Javier Fernandez-Sanguino
2010-Mar-17 11:43 UTC
[Secure-testing-team] CVE-2010-0424: cron timestamp bug - not affected?
I've recently noticed CVE-2010-0424 [1] listed in the cron list of "possible security bugs". Yesterday I did a fast review of the bug information (not that much available) and the fix introduced by the Fedora guys (from cronie 1.4.3 to cronie 1.4.4) which is available at [2].
Michael Gilbert
2010-Mar-17 15:04 UTC
[Secure-testing-team] CVE-2010-0424: cron timestamp bug - not affected?
On Wed, 17 Mar 2010 12:43:26 +0100, Javier Fernandez-Sanguino wrote:
> I've recently noticed CVE-2010-0424 [1] listed in the cron list of
> "possible security bugs". Yesterday I did a fast review of the bug
> information (not that much available) and the fix introduced by the
> Fedora guys (from cronie 1.4.3 to cronie 1.4.4) which is available at
> [2].
>
> From what I can tell from the diff and comparing it to the crontab.c
> code [3] in our own cron fork (based on the 3.0 codebase, not the 4.1)
> I'm inclined to think that the CVE reference is not correct and our
> cron package is NOT affected.
>
> The problem seems to be related to the fact that in version 4.1, after
> copying the crontab to the temporary file, the utime is modified and
> set to 0 (as root). However, in version 3: the utime is not modified
> but, rather, the utime of the temporary file is obtained when the
> temporary file with the crontab is generated and then compared with
> the utime of the crontab temporary file *after* being edited to
> determine if something has changed.
>
> Consequently, there is no operation there (no call to utime()) which
> could be abused before cron drops its privileges to call the editor.
>
> I would say that Debian is not affected by this issue, although I
> would appreciate somebody to review the code and ratify that this is
> correct.

i had checked this when it was first disclosed and came to the same conclusions. i marked it as an NFU, but it was later reopened and reassigned to cron, so i probably should have used not-affected to begin with. that's what i've done now.

mike
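
The change detection described in the quoted message (record the temporary file's modification time when it is generated, compare it after the edit, and never call utime()), as an added C example that is not code from cron, cronie or either poster. The helper names, the temporary path and the sample crontab lines are constructed, and comparing the file size and nanosecond timestamp in addition to the modification time is an assumption that goes beyond what the thread describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fields recorded before the edit and compared afterwards (hypothetical helper type). */
struct snap { time_t sec; long nsec; off_t size; };

/* Read-only snapshot: fstat() on the open descriptor, no timestamp is ever written. */
static int take_snap(int fd, struct snap *s) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    s->sec = st.st_mtim.tv_sec;
    s->nsec = st.st_mtim.tv_nsec;
    s->size = st.st_size;
    return 0;
}

/* Returns 1 if the file changed since the snapshot, 0 if not, -1 on error. */
static int changed_since(int fd, const struct snap *before) {
    struct snap now;
    if (take_snap(fd, &now) != 0) return -1;
    return now.sec != before->sec || now.nsec != before->nsec || now.size != before->size;
}

/* Constructed demo: copy a sample entry to a temp file, optionally "edit" it, compare. */
static int demo(int edit) {
    char path[] = "/tmp/crontab-demo.XXXXXX";      /* constructed path */
    const char *entry = "0 5 * * * /bin/true\n";   /* constructed crontab line */
    const char *added = "30 6 * * 1 /bin/true\n";  /* constructed edit */
    struct snap before;
    int rc = -1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, entry, strlen(entry)) == (ssize_t)strlen(entry) &&
        take_snap(fd, &before) == 0 &&
        (!edit || write(fd, added, strlen(added)) == (ssize_t)strlen(added)))
        rc = changed_since(fd, &before);
    close(fd);
    unlink(path);
    return rc;
}

int main(void) {
    printf("unedited: %d, edited: %d\n", demo(0), demo(1));
    return 0;
}
```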