Debian: 'cron' vulnerability

    Date 17 Nov 2000
    Posted By LinuxSecurity Advisories
    The version of Vixie Cron shipped with Debian GNU/Linux 2.2 is vulnerable toa local attack, discovered by Michal Zalewski.
    - ----------------------------------------------------------------------------
    Debian Security Advisory                                 This email address is being protected from spambots. You need JavaScript enabled to view it.                            Daniel Jacobowitz
    November 17, 2000
    - ----------------------------------------------------------------------------
    Package: cron
    Vulnerability: local priviledge escalation
    Debian-specific: no
    Vulnerable: yes
    The version of Vixie Cron shipped with Debian GNU/Linux 2.2 is vulnerable to
    a local attack, discovered by Michal Zalewski.  Several problems, including
    insecure permissions on temporary files and race conditions in their
    deletion, allowed attacks from a denial of service (preventing the editing
    of crontabs) to an escalation of priviledge (when another user edited their
    As a temporary fix, "chmod go-rx /var/spool/cron/crontabs" prevents the only
    available exploit; however, it does not address the problem.  We recommend
    upgrading to version 3.0pl1-57.1, for Debian 2.2, or 3.0pl1-61, for Debian
    Also, in the new cron packages, it is no longer possible to specify special
    files (devices, named pipes, etc.) by name to crontab.  Note that this is
    not so much a security fix as a sanity check.
    Debian GNU/Linux 2.1 alias slink
    - --------------------------------
      Slink is no longer being supported by the Debian Security Team.  We highly
      recommend an upgrade to the current stable release.
    Debian GNU/Linux 2.2 (stable) alias potato
    - ------------------------------------------
      Fixes are currently available for the Alpha, ARM, Intel ia32, Motorola 680x0,
      PowerPC and Sun SPARC architectures, and will be included in 2.2r2.
      Source archives:
          MD5 checksum: 4fac4be2841908090d1c877a65cf5ef9
          MD5 checksum: caed3f1556203618544eec823347df30
          MD5 checksum: 4c64aece846f8483daf440f8e3dd210f
      Alpha architecture:
          MD5 checksum: 3b146f5227182343d3b20cf8fce8a86c
      ARM architecture:
          MD5 checksum: 559e80e83abf371a8d09759ee900daf5
      Intel IA32 architecture:
          MD5 checksum: 922bb72b07a05fb888771364697f52e1
      Motorola 680x0 architecture:
          MD5 checksum: 2e0d8152ec03a66bb88ba84215fe4de3
      PowerPC architecture:
          MD5 checksum: 16ad8c4a26436239e7a25260340be6d5
      Sun Sparc architecture:
          MD5 checksum: 2bd401a635eedc47e9f6dd1652f71e35
    Debian GNU/Linux Unstable alias woody
    - -------------------------------------
      This version of Debian is not yet released.
      Fixes will be made available for Alpha, ARM, Intel ia32, Motorola 680x0,
      PowerPC, and SPARC in the Debian archive over the next several days.
    - ----------------------------------------------------------------------------
    For apt-get: deb stable/updates main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.

    LinuxSecurity Poll

    How do you feel about the elimination of the terms 'blacklist' and 'slave' from the Linux kernel?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    [{"id":"112","title":"I strongly support this change - racially charged language should not be used in the code and documentation of the kernel and other open-source projects.","votes":"6","type":"x","order":"1","pct":18.75,"resources":[]},{"id":"113","title":"I'm indifferent - this small change will not affect broader issues of racial insensitivity and white privilege.","votes":"4","type":"x","order":"2","pct":12.5,"resources":[]},{"id":"114","title":"I'm opposed to this change - there is no need to change language that has been used for years. It doesn't make sense for people to take offense to terminology used in community projects.","votes":"22","type":"x","order":"3","pct":68.75,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.