it cannot be used with graphical 
EDITORs such as gedit / kedit, which do an unlink() and rename()
when writing the file - this was fixed for bug 129170, which may
have unwittingly opened the way for this exploit.

This bug is now fixed with vixie-cron-4.1-33_EL4 (RHSA-2005:351-06) .
Comment 3 Jason Vas Dias 2005-04-15 01:54:39 UTC 
This bug is now fixed in RHEL-3 with vixie-cron-4.1-6_EL3 .
Comment 4 Josh Bressers 2005-04-21 21:04:55 UTC 
Re: comment #2

That should read this issue doesn't affect RHEL-2
Comment 5 Jason Vas Dias 2005-04-21 23:05:40 UTC 
RHEL-4: fixed with vixie-cron-4.1-33_EL4+ (errata RHSA-2005:351-06)
RHEL-3: fixed with vixie-cron-4.1-6_EL3   (errata RHSA-2004:402-22)
Comment 6 Mark J. Cox 2005-06-29 07:34:10 UTC 
Split bug 162022 for RHEL3
Comment 7 Josh Bressers 2005-07-08 21:24:28 UTC 
Our current fix for this issue is not complete.  A race condition still exists
between the time we lstat the file in question, and when we open the file.
Comment 15 Red Hat Bugzilla 2005-10-05 12:34:16 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-361.html