This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 154920 - CAN-2005-1038 vixie-cron information leak
CAN-2005-1038 vixie-cron information leak
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: vixie-cron (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jason Vas Dias
Brock Organ
impact=moderate,public=20050406,sourc...
: Security
Depends On:
Blocks: 156322
  Show dependency treegraph
 
Reported: 2005-04-14 16:35 EDT by Josh Bressers
Modified: 2007-11-30 17:07 EST (History)
0 users

See Also:
Fixed In Version: RHSA-2005-361
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-10-05 08:34:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2005-04-14 16:35:46 EDT
crontab in Vixie cron 4.1, when running with the -e option, allows local users
to read the cron files of other users by changing the file being edited to a
symlink.  NOTE: there is insufficient information to know whether this is a
duplicate of CVE-2001-0235.

http://www.securityfocus.com/archive/1/395093
Comment 1 Josh Bressers 2005-04-14 16:36:40 EDT
This issue should also affect RHEL2.1 and RHEL3
Comment 2 Jason Vas Dias 2005-04-14 20:43:03 EDT
Actually, in RHEL-3, vixie-cron-3.0.1-76 would not have this problem,
becuase it used fstat(fd,&st) on the same original file descriptor
for the file that was unlinked by the attack; since the modification
time had not changed, it would print
  'crontab: no changes made to crontab'
and would not install the link as the new crontab.

Because this version crontab did not re-open the file descriptor for
the crontab temporary file name, it cannot be used with graphical 
EDITORs such as gedit / kedit, which do an unlink() and rename()
when writing the file - this was fixed for bug 129170, which may
have unwittingly opened the way for this exploit.

This bug is now fixed with vixie-cron-4.1-33_EL4 (RHSA-2005:351-06) .


Comment 3 Jason Vas Dias 2005-04-14 21:54:39 EDT
This bug is now fixed in RHEL-3 with vixie-cron-4.1-6_EL3 .
Comment 4 Josh Bressers 2005-04-21 17:04:55 EDT
Re: comment #2

That should read this issue doesn't affect RHEL-2
Comment 5 Jason Vas Dias 2005-04-21 19:05:40 EDT
RHEL-4: fixed with vixie-cron-4.1-33_EL4+ (errata RHSA-2005:351-06)
RHEL-3: fixed with vixie-cron-4.1-6_EL3   (errata RHSA-2004:402-22)
Comment 6 Mark J. Cox (Product Security) 2005-06-29 03:34:10 EDT
Split bug 162022 for RHEL3
Comment 7 Josh Bressers 2005-07-08 17:24:28 EDT
Our current fix for this issue is not complete.  A race condition still exists
between the time we lstat the file in question, and when we open the file.
Comment 15 Red Hat Bugzilla 2005-10-05 08:34:16 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-361.html

Note You need to log in before you can comment on or make changes to this bug.