[Secure-testing-team] CVE-2010-0424: cron timestamp bug - not affected?

Michael Gilbert michael.s.gilbert at gmail.com
Wed Mar 17 15:04:21 UTC 2010


On Wed, 17 Mar 2010 12:43:26 +0100, Javier Fernandez-Sanguino wrote:
> I've recently noticed CVE-2010-0424 [1] listed in the cron list of
> "possible security bugs". Yesterday I did a fast review of the bug
> information (not that much available) and the fix introduced by the
> Fedora guys (from cronie 1.4.3 to cronie 1.4.4) which is available at
> [2].
> 
> From what I can tell from the diff and comparing it to the crontab.c
> code [3] in our own cron fork (based on the 3.0 codebase, not the 4.1)
> I'm inclined to think that the CVE reference is not correct and our
> cron package is NOT affected.
> 
> The problem seems to be related to the fact that in version 4.1, after
> copying the crontab to the temporary file, the utime is modified and
> set to 0 (as root). However, in version 3, the utime is not modified
> but, rather, the utime of the temporary file is obtained when the
> temporary file with the crontab is generated and then compared with
> the utime of the crontab temporary file *after* being edited to
> determine if something has changed.
> 
> Consequently, there is no operation there (no call to utime()) which
> could be abused before cron drops its privileges to call the editor.
> 
> I would say that Debian is not affected by this issue, although I
> would appreciate it if somebody could review the code and ratify that
> this is correct.

i had checked this when it was first disclosed and came to the same
conclusions.  i marked it as an NFU, but it was later reopened and
reassigned to cron, so i probably should have used not-affected to
begin with. that's what i've done now.

mike
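
The version 3 behaviour described in the quoted message (read the temporary file's modification time once the copy is written, read it again after the editor returns, compare the two, never write a timestamp), as an added example that is not part of either message and is not cron's own code. The names `editor_fn`, `edit_session`, `editor_noop` and `editor_append`, the `/tmp` template and the sample crontab lines are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for the user's editor: receives the temp file's fd. */
typedef int (*editor_fn)(int fd);

/* Constructed editors for the demo: one leaves the file alone, one edits it. */
static int editor_noop(int fd) { (void)fd; return 0; }
static int editor_append(int fd) {
    const char line[] = "0 3 * * * /usr/local/bin/backup\n"; /* constructed */
    sleep(2); /* a real edit takes time; st_mtime is compared in whole seconds */
    return write(fd, line, sizeof line - 1) < 0 ? -1 : 0;
}

/* Returns 1 if the editor changed the file, 0 if it did not, -1 on error.
 * The timestamp is only ever read, via fstat() on the descriptor this
 * function opened; nothing here calls utime() or resolves a path again. */
static int edit_session(const char *crontab, editor_fn editor) {
    char path[] = "/tmp/crontab.XXXXXX";
    struct stat before, after;
    size_t len = strlen(crontab);
    int rc = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, crontab, len) == (ssize_t)len &&
        fstat(fd, &before) == 0 && /* baseline mtime of the fresh copy */
        editor(fd) == 0 &&         /* the editor step itself runs unprivileged */
        fstat(fd, &after) == 0)    /* mtime after the edit */
        rc = (after.st_mtime != before.st_mtime);
    close(fd);
    unlink(path);
    return rc;
}

int main(void) {
    const char *tab = "*/5 * * * * /usr/bin/true\n"; /* constructed sample */
    printf("no-op editor:  changed=%d\n", edit_session(tab, editor_noop));
    printf("append editor: changed=%d\n", edit_session(tab, editor_append));
    return 0;
}
```
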


