[Pkg-cron-devel] [pkg-cron] 03/10: Fix for CVE-2017-9525: group crontab to root escalation via postinst as described by Alexander Peslyak (Solar Designer) in http://www.openwall.com/lists/oss-security/2017/06/08/3 (Closes: 864466)
Javier Fernandez-Sanguino Peña
jfs at moszumanska.debian.org
Sun Mar 11 22:37:12 UTC 2018
This is an automated email from the git hooks/post-receive script.
jfs pushed a commit to branch master
in repository pkg-cron.
commit a10ab4e346e941aaa92f4b671a96895392b917af
Author: Javier Fernandez-Sanguino <jfs at debian.org>
Date: Sun Mar 11 22:45:16 2018 +0100
Fix for CVE-2017-9525: group crontab to root escalation via postinst as
described by Alexander Peslyak (Solar Designer) in
http://www.openwall.com/lists/oss-security/2017/06/08/3 (Closes: 864466)
The fix replaces the unconditional chown/chgrp of everything under
/var/spool/cron/crontabs with a conditional solution. A file in that
directory must now satisfy the following requirements:
1. It must be a regular file
2. It must have a hard link count of exactly 1
3. Its name must match its owner (the daemon expects this)
---
debian/changelog | 5 +++++
debian/postinst | 28 ++++++++++++++++++++++++++--
2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index a3eb408..dc5b4da 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,11 @@ cron (3.0pl1-129) unstable; urgency=medium
* Acknowledge NMU
* Make sure cron is started last and stopped first, with patch provided by
Harald Dunke (Closes: #767016)
+ [ Christian Kastner ]
+ * Fix for CVE-2017-9525: group crontab to root escalation via postinst
+ as described by Alexander Peslyak (Solar Designer) in
+ http://www.openwall.com/lists/oss-security/2017/06/08/3
+ (Closes: 864466)
-- Javier Fernández-Sanguino Peña <jfs at debian.org> Sun, 11 Mar 2018 22:38:06 +0100
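Review bot: the new changelog entry writes "(Closes: 864466)" without the "#" that the neighbouring entry uses ("(Closes: #767016)"); dpkg's changelog parser tolerates the missing "#", but the entry should follow the file's existing convention and read "(Closes: #864466)".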
diff --git a/debian/postinst b/debian/postinst
index ac97c9e..5f3f8c6 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -60,8 +60,32 @@ if [ -d $crondir/crontabs ] ; then
# It has been disabled to suit cron alternative such as bcron.
cd $crondir/crontabs
set +e
- ls -1 | xargs -r -n 1 --replace=xxx chown 'xxx:crontab' 'xxx'
- ls -1 | xargs -r -n 1 chmod 600
+
+ # Iterate over each entry in the spool directory, perform some sanity
+ # checks (see CVE-2017-9525), and chown/chgroup the crontabs
+ for tab_name in *
+ do
+ tab_type=`stat -c '%F' "$tab_name"`
+ tab_links=`stat -c '%h' "$tab_name"`
+ tab_owner=`stat -c '%U' "$tab_name"`
+
+ if [ "$tab_type" != "regular file" -a "$tab_type" != "regular empty file" ]
+ then
+ echo "Warning: $tab_name is not a regular file!"
+ continue
+ elif [ "$tab_links" -ne 1 ]
+ then
+ echo "Warning: $tab_name has more than one hard link!"
+ continue
+ elif [ "$tab_name" != "$tab_owner" ]
+ then
+ echo "Warning: $tab_name name differs from owner $tab_owner!"
+ continue
+ fi
+
+ chown "$tab_owner:crontab" "$tab_name"
+ chmod 600 "$tab_name"
+ done
set -e
fi
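Review bot: the loop `for tab_name in *` has no guard for an empty spool directory: with no entries the pattern expands to the literal `*`, the three `stat` calls fail (under `set +e`, so the script continues), and `[ "$tab_links" -ne 1 ]` is then evaluated with an empty operand, producing an "integer expression expected" error instead of a clean no-op. Adding `[ -e "$tab_name" ] || continue` as the first statement of the loop body (or testing `-f "$tab_name"` before calling `stat`) closes that case. A second point worth recording in a comment: the sanity checks and the `chown "$tab_owner:crontab" "$tab_name"` are separate operations on a directory that, per the CVE description, members of group crontab can write to, so an entry could in principle be swapped between the `stat` calls and the `chown`; the checks substantially narrow the original exposure, but the remaining check-then-act window should be acknowledged in the code rather than left implicit. Minor: the "more than one hard link" warning also fires for a link count of 0, which `stat` can report for an unlinked-but-open file; "does not have exactly one hard link" would match the test.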
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-cron/pkg-cron.git