Joined: 13 Jun 2003
Location: Barcelona, Spain
|Posted: Thu Nov 18, 2004 10:11 pm Post subject: [ GLSA 200411-27 ] Fcron: Multiple vulnerabilities
|Gentoo Linux Security Advisory
Title: Fcron: Multiple vulnerabilities (GLSA 200411-27)
Date: November 18, 2004
Multiple vulnerabilities in Fcron can allow a local user to potentially cause a Denial of Service.
Fcron is a command scheduler with extended capabilities over cron and anacron.
Vulnerable: <= 2.9.5
Unaffected: >= 2.0.2 < 2.0.3
Unaffected: >= 18.104.22.168
Architectures: All supported architectures
Due to design errors in the fcronsighup program, Fcron may allow a local user to bypass access restrictions (CAN-2004-1031), view the contents of root owned files (CAN-2004-1030), remove arbitrary files or create empty files (CAN-2004-1032), and send a SIGHUP to any process. A vulnerability also exists in fcrontab which may allow local users to view the contents of fcron.allow and fcron.deny (CAN-2004-1033).
A local attacker could exploit these vulnerabilities to perform a Denial of Service on the system running Fcron.
Make sure the fcronsighup and fcrontab binaries are only executable by trusted users.
All Fcron users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-process/fcron-2.0.2"
Last edited by GLSA on Sat Aug 23, 2008 4:17 am; edited 3 times in total