GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Mon Apr 16, 2007 7:26 pm Post subject: [ GLSA 200704-11 ] Vixie Cron: Denial of Service |
|
|
Gentoo Linux Security Advisory
Title: Vixie Cron: Denial of Service (GLSA 200704-11)
Severity: low
Exploitable: local
Date: April 16, 2007
Bug(s): #164466
ID: 200704-11
Synopsis
The Gentoo implementation of Vixie Cron is vulnerable to a local Denial of Service.
Background
Vixie Cron is a command scheduler with extended syntax over cron.
Affected Packages
Package: sys-process/vixie-cron
Vulnerable: < 4.1-r10
Unaffected: >= 4.1-r10
Architectures: All supported architectures
Description
During an internal audit, Raphael Marichez of the Gentoo Linux Security Team found that Vixie Cron has weak permissions set on Gentoo, allowing for a local user to create hard links to system and users cron files, while a st_nlink check in database.c will generate a superfluous error.
Impact
Depending on the partitioning scheme and the "cron" group membership, a malicious local user can create hard links to system or users cron files that will trigger the st_link safety check and prevent the targeted cron file from being run from the next restart or database reload.
Workaround
There is no known workaround at this time.
Resolution
All Vixie Cron users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=sys-process/vixie-cron-4.1-r10" |
References
CVE-2007-1856 |
|