Moritz Muehlenhoff
2010-Mar-04 22:54 UTC
[Secure-testing-team] Bug#572587: CVE-2010-0792: Information disclosure
Package: fcron
Severity: important
Tags: security

The following was posted to full-disclosure. Since Debian's fcron package seems to use a fcron system group (correct me if I'm wrong) we don't need to fix this in a DSA. Feel free to update this in a point release, though.

Cheers,
Moritz

===========================================
fcrontab Information Disclosure Vulnerability
March 3, 2010
CVE-2010-0792
===========================================

==Description=

fcrontab, part of the fcron scheduler, is vulnerable to several race conditions that allow a local attacker to use symbolic links to read unauthorized files. On systems where fcrontab is installed with its own "fcron" group, this allows an attacker to read other non-root users' crontabs and fcron configuration files. On systems where fcrontab is installed suid root, this allows an attacker to read arbitrary files.

==Solution=

The developer has released a new version, 3.0.5, to address these vulnerabilities. It is available for download on the developer's website, http://fcron.free.fr. Users are advised to recompile from source or download updated packages from downstream distributors when they become available.

==Credits=

This vulnerability was discovered by Dan Rosenberg (dan.j.rosenberg at gmail.com). Thanks to Thibault Godouet for his prompt response and new release.

==References=

CVE identifier CVE-2010-0792 has been assigned to this issue.
-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages fcron depends on:
ii  adduser                       3.112      add and remove users and groups
ii  debconf [debconf-2.0]         1.5.28     Debian configuration management sy
ii  dpkg                          1.15.5.6   Debian package management system
ii  exim4-daemon-light [mail-tran 4.71-3     lightweight Exim MTA (v4) daemon
ii  libc6                         2.10.2-5   Embedded GNU C Library: Shared lib
ii  libpam-runtime                1.1.1-2    Runtime support for the PAM librar
ii  libpam0g                      1.1.1-2    Pluggable Authentication Modules l
ii  libselinux1                   2.0.89-4   SELinux runtime shared libraries

Versions of packages fcron recommends:
ii  sysklogd [system-log-daemon]  1.5-5      System Logging Daemon

fcron suggests no packages.
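The advisory above describes the general class of bug: a setuid/setgid helper checks a user-supplied path (for example with lstat()) and then opens it, leaving a window in which the path can be swapped for a symbolic link to a file the user may not read. The following is an added example written for this bug report, not code from fcron or from the advisory's author; it shows the defensive pattern a privileged helper should use instead: open with O_NOFOLLOW so the kernel refuses a symlink atomically, then validate the already-open descriptor with fstat() rather than re-examining the path. The function names (open_owned_regular, demo_symlink_refused), the temporary-directory fixture and the "secret" file contents are all constructed for the demonstration.

```c
/* Added example (not fcron's code): avoiding symlink races when a
 * privileged helper opens a file named by an unprivileged user.
 * Pattern: lstat()-then-open() is a TOCTOU window; instead open() with
 * O_NOFOLLOW (symlink refused atomically, errno == ELOOP on Linux) and
 * then check the open descriptor with fstat(). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns a read-only fd for `path` only if the final path component is
 * a regular file (not a symlink, FIFO or device) owned by `expected_uid`.
 * Returns -1 otherwise. Because the check is made on the fd that will be
 * read, there is no window between check and use. */
int open_owned_regular(const char *path, uid_t expected_uid) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);
    if (fd < 0)
        return -1;              /* ELOOP: a symlink was refused by the kernel */

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_uid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demo fixture (constructed): a regular file plus a symlink pointing at it
 * in a fresh temp dir. Expected outcome is that the regular file opens,
 * the symlink is refused, and a wrong owner is refused. Returns 0 when all
 * three hold, -1 otherwise; always cleans up the fixture. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char target[256], link[256];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    int rc = -1;
    int wfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (wfd < 0)
        goto cleanup;
    (void)write(wfd, "secret\n", 7);   /* constructed contents */
    close(wfd);
    if (symlink(target, link) != 0)
        goto cleanup;

    int fd_ok          = open_owned_regular(target, getuid());      /* accepted */
    int fd_via_symlink = open_owned_regular(link, getuid());        /* refused */
    int fd_wrong_owner = open_owned_regular(target, getuid() + 1);  /* refused */

    if (fd_ok >= 0 && fd_via_symlink < 0 && fd_wrong_owner < 0)
        rc = 0;
    if (fd_ok >= 0)
        close(fd_ok);

cleanup:
    unlink(link);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void) {
    int rc = demo_symlink_refused();
    printf("symlink refused and owner checked: %s\n", rc == 0 ? "yes" : "NO");
    return rc == 0 ? 0 : 1;
}
```

The ownership check against the invoking user is what matters for a helper installed with a dedicated group such as "fcron": even with O_NOFOLLOW, a hard link or a file placed in a user-writable directory could still name another user's data, so the decision is made on st_uid of the descriptor actually opened. For a root-setuid helper the same function can be combined with dropping to the real uid before the open, which removes the privilege rather than only constraining it.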