CVE-2017-9525

Published: 9 June 2017

In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.
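Path-based `chown`/`chmod` calls resolve the name again on every invocation, which is what makes a symlink swap in a directory writable by another principal dangerous. The C sketch below is an added example, not the cron postinst script or the upstream patch: it opens the entry once with `O_NOFOLLOW` and changes owner and mode through the descriptor. `fix_entry` and its parameters are hypothetical names, and Linux behaviour (`ELOOP` on a symlink) is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from the cron package): set owner, group and mode
 * of entry `name` in the directory open at `dirfd`, refusing symlinks.
 * Returns 0 on success, -1 with errno set otherwise. */
int fix_entry(int dirfd, const char *name, uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    int saved;
    /* O_NOFOLLOW: a symlink as the final component fails with ELOOP.
     * O_NONBLOCK: opening a planted FIFO cannot block the caller. */
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* From here on every call acts on the opened object, so swapping the
     * directory entry afterwards cannot redirect chown/chmod. */
    if (fstat(fd, &st) != 0)
        goto fail;
    if (!S_ISREG(st.st_mode)) {
        errno = EINVAL;
        goto fail;
    }
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, mode) != 0)
        goto fail;
    close(fd);
    return 0;
fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* Usage: fix_entry <directory> <entry>; keeps the caller's uid/gid, mode 0600. */
int main(int argc, char **argv)
{
    if (argc != 3)
        return 2;
    int dirfd = open(argv[1], O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0 || fix_entry(dirfd, argv[2], getuid(), getgid(), 0600) != 0) {
        perror("fix_entry");
        return 1;
    }
    return 0;
}
```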

Notes

Author: jj
This appears to be mitigated by kernel symlink restrictions. The crontabs dir has the sticky bit set

    drwx-wx--T root crontab crontabs

which means symlinks within the dir must have the same uid as the target.
It is still possible that a cron package update could trigger this race.

Author: seth-arnold
I believe that actually _exploiting_ the bug requires updating the cron package. So long as there's no updates for cron, the vulnerable code doesn't run. So if we find a second bug in cron then we really should fix the race condition at the same time, but so long as we don't push a cron update, the vulnerable code just plain doesn't run.
The patch just narrows the time window for the race condition.

Priority

Low

CVSS 3 base score: 6.7

Status

Package: cron (Launchpad, Ubuntu, Debian)

Release    Status
artful     Ignored (reached end-of-life)
bionic     Released (3.0pl1-128.1ubuntu1.2)
cosmic     Ignored (reached end-of-life)
disco      Ignored (reached end-of-life)
eoan       Not vulnerable (3.0pl1-134ubuntu1)
focal      Not vulnerable (3.0pl1-134ubuntu1)
groovy     Not vulnerable (3.0pl1-134ubuntu1)
hirsute    Not vulnerable (3.0pl1-134ubuntu1)
impish     Not vulnerable (3.0pl1-134ubuntu1)
jammy      Not vulnerable (3.0pl1-134ubuntu1)
kinetic    Not vulnerable (3.0pl1-134ubuntu1)
precise    Ignored (end of ESM support, was needed)
trusty     Needed
upstream   Released (3.0pl1-129)
xenial     Released (3.0pl1-128ubuntu2+esm2)
yakkety    Ignored (reached end-of-life)
zesty      Ignored (reached end-of-life)

Patches:
upstream: https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af
upstream: https://salsa.debian.org/debian/cron/-/commit/230478512cc82d879d727f6dfc18040bdd48c9d9