
CVE-2017-9525

Published: 9 June 2017

In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.

Priority

Low

CVSS 3 base score: 6.7

Status

Package: cron (Launchpad, Ubuntu, Debian)

Release    Status
artful     Ignored (reached end-of-life)
bionic     Released (3.0pl1-128.1ubuntu1.2)
cosmic     Ignored (reached end-of-life)
disco      Ignored (reached end-of-life)
eoan       Not vulnerable (3.0pl1-134ubuntu1)
focal      Not vulnerable (3.0pl1-134ubuntu1)
groovy     Not vulnerable (3.0pl1-134ubuntu1)
hirsute    Not vulnerable (3.0pl1-134ubuntu1)
impish     Not vulnerable (3.0pl1-134ubuntu1)
jammy      Not vulnerable (3.0pl1-134ubuntu1)
precise    Ignored (end of ESM support, was needed)
trusty     Needed
upstream   Released (3.0pl1-129)
xenial     Released (3.0pl1-128ubuntu2+esm2)
yakkety    Ignored (reached end-of-life)
zesty      Ignored (reached end-of-life)

Notes

Author: jj
This appears to be mitigated by kernel symlink restrictions. The crontabs dir has the sticky bit set
drwx-wx--T root crontab crontabs
which means symlinks within the dir must have the same uid as the target.
It is still possible that a cron package update could trigger this race.

Author: seth-arnold
I believe that actually _exploiting_ the bug requires updating the cron package. So long as there's no updates for cron, the vulnerable code doesn't run. So if we find a second bug in cron then we really should fix the race condition at the same time, but so long as we don't push a cron update, the vulnerable code just plain doesn't run.
The patch just narrows the time window for the race condition.
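
A pre-upgrade audit of the conditions discussed in the notes above, as an added example that is not part of this advisory or of the cron package: it reports whether the kernel symlink restriction and the sticky bit are in place, and lists any spool entry that is not a regular file, since those are what a chown or chmod run from the maintainer script could be redirected through. The function name `audit_cron_spool` and the default paths `/var/spool/cron/crontabs` and `/proc/sys/fs/protected_symlinks` are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory or the cron package.
# Run as root shortly before upgrading cron: the spool is not readable by others.

# audit_cron_spool [SPOOL_DIR] [SYSCTL_FILE]
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
# Default paths are assumptions for a Debian/Ubuntu system.
audit_cron_spool() {
    spool=${1:-/var/spool/cron/crontabs}
    sysctl_file=${2:-/proc/sys/fs/protected_symlinks}
    findings=0

    if [ ! -d "$spool" ]; then
        echo "ERROR $spool is not a directory"
        return 2
    fi

    # Condition 1 cited in the note: kernel symlink restrictions (1 = enabled).
    if [ "$(cat "$sysctl_file" 2>/dev/null)" != "1" ]; then
        echo "WARN symlink restrictions not enabled ($sysctl_file)"
        findings=$((findings + 1))
    fi

    # Condition 2 cited in the note: sticky bit on the crontabs directory.
    if [ ! -k "$spool" ]; then
        echo "WARN sticky bit missing on $spool"
        findings=$((findings + 1))
    fi

    # Independent of both conditions: a crontab spool should hold only
    # regular files, so list symlinks and any other object type.
    odd=$(find "$spool" -mindepth 1 -maxdepth 1 ! -type f 2>/dev/null || true)
    if [ -n "$odd" ]; then
        echo "FOUND non-regular entries in spool:"
        echo "$odd"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

A non-zero return before a cron upgrade is the signal to inspect the listed entries first, because the upgrade is when the maintainer script runs.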
