blob: 65fc90ec54e5defe7f17ab75573bac12c789d35e [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200704-11">
<title>Vixie Cron: Denial of Service</title>
The Gentoo implementation of Vixie Cron is vulnerable to a local Denial of
<product type="ebuild">vixie-cron</product>
<announced>April 16, 2007</announced>
<revised>April 16, 2007: 01</revised>
<package name="sys-process/vixie-cron" auto="yes" arch="*">
<unaffected range="ge">4.1-r10</unaffected>
<vulnerable range="lt">4.1-r10</vulnerable>
Vixie Cron is a command scheduler with extended syntax over cron.
During an internal audit, Raphael Marichez of the Gentoo Linux Security
Team found that Vixie Cron has weak permissions set on Gentoo, allowing
for a local user to create hard links to system and users cron files,
while a st_nlink check in database.c will generate a superfluous error.
<impact type="low">
Depending on the partitioning scheme and the "cron" group membership, a
malicious local user can create hard links to system or users cron
files that will trigger the st_link safety check and prevent the
targeted cron file from being run from the next restart or database
There is no known workaround at this time.
All Vixie Cron users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=sys-process/vixie-cron-4.1-r10&quot;</code>
<uri link="">CVE-2007-1856</uri>
<metadata tag="requester" timestamp="Fri, 13 Apr 2007 15:58:28 +0000">
<metadata tag="submitter" timestamp="Fri, 13 Apr 2007 21:36:24 +0000">
<metadata tag="bugReady" timestamp="Mon, 16 Apr 2007 18:10:18 +0000">