[Pkg-cron-devel] [pkg-cron] 03/10: Fix for CVE-2017-9525: group crontab to root escalation via postinst as described by Alexander Peslyak (Solar Designer) in http://www.openwall.com/lists/oss-security/2017/06/08/3 (Closes: 864466)

Javier Fernandez-Sanguino Peña jfs at moszumanska.debian.org
Sun Mar 11 22:37:12 UTC 2018


This is an automated email from the git hooks/post-receive script.

jfs pushed a commit to branch master
in repository pkg-cron.

commit a10ab4e346e941aaa92f4b671a96895392b917af
Author: Javier Fernandez-Sanguino <jfs at debian.org>
Date:   Sun Mar 11 22:45:16 2018 +0100

    Fix for CVE-2017-9525: group crontab to root escalation via postinst as
    described by Alexander Peslyak (Solar Designer) in
    http://www.openwall.com/lists/oss-security/2017/06/08/3 (Closes: 864466)
    
    The fix: replaces the unconditional chown/chgrp of everything under
    /var/spool/cron/crontabs with a conditional solution. A file in that
    directory must now satisfy the following requirements:
      1. It must be a regular file
      2. It must have a hard link count of exactly 1
      3. Its name must match its owner (the daemon expects this)
---
 debian/changelog |  5 +++++
 debian/postinst  | 28 ++++++++++++++++++++++++++--
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index a3eb408..dc5b4da 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,11 @@ cron (3.0pl1-129) unstable; urgency=medium
   * Acknowledge NMU
   * Make sure cron is started last and stopped first, with patch provided by
   Harald Dunke (Closes: #767016)
+  [ Christian Kastner ]
+  * Fix for CVE-2017-9525: group crontab to root escalation via postinst
+  as described by Alexander Peslyak (Solar Designer) in
+  http://www.openwall.com/lists/oss-security/2017/06/08/3
+  (Closes: 864466)
 
  -- Javier Fernández-Sanguino Peña <jfs at debian.org>  Sun, 11 Mar 2018 22:38:06 +0100
 
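Review bot: the attribution bracket `[ Christian Kastner ]` is introduced only above the new entry, which leaves the two earlier entries of this same version ("Acknowledge NMU" and the start/stop ordering fix) without a bracket of their own; under the Debian changelog convention, once one entry in a version is attributed the others should be too (e.g. a `[ Javier Fernández-Sanguino Peña ]` line above them), otherwise a reader cannot tell whose they are. Also, the new entry writes `(Closes: 864466)` while the entry above it uses `(Closes: #767016)`; keep the `#` form so the bug reference is consistent with the rest of the file and with the documented `Closes: #nnnnn` form.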
diff --git a/debian/postinst b/debian/postinst
index ac97c9e..5f3f8c6 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -60,8 +60,32 @@ if [ -d $crondir/crontabs ] ; then
     # It has been disabled to suit cron alternative such as bcron. 
     cd $crondir/crontabs
     set +e
-    ls -1 | xargs -r -n 1 --replace=xxx  chown 'xxx:crontab' 'xxx'
-    ls -1 | xargs -r -n 1 chmod 600
+
+    # Iterate over each entry in the spool directory, perform some sanity
+    # checks (see CVE-2017-9525), and chown/chgroup the crontabs
+    for tab_name in *
+    do
+        tab_type=`stat -c '%F' "$tab_name"`
+        tab_links=`stat -c '%h' "$tab_name"`
+        tab_owner=`stat -c '%U' "$tab_name"`
+
+        if [ "$tab_type" != "regular file" -a "$tab_type" != "regular empty file" ]
+        then
+            echo "Warning: $tab_name is not a regular file!"
+            continue
+        elif [ "$tab_links" -ne 1 ]
+        then
+            echo "Warning: $tab_name has more than one hard link!"
+            continue
+        elif [ "$tab_name" != "$tab_owner" ]
+        then
+            echo "Warning: $tab_name name differs from owner $tab_owner!"
+            continue
+        fi
+
+		chown "$tab_owner:crontab" "$tab_name"
+		chmod 600 "$tab_name"
+    done
     set -e
 fi
 
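Review bot: `for tab_name in *` is not a drop-in replacement for the `xargs -r` it removes: in an empty spool directory the glob stays the literal string `*`, so the loop body runs once, the three `stat` calls fail (silently, since the block is under `set +e`), `$tab_type` is empty and the script prints `Warning: * is not a regular file!`. Add `[ -e "$tab_name" ] || continue` as the first statement of the loop body, which also covers a name that disappears between the glob expansion and the `stat`. Two smaller points: the lines `chown "$tab_owner:crontab" "$tab_name"` and `chmod 600 "$tab_name"` are indented with tabs while the rest of the block uses four spaces; and the checks are made by `stat` on a path name while the `chown`/`chmod` later re-resolve the same name, so the sanity checks and the privileged operation are not tied to one inode. Whether that window matters depends on who can rename or replace entries in the spool directory, which this hunk does not establish; a comment stating that assumption next to the checks would help the next reader.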

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-cron/pkg-cron.git
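The three requirements listed in the commit message (regular file, link count of exactly one, file name equal to owner name) can also be enforced on an open file descriptor, so that the chown/chmod is applied to the same inode that was inspected. The following is an added example written for this page; it is not code from the cron package or from the postinst above. It assumes a Linux host (openat-style `dir_fd` arguments and `O_NOFOLLOW`), the Debian group name `crontab`, and a constructed sample spool directory built by `make_sample_spool()` so it can be run unprivileged in dry-run mode.

```python
import grp
import os
import pwd
import stat
import tempfile

CRONTAB_GROUP = "crontab"  # group Debian's cron uses for spooled crontabs (assumed)


def check_crontab(dirfd, name):
    """Apply the three sanity checks to one spool entry.

    Returns (ok, reason, fd). When ok is True, fd is an open descriptor on the
    verified inode and the caller must close it. Checks are done on the
    descriptor (fstat) and cross-checked against lstat, so a later fchown/fchmod
    cannot be redirected to a different file than the one inspected.
    """
    try:
        st_l = os.lstat(name, dir_fd=dirfd)
    except FileNotFoundError:
        return False, "does not exist", None
    if not stat.S_ISREG(st_l.st_mode):          # 1. regular file (symlinks, dirs, fifos rejected)
        return False, "not a regular file", None
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY, dir_fd=dirfd)
    except OSError:                              # e.g. ELOOP if swapped for a symlink meanwhile
        return False, "vanished or replaced between lstat and open", None
    st = os.fstat(fd)
    if (st.st_dev, st.st_ino) != (st_l.st_dev, st_l.st_ino) or not stat.S_ISREG(st.st_mode):
        os.close(fd)
        return False, "vanished or replaced between lstat and open", None
    if st.st_nlink != 1:                         # 2. exactly one hard link
        os.close(fd)
        return False, "has %d hard links" % st.st_nlink, None
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:                             # uid with no passwd entry: fail closed
        os.close(fd)
        return False, "owner uid %d has no passwd entry" % st.st_uid, None
    if owner != name:                            # 3. file name must equal owner name
        os.close(fd)
        return False, "name differs from owner %s" % owner, None
    return True, "", fd


def fix_spool(spool_dir, apply=False):
    """Walk a spool directory; return [(name, ok, reason)].

    With apply=True (needs root) the verified entries get owner:crontab and
    mode 0600 via the already-open descriptor. Default is a dry run.
    """
    results = []
    dirfd = os.open(spool_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in sorted(os.listdir(dirfd)):   # listdir, not a glob: no literal '*' on empty dir
            ok, why, fd = check_crontab(dirfd, name)
            if ok:
                try:
                    if apply:
                        gid = grp.getgrnam(CRONTAB_GROUP).gr_gid
                        os.fchown(fd, os.fstat(fd).st_uid, gid)
                        os.fchmod(fd, 0o600)
                finally:
                    os.close(fd)
            results.append((name, ok, why))
    finally:
        os.close(dirfd)
    return results


def current_user_name():
    """Name of the invoking user, or None if the uid has no passwd entry."""
    try:
        return pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        return None


def make_sample_spool():
    """Constructed sample spool (not real data); returns its path.

    Contains one good crontab named after the invoking user, a symlink named
    'daemon' pointing at /etc/passwd, two names sharing one inode, and a regular
    file whose name does not match its owner.
    """
    d = tempfile.mkdtemp(prefix="crontabs-")
    me = current_user_name() or "nobody-such-user"
    with open(os.path.join(d, me), "w") as f:
        f.write("@daily /bin/true\n")
    os.symlink("/etc/passwd", os.path.join(d, "daemon"))
    with open(os.path.join(d, "victim"), "w") as f:
        f.write("# two names, one inode\n")
    os.link(os.path.join(d, "victim"), os.path.join(d, "linked"))
    open(os.path.join(d, "someoneelse"), "w").close()
    return d


if __name__ == "__main__":
    for name, ok, why in fix_spool(make_sample_spool()):
        print("%-16s %s %s" % (name, "ok" if ok else "SKIP", why))
```

Run it as an unprivileged user to see the classification; only `fix_spool(path, apply=True)` as root actually changes ownership, and it does so with `fchown`/`fchmod` on the descriptor that passed the checks rather than by re-resolving the file name.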
