No subject

code [3] in our own cron fork (based on the 3.0 codebase, not the 4.1)
I'm inclined to think that the CVE reference is not correct and our
cron package is NOT affected.

The problem seems to be related to the fact that in version 4.1, after
copying the crontab to the temporary file, the utime is modified and
set to 0 (as root). However, in version 3: the utime is not modified
but, rather, the utime of the temporary file is obtained when the
temporary file with the crontab is generated and then compared with
the utime of the crontab temporary file *after* being edited to
determine if something has changed.

Consequently, there is no operation there (no call to utime()) which
could be abused before cron drops its privileges to call the editor.

I would say that Debian is not affected by this issue, although I
would appreciate somebody to review the code and ratify that this is
correct.

Regards

Javier

[1] http://security-tracker.debian.org/tracker/CVE-2010-0424
[2] http://git.fedorahosted.org/git/cronie.git?p=cronie.git;a=commitdiff;h=9e4a8fa5f9171fb724981f53879c9b20264aeb61
[3] http://svn.debian.org/wsvn/pkg-cron/trunk/crontab.c