Control: clone 992748 -1
Control: retitle -1 systemd-cron: CVE-2017-9525: group crontab to root escalation via postinst
Control: severity -1 important
Control: found -1 1.5.16-1
Control: found -1 1.5.14-2
Control: tags 992748 - security

Hi Chris,

On Sun, Sep 05, 2021 at 02:49:40PM +0200, Chris Hofstaedtler wrote:
> Control: tags -1 + security
> 
> * Alexandre Detiste <alexandre.deti...@gmail.com> [210905 12:47]:
> > Le lun. 23 août 2021 à 04:57, Martin-Éric Racine
> > <martin-eric.rac...@iki.fi> a écrit :
> > > Setting up systemd-cron (1.5.17-1) ...
> > > xargs: warning: options --max-args and --replace/-I/-i are mutually 
> > > exclusive, ignoring previous --max-args value
> > > Thanks.
> > 
> > This was copy-pasted from src:cron, which must have the same bug now.
> 
> src:cron removed the offending code as part of a security fix in
> 2018:
> 
> https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af
> 
> This would suggest CVE-2017-9525 also affects src:systemd-cron.

Looks right and confirmed in a quick test. If the attacker has gained
crontab group then further escalation is possible.

Though technically those two bugs will be resolved at the same step, I
thought it would be good to separate the escalation issue and the error in
postinst (but, as said, they will basically be fixed together).

Once fixed in unstable, can you please fix the issue as well via
upcoming point releases for bullseye and buster? Similarly as for the
src:cron case a DSA is not warranted.

Regards,
Salvatore
