rpms/cronie/F-12 cronie-CVE-2010-0424.patch, NONE, 1.1 cronie.spec, 1.31, 1.32

Marcela Mašláňová mmaslano at fedoraproject.org
Fri Feb 19 06:47:43 UTC 2010


Author: mmaslano

Update of /cvs/pkgs/rpms/cronie/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22356

Modified Files:
	cronie.spec 
Added Files:
	cronie-CVE-2010-0424.patch 
Log Message:
* Fri Feb 19 2010 Marcela Mašláňová <mmaslano at redhat.com> - 1.4.3-4
- 565809 CVE-2010-0424 Race condition by setting timestamp


cronie-CVE-2010-0424.patch:
 crontab.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- NEW FILE cronie-CVE-2010-0424.patch ---
>From dda8fcf99026db645fe7776dba49cf804e8ed370 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcela=20Ma=C5=A1l=C3=A1=C5=88ov=C3=A1?= <mmaslano at redhat.com>
Date: Wed, 17 Feb 2010 11:51:45 +0100
Subject: [PATCH] Race condition by setting timestamp of user's crontab file

When run as "crontab -e", crontab creates a temporary file in /tmp, copies the
contents of an existing crontab to this file, and then calls utime() on the
temporary file name to set its mtime and atime to 0, in order to check after
editing whether or not the file has been modified.
Since the file is created with the user's euid, and because utime is called on
the file as root, an attacker can replace the temporary file after it is
created with a symlink to any file or folder on disk, which will then have its
atime and mtime set to 0. This is certainly not a critical issue, but this
action can be used to deny service in many scenarios. For example, the cron
daemon checks the mtime of the crontab spool folder and its contents to
determine whether or not it needs to update its database of cronjobs, and if
these times are reset to 0, no new cronjobs will be added. Other daemons
relying on accurate timestamps may be similarly affected. Finally, build tools
such as make could be tricked into not re-compiling source, based on an old
timestamp.
Thanks to: Dan Rosenberg
---
 src/crontab.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/src/crontab.c b/src/crontab.c
index d39b8f2..d99cf24 100644
--- cronie-1.4.3/src/crontab.c.old
+++ cronie-1.4.3/src/crontab.c
@@ -436,10 +436,18 @@ static void edit_cmd(void) {
 		perror(Filename);
 		exit(ERROR_EXIT);
 	}
+        if (swap_uids() == -1) {
+                perror("swapping uids");
+                exit(ERROR_EXIT);
+        }
 	/* Set it to 1970 */
 	utimebuf.actime = 0;
 	utimebuf.modtime = 0;
 	utime(Filename, &utimebuf);
+	if (swap_uids_back() == -1) {
+		perror("swapping uids");
+		exit(ERROR_EXIT);
+	}
   again:
 	rewind(NewCrontab);
 	if (ferror(NewCrontab)) {
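Review bot: The return value of utime(Filename, &utimebuf) is still ignored between the two swaps. If the call fails while running as the user, the file keeps its real mtime and the later "was it modified" check can no longer be trusted; check the result and exit with perror(Filename), as the code just above the hunk does. The call is also still made by path, so a swapped symlink is followed with the user's privileges; setting the times through the descriptor behind NewCrontab would remove the dependence on the path altogether. Minor: the swap_uids() block is indented with spaces while the rest of the hunk uses tabs, and both perror() calls print the same string "swapping uids", so a failure does not say which direction failed.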
-- 
1.6.6.1



Index: cronie.spec
===================================================================
RCS file: /cvs/pkgs/rpms/cronie/F-12/cronie.spec,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -p -r1.31 -r1.32
--- cronie.spec	20 Jan 2010 14:15:06 -0000	1.31
+++ cronie.spec	19 Feb 2010 06:47:42 -0000	1.32
@@ -6,14 +6,15 @@
 Summary: Cron daemon for executing programs at set times
 Name: cronie
 Version: 1.4.3
-Release: 3%{?dist}
-License: MIT and BSD and GPLv2
+Release: 4%{?dist}
+License: MIT and BSD and GPLv2 and ISC
 Group: System Environment/Base
 URL: https://fedorahosted.org/cronie
 Source0: https://fedorahosted.org/releases/c/r/cronie/%{name}-%{version}.tar.gz
 Patch0: cronie-selinux_passwd.patch
 Patch1: cronie-pam.patch
 Patch2: NFShomes_cant_be_executed.patch
+Patch3: cronie-CVE-2010-0424.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 Requires: syslog, bash >= 2.0
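Review bot: The License tag gains "and ISC" in the same commit as the CVE fix, but neither the log message nor the new %changelog entry mentions it. Either record the license correction in the changelog or commit it separately, so the security update stays a single-purpose change.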
@@ -77,6 +78,7 @@ Old style of {hourly,daily,weekly,monthl
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 
@@ -199,6 +201,9 @@ cp -a /var/lock/subsys/crond /var/lock/s
 %attr(0644,root,root) %{_sysconfdir}/cron.d/dailyjobs
 
 %changelog
+* Fri Feb 19 2010 Marcela Mašláňová <mmaslano at redhat.com> - 1.4.3-4
+- 565809 CVE-2010-0424 Race condition by setting timestamp
+
 * Wed Jan 20 2010 Marcela Mašláňová <mmaslano at redhat.com> - 1.4.3-3
 - 554698  Cron jobs failing for some users with NFS mounted home directories
 



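The commit message describes a by-path utime() call that can be redirected once the temporary file name is replaced. The patch handles this by dropping privileges around the call; a different technique for the same class of race is to set and check the timestamps through the already-open descriptor. The following is an added example of that, not code from cronie or from this commit; the function names and the files under /tmp are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Set atime and mtime of the open file to the epoch. This acts on the inode
 * behind fd, so replacing the path afterwards cannot redirect it. */
static int reset_times_fd(int fd) {
    struct timespec ts[2] = { {0, 0}, {0, 0} };
    return futimens(fd, ts);
}

/* 1 if the open file was modified since the reset, 0 if not, -1 on error. */
static int was_modified_fd(int fd) {
    struct stat st;
    if (fstat(fd, &st) == -1)
        return -1;
    return st.st_mtime != 0;
}

/* Constructed scenario: after the temp file is opened, its name is replaced
 * by a symlink to a second file. Returns the second file's mtime after the
 * reset (expected: unchanged, so greater than 0), or -1 on any failure. */
static long demo_swap(void) {
    char tmp[] = "/tmp/fdtimes.XXXXXX", other[] = "/tmp/fdother.XXXXXX";
    int fd = mkstemp(tmp), ofd = mkstemp(other);
    struct stat st;
    long result = -1;
    if (fd != -1 && ofd != -1 &&
        unlink(tmp) == 0 && symlink(other, tmp) == 0 && /* name now points elsewhere */
        reset_times_fd(fd) == 0 &&                      /* still hits the original inode */
        was_modified_fd(fd) == 0 &&
        stat(other, &st) == 0)                          /* symlink target left untouched */
        result = (long)st.st_mtime;
    unlink(tmp);
    unlink(other);
    if (fd != -1) close(fd);
    if (ofd != -1) close(ofd);
    return result;
}

int main(void) {
    long m = demo_swap();
    printf("other file mtime after reset: %ld\n", m);
    return m > 0 ? 0 : 1;
}
```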