Bug 566498

Summary: CVE-2010-0424 vixie-cron, cronie: Race condition by setting timestamp of user's crontab file, when editing the file [Fedora all]
Product: [Fedora] Fedora Reporter: Jan Lieskovsky <jlieskov>
Component: cronieAssignee: Marcela Mašláňová <mmaslano>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: mmaslano, pertusus, tmraz, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://fedoraproject.org/wiki/Security/TrackingBugs
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-08 02:11:51 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 565809    

Description Jan Lieskovsky 2010-02-18 11:18:32 EST 
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.

For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in "Blocks" field.

bug #565809:
CVE-2010-0424 vixie-cron, cronie: Race condition by setting timestamp of user's crontab file, when editing the file

When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product. Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=565809

Please note: this issue affects multiple supported versions of Fedora.  Only one tracking bug has been filed; please only close it when all affected versions are fixed.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
Comment 1 Fedora Update System 2010-02-19 02:04:32 EST 
cronie-1.4.3-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/cronie-1.4.3-4.fc12
Comment 2 Fedora Update System 2010-02-19 02:18:02 EST 
cronie-1.4.3-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/cronie-1.4.3-4.fc12
Comment 3 Fedora Update System 2010-02-19 03:47:43 EST 
cronie-1.4.4-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/cronie-1.4.4-1.fc13
Comment 4 Fedora Update System 2010-02-19 03:55:57 EST 
cronie-1.4.4-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/cronie-1.4.4-1.fc13
Comment 5 Fedora Update System 2010-02-24 01:12:33 EST 
cronie-1.4.3-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2010-03-04 22:33:07 EST 
cronie-1.4.4-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Vincent Danen 2010-03-08 13:21:47 EST 
Fedora 11 is still supported.  Why is this closed when no update for F11 was released?
Comment 8 Marcela Mašláňová 2010-03-09 02:09:04 EST 
It has a low security impact, but if it's needed I can backport it also into F-11.
Comment 9 Vincent Danen 2010-03-09 10:18:14 EST 
I wasn't aware that we didn't do updates for the oldest supported release if the issue was low impact.  Is that a policy or guideline set somewhere?  If it is, then don't worry about it, but it if isn't then we should probably do it.  We've often done low impact updates for the oldest supported release.

Thanks for any clarification you can provide.
Comment 10 Marcela Mašláňová 2010-03-09 11:09:19 EST 
If you put it this way. I'll backport it.
Comment 11 Fedora Update System 2010-03-09 11:25:38 EST 
cronie-1.3-4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/cronie-1.3-4.fc11
Comment 12 Vincent Danen 2010-03-09 11:31:01 EST 
Thank you, Marcela.  I'll have to hunt on the Fedora wiki to see if there are any policies regarding what gets pushed and where.  Maybe it's worth discussing whether low impact issues should be done for the N-1 release.  Regardless, thank you for this.
Comment 13 Fedora Update System 2010-03-15 20:42:33 EDT 
cronie-1.3-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.