SecuriTeam - New cron packages released (Security update)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam
Beyond Security

SecuriTeam Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

Black Box Testing
Vulnerability Assessment
Vulnerability Scanner

	SecuriTeam in Your Inbox

	E-mail this article to a friend

New vulnerability?
New tool?
Tell us

The version of Vixie Cron shipped with Debian GNU/Linux 2.2 is vulnerable to a local attack, discovered by Michal Zalewski. Several problems, including insecure permissions on temporary files and race conditions in their deletion, allowed attacks from a denial of service (preventing the editing of crontabs) to an escalation of privileges (when another user edited their crontab).

Credit:
The information has been provided by Debian security announce.

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Problem Description:
We already described this problem in detailed in our previous article: Vixie cron fopen() and preserved umask vulnerability.

Solution:
As a temporary fix, "chmod go-rx /var/spool/cron/crontabs" prevents the only available exploit; however, it does not address the problem. Debian recommends upgrading to version 3.0pl1-57.1, for Debian 2.2, or 3.0pl1-61, for Debian unstable.

Also, in the new cron packages, it is no longer possible to specify special files (devices, named pipes, etc.) by name to crontab. Note that this is not so much a security fix as a sanity check.

Patch:
Debian GNU/Linux 2.1 alias slink
Slink is no longer being supported by the Debian Security Team. Debian highly recommends an upgrade to the current stable release.

Debian GNU/Linux 2.2 (stable) alias potato
Fixes are currently available for the Alpha, ARM, Intel ia32, Motorola 680x0, PowerPC and Sun SPARC architectures, and will be included in 2.2r2.

Source archives:
http://security.debian.org/dists/potato/updates/main/source/cron_3.0pl1-57.1.diff.gz
http://security.debian.org/dists/potato/updates/main/source/cron_3.0pl1-57.1.dsc
http://security.debian.org/dists/potato/updates/main/source/cron_3.0pl1.orig.tar.gz

Alpha architecture:
http://security.debian.org/dists/potato/updates/main/binary-alpha/cron_3.0pl1-57.1_alpha.deb

ARM architecture:
http://security.debian.org/dists/potato/updates/main/binary-arm/cron_3.0pl1-57.1_arm.deb

Intel IA32 architecture:
http://security.debian.org/dists/potato/updates/main/binary-arm/cron_3.0pl1-57.1_i386.deb

Motorola 680x0 architecture:
http://security.debian.org/dists/potato/updates/main/binary-m68k/cron_3.0pl1-57.1_m68k.deb

PowerPC architecture:
http://security.debian.org/dists/potato/updates/main/binary-powerpc/cron_3.0pl1-57.1_powerpc.deb

Sun Sparc architecture:
http://security.debian.org/dists/potato/updates/main/binary-sparc/cron_3.0pl1-57.1_sparc.deb

	PHP dba_replace() Arbitrary File Destruction
	VLC Media Player RealText Processing Stack Overflow Vulnerability
	LibSPF2 DNS TXT Record Parsing Bug
	GNU Enscript "setfilename" Special Escape Buffer Overflow
	File-Find-Object Format String Vulnerability
	Veritas Storage Foundation Arbitrary File Read Vulnerability
	Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow Vulnerability
	Apache Tomcat Information Disclosure (RemoteFilterValve)
	Apple CUPS HP-GL/2 filter Code Execution Vulnerability
	WordPress MU wpmu-Blogs.php Crose Site Scrpting Vulnerability
	strongSwan IKEv2 Denial of Service Vulnerability
	Cross-Site Scripting Filter Evasion in Various Frameworks / Applications
	MySQL Charset Truncation Vulnerability
	Wordpress user_login Column SQL Truncation Vulnerability
	Joomla Weak Random Password Reset Token Vulnerability