On 2017-06-12 23:17, Christian Kastner wrote: > Please find attached a first draft of a (so far only rudimentally > tested) patch for this issue.
I attached an updated version in which I reverted a last-minute change breaking the name comparison.
diff --git a/debian/postinst b/debian/postinst
index ac97c9e..5f3f8c6 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -60,8 +60,32 @@ if [ -d $crondir/crontabs ] ; then
     # It has been disabled to suit cron alternative such as bcron.
     cd $crondir/crontabs
     set +e
-    ls -1 | xargs -r -n 1 --replace=xxx chown 'xxx:crontab' 'xxx'
-    ls -1 | xargs -r -n 1 chmod 600
+
+    # Iterate over each entry in the spool directory, perform some sanity
+    # checks (see CVE-2017-9525), and chown/chgroup the crontabs
+    for tab_name in *
+    do
+        tab_type=`stat -c '%F' "$tab_name"`
+        tab_links=`stat -c '%h' "$tab_name"`
+        tab_owner=`stat -c '%U' "$tab_name"`
+
+        if [ "$tab_type" != "regular file" -a "$tab_type" != "regular empty file" ]
+        then
+            echo "Warning: $tab_name is not a regular file!"
+            continue
+        elif [ "$tab_links" -ne 1 ]
+        then
+            echo "Warning: $tab_name has more than one hard link!"
+            continue
+        elif [ "$tab_name" != "$tab_owner" ]
+        then
+            echo "Warning: $tab_name name differs from owner $tab_owner!"
+            continue
+        fi
+
+        chown "$tab_owner:crontab" "$tab_name"
+        chmod 600 "$tab_name"
+    done
     set -e
 fi
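Review bot: The three stat checks and the final `chown`/`chmod` are separate operations on a path in a directory the loop does not control exclusively, and both `chown` and `chmod` dereference symlinks, so an entry that passes the `%F` check and is then swapped for a symlink before the `chown` line is still followed; at minimum the ownership change should be `chown -h "$tab_owner:crontab" "$tab_name"` so a swapped-in symlink is never dereferenced, and the remaining `chmod` window should be noted in the comment above the loop, since plain `sh` offers no no-follow chmod. Whether the spool directory's permissions actually let a non-root group member perform that swap is not visible in this hunk and would need to be confirmed against the directory mode set elsewhere in the script. Separately, in an empty spool directory `for tab_name in *` iterates once over the literal `*`, producing a spurious "is not a regular file" warning; adding `[ -e "$tab_name" ] || continue` as the first statement of the loop body avoids that. The warnings go to stdout via `echo`, which for a maintainer script is better sent to stderr (`echo "..." >&2`), and the deprecated `-a` inside `[ ]` reads more safely as two tests joined with `||`. The enclosing `if [ -d $crondir/crontabs ]` block starts before this hunk.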