Security Advisory vixie-cron security update

Advisory: RHSA-2005:361-19
Type: Security Advisory
Severity: Low
Issued on: 2005-10-05
Last updated on: 2005-10-05
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2005-1038

Details

An updated vixie-cron package that fixes various bugs and a security issue
is now available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

The vixie-cron package contains the Vixie version of cron. Cron is a
standard UNIX daemon that runs specified programs at scheduled times.

A bug was found in the way vixie-cron installs new crontab files. It is
possible for a local attacker to execute the crontab command in such a way
that they can view the contents of another user's crontab file. The Common
Vulnerabilities and Exposures project assigned the name CAN-2005-1038 to
this issue.

Additionally, this update addresses the following issues:

o Fixed improper limits on filename and command line lengths
o Improved PAM access control conforming to EAL certification requirements
o Improved reliability when running in a chroot environment
o Mail recipient name checking disabled by default, can be re-enabled
o Added '-p' "permit all crontabs" option to disable crontab mode checking

All users of vixie-cron should upgrade to this updated package, which
contains backported patches and is not vulnerable to these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 4)
SRPMS:
vixie-cron-4.1-36.EL4.src.rpm
File outdated by:  RHBA-2009:0025		     e3fd76e5ba9887c8e11e1bc82d5fd485
 
IA-32:
vixie-cron-4.1-36.EL4.i386.rpm
File outdated by:  RHBA-2009:0025		     e8243ed213f8cfa5b50ac8f42a7ec9c7
 
x86_64:
vixie-cron-4.1-36.EL4.x86_64.rpm
File outdated by:  RHBA-2009:0025		     b3e6bbc02843e4e09d6488ab9c962cc2
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
vixie-cron-4.1-36.EL4.src.rpm
File outdated by:  RHBA-2009:0025		     e3fd76e5ba9887c8e11e1bc82d5fd485
 
IA-32:
vixie-cron-4.1-36.EL4.i386.rpm
File outdated by:  RHBA-2009:0025		     e8243ed213f8cfa5b50ac8f42a7ec9c7
 
IA-64:
vixie-cron-4.1-36.EL4.ia64.rpm
File outdated by:  RHBA-2009:0025		     97380fd176e344f7df2d40d8e47f954c
 
PPC:
vixie-cron-4.1-36.EL4.ppc.rpm
File outdated by:  RHBA-2009:0025		     2388e466c3e485de7b9e0a340d55d3b2
 
s390:
vixie-cron-4.1-36.EL4.s390.rpm
File outdated by:  RHBA-2009:0025		     85d62715dd6471e87b7bfbc14463c8bd
 
s390x:
vixie-cron-4.1-36.EL4.s390x.rpm
File outdated by:  RHBA-2009:0025		     14772968639ea37dc713e2f73e3292e0
 
x86_64:
vixie-cron-4.1-36.EL4.x86_64.rpm
File outdated by:  RHBA-2009:0025		     b3e6bbc02843e4e09d6488ab9c962cc2
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
vixie-cron-4.1-36.EL4.src.rpm
File outdated by:  RHBA-2009:0025		     e3fd76e5ba9887c8e11e1bc82d5fd485
 
IA-32:
vixie-cron-4.1-36.EL4.i386.rpm
File outdated by:  RHBA-2009:0025		     e8243ed213f8cfa5b50ac8f42a7ec9c7
 
IA-64:
vixie-cron-4.1-36.EL4.ia64.rpm
File outdated by:  RHBA-2009:0025		     97380fd176e344f7df2d40d8e47f954c
 
x86_64:
vixie-cron-4.1-36.EL4.x86_64.rpm
File outdated by:  RHBA-2009:0025		     b3e6bbc02843e4e09d6488ab9c962cc2
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
vixie-cron-4.1-36.EL4.src.rpm
File outdated by:  RHBA-2009:0025		     e3fd76e5ba9887c8e11e1bc82d5fd485
 
IA-32:
vixie-cron-4.1-36.EL4.i386.rpm
File outdated by:  RHBA-2009:0025		     e8243ed213f8cfa5b50ac8f42a7ec9c7
 
IA-64:
vixie-cron-4.1-36.EL4.ia64.rpm
File outdated by:  RHBA-2009:0025		     97380fd176e344f7df2d40d8e47f954c
 
x86_64:
vixie-cron-4.1-36.EL4.x86_64.rpm
File outdated by:  RHBA-2009:0025		     b3e6bbc02843e4e09d6488ab9c962cc2
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

147636 - cron fails to run user jobs and gives vague error message
154920 - CAN-2005-1038 vixie-cron information leak
159216 - vixie-cron updates for new audit system
163881 - Cron no longer allows read-only crontabs, enforces write access
163882 - cron fails with pam_access
163885 - crontab truncates file names greater than 100 characters.
163888 - CAN-2005-1038 vixie-cron information leak
163889 - [PATCH] List corruption when items are removed from /etc/cron.d


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1038
http://www.securityfocus.com/archive/1/395093

Keywords

cron, vixie-cron

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/