[Secure-testing-team] Bug#572587: CVE-2010-0792: Information disclosure

Moritz Muehlenhoff jmm at debian.org
Thu Mar 4 22:54:46 UTC 2010


Package: fcron
Severity: important
Tags: security

The following was posted to full-disclosure. Since Debian's fcron
package seems to use a fcron system group (correct me if I'm
wrong) we don't need to fix this in a DSA. Feel free to update 
this in a point release, though.

Cheers,
        Moritz

============================================
 fcrontab Information Disclosure Vulnerability
 March 3, 2010
 CVE-2010-0792
============================================

==Description==

fcrontab, part of the fcron scheduler, is vulnerable to several race
conditions that allow a local attacker to use symbolic links to read
unauthorized files.  On systems where fcrontab is installed with its
own "fcron" group, this allows an attacker to read other non-root
users' crontabs and fcron configuration files.  On systems where
fcrontab is installed suid root, this allows an attacker to read arbitrary
files.

==Solution==

The developer has released a new version, 3.0.5, to address these
vulnerabilities.  It is available for download on the developer's
website, http://fcron.free.fr.  Users are advised to recompile from
source or download updated packages from downstream distributors
when they become available.

==Credits==

This vulnerability was discovered by Dan Rosenberg
(dan.j.rosenberg at gmail.com).
Thanks to Thibault Godouet for his prompt response and new release.

==References==

CVE identifier CVE-2010-0792 has been assigned to this issue.
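The advisory above turns on a classic pattern: a setuid/setgid helper opens a file by path on a user's behalf, and a symlink swapped in between the permission check and the open redirects the read. As an added example (not fcron code and not part of the advisory), the C program below shows the race-free way to do that open: resolve the entry relative to an already-opened trusted spool directory with openat(), refuse symlinks at the final component with O_NOFOLLOW, and verify type and ownership with fstat() on the descriptor that will actually be read. All names here (open_spool_entry, the "alice" and "bob" entries, the temporary spool directory) are constructed for the demonstration.

```c
/* Added example, not fcron code: opening a per-user spool file from a
 * privileged helper without following symlinks and without a
 * check-then-use window.  Build: cc -std=c11 -Wall safe_spool_open.c */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Validate an already-open descriptor: it must be a regular file owned by
 * 'owner'.  Inspecting the descriptor (not the path) means a swap of the
 * path after the open cannot change what is being read. */
static int fd_is_owned_regular(int fd, uid_t owner) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == owner;
}

/* Open entry 'name' inside the trusted spool directory 'dirfd' for reading.
 * 'name' must be a single path component, so the only thing that can be a
 * symlink is the final entry, which O_NOFOLLOW refuses (ELOOP).  O_NONBLOCK
 * stops the open from hanging on a planted FIFO; the S_ISREG check then
 * rejects it.  Returns a descriptor, or -1 with errno set. */
int open_spool_entry(int dirfd, const char *name, uid_t owner) {
    if (name[0] == '\0' || strchr(name, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    if (!fd_is_owned_regular(fd, owner)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-test on constructed files in a fresh temporary spool directory.
 * Returns 0 when every check behaves as described, otherwise the number
 * of the step that failed. */
int demo_spool_checks(void) {
    char dir[] = "/tmp/spool-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return 1;
    int rc = 0, dirfd = -1, fd = -1;
    char target[256];
    snprintf(target, sizeof target, "%s/alice", dir);

    dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) { rc = 2; goto out; }

    /* Constructed legitimate crontab, owned by the current user. */
    fd = openat(dirfd, "alice", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "* * * * * true\n", 15) != 15) { rc = 3; goto out; }
    close(fd); fd = -1;

    /* Constructed planted entry: a symlink under another name that points
     * at a file the caller must not be handed. */
    if (symlinkat(target, dirfd, "bob") != 0) { rc = 4; goto out; }

    /* Step 5: the genuine, correctly owned file opens. */
    fd = open_spool_entry(dirfd, "alice", getuid());
    if (fd < 0) { rc = 5; goto out; }
    close(fd); fd = -1;

    /* Step 6: the symlink is refused at open time with ELOOP. */
    fd = open_spool_entry(dirfd, "bob", getuid());
    if (fd != -1 || errno != ELOOP) { rc = 6; goto out; }

    /* Step 7: a file owned by someone other than the requesting user is refused. */
    fd = open_spool_entry(dirfd, "alice", getuid() + 1);
    if (fd != -1 || errno != EPERM) { rc = 7; goto out; }

    /* Step 8: a name that tries to leave the spool directory is refused. */
    fd = open_spool_entry(dirfd, "../etc/passwd", getuid());
    if (fd != -1 || errno != EINVAL) { rc = 8; goto out; }

out:
    if (fd >= 0) close(fd);
    if (dirfd >= 0) {
        unlinkat(dirfd, "bob", 0);
        unlinkat(dirfd, "alice", 0);
        close(dirfd);
    }
    rmdir(dir);
    return rc;
}

int main(void) {
    int rc = demo_spool_checks();
    printf("%s (rc=%d)\n", rc == 0 ? "all checks passed" : "check failed", rc);
    return rc;
}
```

The important design point is that nothing about the decision depends on a stat() of the path: the descriptor returned by openat() is the one checked and the one the caller reads, so there is no interval in which a symlink can be substituted. Restricting the name to a single component also keeps the trust boundary at the spool directory itself, which a privileged helper should have opened once and kept.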


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages fcron depends on:
ii  adduser                       3.112      add and remove users and groups
ii  debconf [debconf-2.0]         1.5.28     Debian configuration management sy
ii  dpkg                          1.15.5.6   Debian package management system
ii  exim4-daemon-light [mail-tran 4.71-3     lightweight Exim MTA (v4) daemon
ii  libc6                         2.10.2-5   Embedded GNU C Library: Shared lib
ii  libpam-runtime                1.1.1-2    Runtime support for the PAM librar
ii  libpam0g                      1.1.1-2    Pluggable Authentication Modules l
ii  libselinux1                   2.0.89-4   SELinux runtime shared libraries

Versions of packages fcron recommends:
ii  sysklogd [system-log-daemon]  1.5-5      System Logging Daemon

fcron suggests no packages.