Bug 893661 (CVE-2012-6097)

Summary:	CVE-2012-6097 cronie: fd leak in 1.4.8
Product:	[Other] Security Response	Reporter:	Vincent Danen <vdanen>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED NOTABUG	QA Contact:
Severity:	low	Docs Contact:
Priority:	low
Version:	unspecified	CC:	mmaslano, pertusus, tmraz
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	cronie 1.4.9	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-01-09 17:06:10 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Vincent Danen 2013-01-09 15:58:17 UTC

It was reported [1],[2] that cronie would leak certain fd's.  On systems where /etc/crontab is not world-readable this could be an information disclosure concern.

This was introduced upstream in cronie 1.4.8 [3] and fixed in 1.4.9 [4], so the only version of cronie that is affected by this issue is 1.4.8.  It was also patched in Fedora via cronie-1.4.8-2.fc15 (see [2] for those details).

[1] https://bugzilla.novell.com/show_bug.cgi?id=786096
[2] https://bugzilla.redhat.com/show_bug.cgi?id=717505
[3] http://git.fedorahosted.org/cgit/cronie.git/commit/src/cron.c?id=acdf4ae8456888ed78201906ef528f4c28f54582
[4] http://git.fedorahosted.org/cgit/cronie.git/commit/src/cron.c?id=b19007ca9fddd62ecef3af4a7d2d252f1d5e0419


Statement:

Not vulnerable. This issue did not affect the versions of cronie as shipped with Red Hat Enterprise Linux 6.