Package: cron
Version: 3.0pl1-127+deb8u1
Severity: critical
Tags: security
Justification: root security hole

Hi Debian Security Team:

I recently started to read the source code of Cron / Crontab and I think I found a vulnerability in it.

I found it in the file "database.c":
# http://anonscm.debian.org/cgit/pkg-cron/pkg-cron.git/tree/database.c?h=debian/3.0pl1-128

    load_database(...) -> process_crontab(...) -> force_rescan_user(...)

    free(u);                 # line 600
    ...
    link_user(new_db, u);    # line 609

"u" has been freed but is still passed to link_user(...). link_user(...) connects the freed "u" to a linked list. So, if the program uses "new_db" later, the program will segment fault.

Ex. In "cron.c", find_jobs(...) will use the freed "u".

And there is a condition to step into force_rescan_user(...). In file "database.c", line 599:

    if ((u->name = strdup(fname)) == NULL) {
        free(u);
        errno = ENOMEM;
    }

But I think on a low-memory machine or embedded system the condition can be ignored : )

p.s. I think other Linux distributions like Ubuntu also have this vulnerability.

Above is the detail of this vulnerability.

Thanks :)

-- Package-specific info:
--- EDITOR:

--- /usr/bin/editor:
/bin/nano
--- /usr/bin/crontab:
-rwxr-sr-x 1 root crontab 36008 Jun 11 2015 /usr/bin/crontab
--- /var/spool/cron:
drwxr-xr-x 3 root root 4096 Jun 7 2015 /var/spool/cron
--- /var/spool/cron/crontabs:
drwx-wx--T 2 root crontab 4096 Dec 27 14:22 /var/spool/cron/crontabs
--- /etc/cron.d:
drwxr-xr-x 2 root root 4096 Dec 27 14:07 /etc/cron.d
--- /etc/cron.daily:
drwxr-xr-x 2 root root 4096 Dec 27 14:07 /etc/cron.daily
--- /etc/cron.hourly:
drwxr-xr-x 2 root root 4096 Dec 27 14:07 /etc/cron.hourly
--- /etc/cron.monthly:
drwxr-xr-x 2 root root 4096 Dec 27 14:07 /etc/cron.monthly
--- /etc/cron.weekly:
drwxr-xr-x 2 root root 4096 Dec 27 14:07 /etc/cron.weekly

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cron depends on:
ii  adduser              3.113+nmu3
ii  debianutils          4.4+b1
ii  dpkg                 1.17.25
ii  init-system-helpers  1.22
ii  libc6                2.19-18
ii  libpam-runtime       1.1.8-3.1
ii  libpam0g             1.1.8-3.1
ii  libselinux1          2.3-2
ii  lsb-base             4.1+Debian13+nmu1

Versions of packages cron recommends:
pn  exim4 | postfix | mail-transport-agent  <none>

Versions of packages cron suggests:
pn  anacron        <none>
pn  checksecurity  <none>
ii  logrotate      3.8.7-1+b1

Versions of packages cron is related to:
pn  libnss-ldap   <none>
pn  libnss-ldapd  <none>
pn  libpam-ldap   <none>
pn  libpam-mount  <none>
pn  nis           <none>
pn  nscd          <none>

-- no debconf information
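
Added example, not part of the original report and not cron's own code: a reduced model of the error path described above, written in its hardened form so that the freed "u" never reaches link_user(). The struct layouts, dup_name(), set_simulate_oom(), rescan_user_safe() and db_count() are hypothetical stand-ins; only the names link_user, new_db, u and fname come from the report.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for cron's types (assumed layout, not the real one). */
typedef struct user { struct user *next, *prev; char *name; } user;
typedef struct cron_db { user *head, *tail; } cron_db;

/* Hypothetical switch that makes the name copy fail, as strdup() would
 * under memory pressure. */
static int simulate_oom = 0;
void set_simulate_oom(int on) { simulate_oom = on; }

/* Stand-in for strdup(fname) with injectable failure. */
static char *dup_name(const char *s) {
    if (simulate_oom) { errno = ENOMEM; return NULL; }
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}

/* Append u to the tail of the doubly linked list held by db. */
static void link_user(cron_db *db, user *u) {
    u->next = NULL;
    u->prev = db->tail;
    if (db->tail != NULL) db->tail->next = u; else db->head = u;
    db->tail = u;
}

/* Hardened error path: return right after free(u). In the reported code
 * control continues past the free and reaches link_user(new_db, u).
 * Returns 0 on success, -1 with errno set on failure. */
int rescan_user_safe(cron_db *new_db, const char *fname) {
    user *u = calloc(1, sizeof *u);
    if (u == NULL) { errno = ENOMEM; return -1; }
    if ((u->name = dup_name(fname)) == NULL) {
        free(u);
        errno = ENOMEM;
        return -1;              /* early exit: u is never linked */
    }
    link_user(new_db, u);
    return 0;
}

/* Walk the list the way a later consumer such as find_jobs() would. */
int db_count(const cron_db *db) {
    int n = 0;
    for (const user *u = db->head; u != NULL; u = u->next) n++;
    return n;
}
```

Building the real daemon with -fsanitize=address and forcing the allocation failure is one way to confirm whether the list still holds a freed entry.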