Red Hat Bugzilla – Bug 235880
CVE-2007-1856 crontab denial of service
Last modified: 2007-11-30 17:07:43 EST
Raphael Marichez of Gentoo reported a denial of service flaw in vixie-cron.
By creating a hardlink to /etc/crontab, cron will stop executing the
/etc/crontab file and deposit an error message in /var/log/cron.
This can be easily tested by running:

    ln /etc/crontab /tmp/crontab
    tail -f /var/log/cron

Here is the patch from Open Wall Linux:
This flaw also affects RHEL 3 and 4.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
vixie-cron-4.1-68 was built to solve this issue.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
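
A check for the condition described in the original report (an extra hard link to /etc/crontab), as an added example that is not part of the bug report or of the vixie-cron package. The function name `crontab_link_audit` and the `LINKED` output format are hypothetical; only the /etc/crontab path comes from the report.

```shell
#!/bin/sh
# Added example: report crontab files that have more than one hard link,
# which is the state produced by the "ln /etc/crontab /tmp/crontab" test
# in the report. Run it on hosts that have not yet received the erratum.

# crontab_link_audit PATH...
#   PATH may be a file or a directory (directories are searched recursively).
#   Prints "LINKED <path>" for each regular file with a link count above 1.
#   Returns 0 when nothing is found, 1 when at least one file is reported.
crontab_link_audit() {
    status=0
    for target in "$@"; do
        # Skip paths that do not exist on this host.
        [ -e "$target" ] || continue
        # -links +1 selects files whose hard-link count is greater than one.
        hits=$(find "$target" -type f -links +1 -print 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r f; do
                printf 'LINKED %s\n' "$f"
            done
            status=1
        fi
    done
    return "$status"
}

# Audit whatever paths are given on the command line, for example:
#   sh crontab_link_audit.sh /etc/crontab
if [ "$#" -gt 0 ]; then
    crontab_link_audit "$@"
fi
```

A non-zero exit status makes the script usable from a monitoring job; removing the extra link returns the file to a link count of 1.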