Date: Tue, 18 Jul 2006 08:23:09 -0400
From: Lowell Gilbert <freebsd-security-local@be-well.ilk.org>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Vulnerability in vixie cron?
Message-ID: <44ejwjrtjm.fsf@be-well.ilk.org>
In-Reply-To: <200607181158.k6IBwsZJ099625@lurza.secnetix.de> (Oliver Fromme's message of "Tue, 18 Jul 2006 13:58:54 +0200 (CEST)")
References: <200607181158.k6IBwsZJ099625@lurza.secnetix.de>

Oliver Fromme <olli@lurza.secnetix.de> writes:

> Recently there have been advisories and patches for
> SuSE and RedHat (and probably a few others) regarding
> a vulnerability in Vixie Cron. The details say that
> there's insufficient checking of the return value of
> setuid, which can lead to privilege escalation and
> lets users run cron jobs with root privileges.
>
> As far as I know, FreeBSD also uses Vixie Cron (at least
> the cron(8) manpage says so). However, I haven't seen
> any FreeBSD advisory regarding this, so I wonder if
> FreeBSD's cron isn't affected for some reason?
>
> Any information would be appreciated.

It looks to me like this wasn't exploitable in a default
configuration anyway, but it was fixed on 1 June in HEAD and on
1 July in RELENG_6.

http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/cron/cron/do_command.c
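
The bug class named in the quoted text (an unchecked setuid return value), as an added example that is not part of this message and is not FreeBSD's or Vixie Cron's code: an unchecked call beside a checked one. The `setuid_fn` hook, the `failing_setuid` stub and `sample_job` are hypothetical names, introduced so the failure path can be run without root.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical hook type: lets the failure path be exercised without root. */
typedef int (*setuid_fn)(uid_t);

static int job_runs;                      /* counts how often the "job" ran */
static int sample_job(void) { job_runs++; return 0; }

/* Constructed stub: a setuid() that always fails with EAGAIN. */
static int failing_setuid(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

/* Unchecked pattern: a failed setuid() is ignored, so the job runs with
 * whatever credentials the caller still holds. */
static int run_job_unchecked(setuid_fn set_uid, uid_t uid, int (*job)(void))
{
    set_uid(uid);
    return job();
}

/* Checked pattern: refuse to run the job unless the uid change succeeded. */
static int run_job_checked(setuid_fn set_uid, uid_t uid, int (*job)(void))
{
    if (set_uid(uid) != 0) {
        fprintf(stderr, "setuid(%lu): %s, job not run\n",
                (unsigned long)uid, strerror(errno));
        return -1;
    }
    return job();
}

int main(void)
{
    uid_t me = getuid();                  /* setuid to our own uid succeeds */
    run_job_unchecked(failing_setuid, me, sample_job);
    printf("unchecked, failed setuid: job ran %d time(s)\n", job_runs);
    job_runs = 0;
    int rc = run_job_checked(failing_setuid, me, sample_job);
    printf("checked, failed setuid: rc=%d, job ran %d time(s)\n", rc, job_runs);
    rc = run_job_checked(setuid, me, sample_job);
    printf("checked, real setuid: rc=%d, job ran %d time(s)\n", rc, job_runs);
    return 0;
}
```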