Red Hat Bugzilla – Bug 27217
crontab buffer overflows on names over 20 chars
Last modified: 2007-04-18 12:31:26 EDT
Just like the recent post to Bugtraq regarding vixie-cron and RH 7.0.
crontab does getpwuid() but then stores the name in a 20-byte buffer w/o
checking its length. Since crontab is suid root, this could be fun....
rpm -qf `which crontab`
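The unchecked copy described in the report, next to a length-checked version. This is an added example, not vixie-cron's source and not the fix shipped in -61; `MAX_UNAME`, `copy_name_unchecked` and `copy_name_checked` are hypothetical names.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_UNAME 20   /* buffer size from the report; macro name is assumed */

/* Pattern from the report: pw_name copied with no length check.
 * Shown for comparison only; main() below never calls it. */
void copy_name_unchecked(char dst[MAX_UNAME], const struct passwd *pw)
{
    strcpy(dst, pw->pw_name);          /* writes past dst if name >= 20 chars */
}

/* Hardened form: reject a name that does not fit rather than truncate it,
 * since a truncated name could match a different account.
 * Returns 0 on success, -1 with errno set on failure. */
int copy_name_checked(char *dst, size_t dstlen, const struct passwd *pw)
{
    size_t n;

    if (dst == NULL || dstlen == 0 || pw == NULL || pw->pw_name == NULL) {
        errno = EINVAL;
        return -1;
    }
    n = strlen(pw->pw_name);
    if (n >= dstlen) {                 /* no room for the name plus its NUL */
        dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, pw->pw_name, n + 1);   /* length verified above */
    return 0;
}

int main(void)
{
    char name[MAX_UNAME];
    struct passwd *pw = getpwuid(getuid());

    if (pw == NULL || copy_name_checked(name, sizeof name, pw) != 0) {
        fprintf(stderr, "cannot use login name: %s\n",
                pw ? strerror(errno) : "no passwd entry");
        return 1;
    }
    printf("running as %s\n", name);
    return 0;
}
```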
*** Bug 27216 has been marked as a duplicate of this bug. ***
Fixed in -61.
This defect is considered MUST-FIX for Florence Release-Candidate #1
Does this bug also affect RH 6.x?
Sort of. It overflows the buffer, but manages not to crash.
Hm, but I guess there will be a security errata release for all releases?
I'm not sure there's a need to. Sure, buffer overflows, esp. in suid programs,
are never good, but how could you exploit this particular one?
I don't know, but better safe than sorry. IMNSHO.