Package: cron
Version: 3.0pl1-124
Severity: normal
Tags: security

Debian's crontab contains multiple symlink races. If crontab was setuid root (which I think it normally is), this could be used to e.g. wipe directories (vulnerable code is in cleanup_tmp_crontab) or for other attacks. However, as it is only setgid crontab on Debian, the only attack this can be used for is to block cron access for a user named "crontab" by invoking "crontab -e" and replacing the folder in /tmp with a symlink before crontab creates the file "crontab" inside the folder. The code vulnerable to this attack is in create_tmp_crontab.

So, the code is not really practically exploitable because the only special thing the crontab group is allowed to do is creating files in the cron spool directory, but theoretically, it's very vulnerable.

-- Package-specific info:
--- EDITOR:
--- /usr/bin/editor:
/bin/nano
--- /usr/bin/crontab:
-rwxr-sr-x 1 root crontab 35880 Jul 3 23:41 /usr/bin/crontab
--- /var/spool/cron:
drwxr-xr-x 5 root root 4096 Sep 15 15:57 /var/spool/cron
--- /var/spool/cron/crontabs:
drwx-wx--T 2 root crontab 4096 Oct 23 17:11 /var/spool/cron/crontabs
--- /etc/cron.d:
drwxr-xr-x 2 root root 4096 Oct 7 15:11 /etc/cron.d
--- /etc/cron.daily:
drwxr-xr-x 2 root root 4096 Oct 6 23:53 /etc/cron.daily
--- /etc/cron.hourly:
drwxr-xr-x 2 root root 4096 Sep 15 15:27 /etc/cron.hourly
--- /etc/cron.monthly:
drwxr-xr-x 2 root root 4096 Sep 16 15:50 /etc/cron.monthly
--- /etc/cron.weekly:
drwxr-xr-x 2 root root 4096 Sep 15 16:08 /etc/cron.weekly

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cron depends on:
ii adduser 3.113+nmu3
ii debianutils 4.3.2
ii dpkg 1.16.8
ii libc6 2.13-35
ii libpam-runtime 1.1.3-7.1
ii libpam0g 1.1.3-7.1
ii libselinux1 2.1.9-5
ii lsb-base 4.1+Debian7

Versions of packages cron recommends:
ii exim4 4.80-5
ii exim4-daemon-light [mail-transport-agent] 4.80-5

Versions of packages cron suggests:
ii anacron 2.3-19
pn checksecurity <none>
ii logrotate 3.8.1-4

Versions of packages cron is related to:
pn libnss-ldap <none>
pn libnss-ldapd <none>
pn libpam-ldap <none>
pn libpam-mount <none>
pn nis <none>
pn nscd <none>

-- no debconf information
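
The race described in the report (a folder in /tmp replaced by a symlink before the file "crontab" is created inside it) goes away when the directory is pinned with a file descriptor and the file is created and removed relative to that descriptor. This is an added example, not part of the original report and not cron's code; all function names are hypothetical.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not taken from cron: pin a directory by fd. Fails if
 * path is a symlink, not a directory, not ours, or open to group/other. */
int open_private_dir(const char *path)
{
    struct stat st;
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() || (st.st_mode & 077)) {
        close(dfd);
        errno = EPERM;
        return -1;
    }
    return dfd;
}

/* Create name inside the pinned directory. The path in /tmp is never
 * resolved again; O_EXCL|O_NOFOLLOW refuses an existing file or symlink. */
int create_in_dir(int dfd, const char *name)
{
    return openat(dfd, name,
                  O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* mkdtemp() makes a fresh 0700 directory; tmpl must end in "XXXXXX".
 * Returns the file fd and stores the directory fd, or -1 on failure. */
int create_tmp_file(char *tmpl, const char *name, int *dfd_out)
{
    int fd;
    if (mkdtemp(tmpl) == NULL || (*dfd_out = open_private_dir(tmpl)) < 0)
        return -1;
    if ((fd = create_in_dir(*dfd_out, name)) < 0)
        close(*dfd_out);
    return fd;
}

/* Cleanup by fd as well: unlinkat() cannot be redirected by a path swap. */
int remove_tmp_file(int dfd, const char *name)
{
    return unlinkat(dfd, name, 0);
}
```

The caller keeps the directory fd for the whole edit session and passes it to every later operation on the temporary file.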