CVE-2017-9525

Published: 09 June 2017

In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.

Priority

Low

CVSS 3 base score: 6.7

Status

Package: cron

Release: Status
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (3.0pl1-134ubuntu1)
Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (3.0pl1-134ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (3.0pl1-134ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 LTS (Xenial Xerus): Needed
Ubuntu 14.04 ESM (Trusty Tahr): Needed

Notes

Author: jj

This appears to be mitigated by kernel symlink restrictions. The
crontabs dir has the sticky bit set

    drwx-wx--T root crontab crontabs

which means symlinks within the dir must have the same uid as the
target.
It is still possible that a cron package update could trigger this race.

Author: seth-arnold

I believe that actually _exploiting_ the bug requires
updating the cron package. So long as there are no updates for cron,
the vulnerable code doesn't run. So if we find a second bug in
cron then we really should fix the race condition at the same
time, but so long as we don't push a cron update, the vulnerable
code just plain doesn't run.
The patch just narrows the time window for the race condition.
