Jamie Strandboge
2009-May-12 21:53 UTC
[Secure-testing-team] Bug#528434: cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked)
Package: cron
Version: 3.0pl1-105
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu jaunty ubuntu-patch

Hi,

I was reviewing a list of old bugs in the Ubuntu bug tracker, and came across:
https://bugs.edge.launchpad.net/ubuntu/+source/cron/+bug/46649

I then reviewed the Ubuntu and Debian packages and found that while the most serious issue of not checking setuid() was addressed in 3.0pl1-64, checks for setgid() and initgroups() were not added. Other distributions (e.g. Gentoo and RedHat) fixed these calls as well.

I was then curious to see when these two calls could fail and found that sys_setgid can fail via LSM and CAP_SETGID, and sys_setgroups() can fail via LSM, CAP_SETGID, NGROUPS_MAX, and ENOMEM.

As such, Ubuntu plans to release a fix for this in our stable releases with the following changelog:

  * SECURITY UPDATE: cron does not check the return code of setgid() and
    initgroups(), which under certain circumstances could cause applications
    to run with elevated group privileges. Note that the more serious issue
    of not checking the return code of setuid() was fixed in 3.0pl1-64.
    (LP: #46649)
    - do_command.c: check return code of setgid() and initgroups()
    - CVE-2006-2607

We thought you might be interested in doing the same.

-- System Information:
Debian Release: 5.0
  APT prefers jaunty-updates
  APT policy: (500, 'jaunty-updates'), (500, 'jaunty-security'), (500, 'jaunty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-11-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmpLzJLLq
Type: text/x-diff
Size: 1017 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090512/0f638797/attachment.diff>
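The privilege-drop pattern the report asks for, as an added illustration that is not the scrubbed attachment and not cron's own do_command.c: every one of initgroups(), setgid() and setuid() is checked, the job is refused if any step fails, and the resulting ids are verified before anything runs. The function names drop_privileges() and verify_identity(), the enum drop_status codes, and the order of calls (supplementary groups first, uid last) are this example's own choices, not cron's. The comments on why each call can fail repeat the report's own list (LSM, CAP_SETGID, NGROUPS_MAX, ENOMEM) plus the resource-limit case behind the original setuid() bug.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Which step of the drop failed, so the caller can log it precisely and
 * refuse to run the job instead of running it with leftover privileges. */
enum drop_status {
    DROP_OK = 0,
    DROP_ERR_INITGROUPS, /* setgroups() refused: LSM, no CAP_SETGID, NGROUPS_MAX, ENOMEM */
    DROP_ERR_SETGID,     /* setgid() refused: LSM or missing CAP_SETGID */
    DROP_ERR_SETUID,     /* setuid() refused, e.g. RLIMIT_NPROC reached (the setuid bug) */
    DROP_ERR_VERIFY      /* the calls reported success but the ids do not match */
};

/* Compare the process's real and effective ids with the requested ones.
 * Returns 0 when both uid and gid match, -1 otherwise. */
int verify_identity(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Drop from the daemon's identity to the job owner's identity.  A job must
 * never start if any step was refused: an unchecked failure leaves the
 * process holding root's uid, gid or supplementary groups. */
enum drop_status drop_privileges(uid_t uid, gid_t gid, const char *user)
{
    /* Supplementary groups first, while the process can still call setgroups(). */
    if (initgroups(user, gid) != 0) {
        fprintf(stderr, "initgroups(%s, %lu) failed: %s\n",
                user, (unsigned long)gid, strerror(errno));
        return DROP_ERR_INITGROUPS;
    }
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%lu) failed: %s\n",
                (unsigned long)gid, strerror(errno));
        return DROP_ERR_SETGID;
    }
    /* uid last: once it is dropped, the group changes above would be refused. */
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%lu) failed: %s\n",
                (unsigned long)uid, strerror(errno));
        return DROP_ERR_SETUID;
    }
    /* Belt and braces: trust the ids the kernel reports, not the return codes. */
    if (verify_identity(uid, gid) != 0) {
        fprintf(stderr, "identity mismatch after dropping privileges\n");
        return DROP_ERR_VERIFY;
    }
    return DROP_OK;
}

/* Stand-alone demonstration: drop to the current user's own identity, which
 * succeeds when run as root and shows the initgroups() refusal otherwise. */
int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    const char *name = pw ? pw->pw_name : "nobody"; /* fallback name, constructed */
    enum drop_status rc = drop_privileges(getuid(), getgid(), name);

    if (rc != DROP_OK) {
        fprintf(stderr, "refusing to run job: privilege drop failed at step %d\n", rc);
        return 1;
    }
    printf("running job as uid=%lu gid=%lu\n",
           (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

Compile with `cc -Wall -o dropdemo dropdemo.c` and run it once as root and once as an ordinary user: as root all three calls succeed; as an ordinary user initgroups() is refused because setgroups() needs CAP_SETGID, and the program exits without running the job, which is exactly the behaviour the unchecked cron code lacked.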