Bug 1687688 (CVE-2019-9704) - CVE-2019-9704 vixie-cron: calloc return value resulting in remote dos
Summary: CVE-2019-9704 vixie-cron: calloc return value resulting in remote dos
Keywords:
Status: NEW
Alias: CVE-2019-9704
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1699088 1699089
Blocks: 1696266
TreeView+ depends on / blocked
 
Reported: 2019-03-12 07:20 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:08 UTC (History)
2 users (show)

Fixed In Version: cron 3.0pl1-133, cronie 1.5.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-03-12 07:20:54 UTC
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked.

Upstream commit:
https://salsa.debian.org/debian/cron/commit/f2525567

Comment 1 Tomas Mraz 2019-03-15 13:54:33 UTC
In cronie handled in cronie-1.5.3 release.

Comment 3 Scott Gayou 2019-04-10 18:53:57 UTC
Also fixed upstream in cronie here:
https://github.com/cronie-crond/cronie/commit/a6576769f01325303b11edc3e0cfb05ef382ce56

Comment 5 Scott Gayou 2019-04-17 18:15:56 UTC
Upstream Cronie fix is in release 1.5.3.


Note You need to log in before you can comment on or make changes to this bug.