--------------------------------------------------------------------- Red Hat, Inc. Security Advisory Synopsis: Buffer overflow in cron daemon Advisory ID: RHSA-1999:030-01 Issue date: 1999-08-25 Updated on: Keywords: vixie-cron crond MAILTO Cross references: --------------------------------------------------------------------- 1. Topic: A buffer overflow exists in crond, the cron daemon. This could allow local users to gain privilege. 2. Bug IDs fixed (http://developer.redhat.com/bugzilla/): 4706 3. Relevant releases/architectures: Red Hat Linux 4.2, 5.2, 6.0, all architectures 4. Obsoleted by: 5. Conflicts with: 6. RPMs required: Red Hat Linux 4.2: Intel: rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/i386/vixie-cron-3.0.1-36.4.2.i386.rpm Alpha: rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/alpha/vixie-cron-3.0.1-36.4.2.alpha.rpm Sparc: rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/sparc/vixie-cron-3.0.1-36.4.2.sparc.rpm Source packages: rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/vixie-cron-3.0.1-36.4.2.src.rpm Red Hat Linux 5.2: Intel: rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/i386/vixie-cron-3.0.1-36.5.2.i386.rpm Alpha: rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/alpha/vixie-cron-3.0.1-36.5.2.alpha.rpm Sparc: rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/sparc/vixie-cron-3.0.1-36.5.2.sparc.rpm Source packages: rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/vixie-cron-3.0.1-36.5.2.src.rpm Red Hat Linux 6.0: Intel: rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/i386/vixie-cron-3.0.1-37.i386.rpm Alpha: rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/alpha/vixie-cron-3.0.1-37.alpha.rpm Sparc: rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/sparc/vixie-cron-3.0.1-37.sparc.rpm Source packages: rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/vixie-cron-3.0.1-37.src.rpm 7. Problem description: By creating a crontab that runs with a specially formatted 'MAILTO' environment variable, it is possible for local users to overflow a fixed-length buffer in the cron daemon's cron_popen() function. Since the cron daemon runs as root, it would be theoretcially possible for local users to use this buffer overflow to gain root privilege. To the best of our knowledge, no known exploits exist at this time. Also, it was possible to use specially formatted 'MAILTO' environment variables to send commands to sendmail. 8. Solution: For each RPM for your particular architecture, run: rpm -Uvh <filename> where filename is the name of the RPM. 9. Verification: MD5 sum Package Name -------------------------------------------------------------------------- a90bf7adbc719fdb5a8ed335fda32a3c i386/vixie-cron-3.0.1-36.4.2.i386.rpm 2b6b0b00cdeca0381ab2893ddf2f2bd1 alpha/vixie-cron-3.0.1-36.4.2.alpha.rpm 02d183979b594a7e7a9c1bc8566b2f16 sparc/vixie-cron-3.0.1-36.4.2.sparc.rpm b8ac0c21e108ebd67925c224f7a0b82b SRPMS/vixie-cron-3.0.1-36.4.2.src.rpm 7df6884f0709b078d19f390db2a7e304 i386/vixie-cron-3.0.1-36.5.2.i386.rpm b51b4ea612c4f5a59c1bb4e76af95eeb alpha/vixie-cron-3.0.1-36.5.2.alpha.rpm 5ceeb614442bd4d4ce8a9680664d77e4 sparc/vixie-cron-3.0.1-36.5.2.sparc.rpm 9f411cb3c7c1c53423eebc9d5f64619a SRPMS/vixie-cron-3.0.1-36.5.2.src.rpm 39bbedeade7dc6da6f0ab5acfb3af6da i386/vixie-cron-3.0.1-37.i386.rpm addec82afbd131aef14fadf8cfb8ddcf alpha/vixie-cron-3.0.1-37.alpha.rpm b56db77c411f72825efbffed43780213 sparc/vixie-cron-3.0.1-37.sparc.rpm 243d9099bdb94bd0d075de4da4dbba12 SRPMS/vixie-cron-3.0.1-37.src.rpm These packages are PGP signed by Red Hat Inc. for security. Our key is available at: http://www.redhat.com/corp/contact.html You can verify each package with the following command: rpm --checksig <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nopgp <filename> 10. References:
On Wed, Aug 25, 1999 at 09:17:20PM -0400, Bill Nottingham wrote:> A buffer overflow exists in crond, the cron daemon. This > could allow local users to gain privilege.FYI, Caldera OpenLinux isn't vulnerable to this. This problem was first discovered two years ago by someone at Debian. Olaf -- Olaf Kirch | --- o --- Nous sommes du soleil we love when we play okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax okir@caldera.de +-------------------- Why Not?! ----------------------- UNIX, n.: Spanish manufacturer of fire extinguishers.
Shaun Hedges
1999-Aug-27 01:24 UTC
[linux-security] Re: [RHSA-1999:030-01] Buffer overflow in cron daemon
I wonder, if this was discovered by another source such as Debian why haven't they made it public? That doesn't fit the stature of a commercial distributor in the Linux industry. It's more of an OpenBSD thing to discover bugs and say you fixed them two years ago when someone else finds them. [mod: Reformatted. Please watch your line lengths. -- REW] CYA. -----Original Message----- From: Olaf Kirch [SMTP:okir@monad.swb.de] Sent: Thursday, August 26, 1999 2:06 AM To: bugtraq@securityfocus.com; linux-security@redhat.com Subject: [linux-security] Re: [RHSA-1999:030-01] Buffer overflow in cron daemon On Wed, Aug 25, 1999 at 09:17:20PM -0400, Bill Nottingham wrote:> A buffer overflow exists in crond, the cron daemon. This > could allow local users to gain privilege.FYI, Caldera OpenLinux isn't vulnerable to this. This problem was first discovered two years ago by someone at Debian. Olaf -- Olaf Kirch | --- o --- Nous sommes du soleil we love when we play okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax okir@caldera.de +-------------------- Why Not?! ----------------------- UNIX, n.: Spanish manufacturer of fire extinguishers. -- ---------------------------------------------------------------------- Please refer to the information about this list as well as general information about Linux security at http://www.aoy.com/Linux/Security. ---------------------------------------------------------------------- To unsubscribe: mail -s unsubscribe linux-security-request@redhat.com < /dev/null