Debian Security Advisory

cron -- local privilege escalation

Date Reported:
18 Nov 2000
Affected Packages:
cron
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2000-1096.
More information:
The version of Vixie Cron shipped with Debian GNU/Linux 2.2 is vulnerable to a local attack, discovered by Michal Zalewski. Several problems, including insecure permissions on temporary files and race conditions in their deletion, allowed attacks from a denial of service (preventing the editing of crontabs) to an escalation of privilege (when another user edited their crontab).

As a temporary fix, "chmod go-rx /var/spool/cron/crontabs" prevents the only available exploit; however, it does not address the problem. We recommend upgrading to version 3.0pl1-57.1, for Debian 2.2, or 3.0pl1-61, for Debian unstable.

Also, in the new cron packages, it is no longer possible to specify special files (devices, named pipes, etc.) by name to crontab. Note that this is not so much a security fix as a sanity check.

Note: Debian GNU/Linux 2.1 is vulnerable to this attack. We recommend upgrading to Debian GNU/Linux 2.2 (potato).

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/dists/potato/updates/main/source/cron_3.0pl1-57.1.diff.gz
http://security.debian.org/dists/potato/updates/main/source/cron_3.0pl1-57.1.dsc
http://security.debian.org/dists/potato/updates/main/source/cron_3.0pl1.orig.tar.gz
alpha:
http://security.debian.org/dists/potato/updates/main/binary-alpha/cron_3.0pl1-57.1_alpha.deb
arm:
http://security.debian.org/dists/potato/updates/main/binary-arm/cron_3.0pl1-57.1_arm.deb
i386:
http://security.debian.org/dists/potato/updates/main/binary-i386/cron_3.0pl1-57.1_i386.deb
m68k:
http://security.debian.org/dists/potato/updates/main/binary-m68k/cron_3.0pl1-57.1_m68k.deb
powerpc:
http://security.debian.org/dists/potato/updates/main/binary-powerpc/cron_3.0pl1-57.1_powerpc.deb
sparc:
http://security.debian.org/dists/potato/updates/main/binary-sparc/cron_3.0pl1-57.1_sparc.deb