Linux Today - Red Hat Security Advisory: Buffer overflow in cron daemon

search.internet.com

Become a Marketplace Partner

internet.commerce

Be a Commerce Partner

Linux Today
Enterprise Linux Today
Apache Today
JustLinux.com
Linux Planet
PHPBuilder
All Linux Devices

Technology Jobs

LinuxToday Newsletters

Subscribe News
Subscribe PR
Subscribe Security

internet.com

IT
Developer
Internet News
Small Business
Personal Technology

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

Current Newswire:

Amahi Linux Home Server 4.2

Matthias Ettrich Receives German Federal Cross of Merit

Using Windows Is Like...

Installing Ubuntu 9.10

Hands-on: OpenMoko WikiReader is simple, appealing

Perl far from dead, more popular than you think

Microsoft Exchange alternatives

Kubuntu 9.10: A Mixed Bag

Could Microsoft switch to Linux?

Red Hat Virtualization Manager for Windows Only?

UNIX System Administrator - SUN Solaris, Veritas, EMC, Shell Scripting, SAN (NYC)
Next Step Systems
US-NY-New York

Justtechjobs.com

Post A Job | Post A Resume

:Red Hat Security Advisory: Buffer overflow in cron daemon

Red Hat Security Advisory: Buffer overflow in cron daemon
Aug 26, 1999, 04 :45 UTC (0 Talkback[s]) (4764 reads)

"By creating a crontab that runs with a specially formatted 'MAILTO' environment variable, it is possible for local users to overflow a fixed-length buffer in the cron daemon's cron_popen() function. Since the cron daemon runs as root, it would be theoretcially possible for local users to use this buffer overflow to gain root privilege."

Date: Wed, 25 Aug 1999 21:17:20 -0400
From: Bill Nottingham @redhat.com
To: redhat-watch-list@redhat.com

Red Hat, Inc. Security Advisory

Synopsis: Buffer overflow in cron daemon
Advisory ID: RHSA-1999:030-01
Issue date: 1999-08-25
Updated on:
Keywords: vixie-cron crond MAILTO
Cross references:

1. Topic:

A buffer overflow exists in crond, the cron daemon. This could allow local users to gain privilege.

2. Bug IDs fixed (http://developer.redhat.com/bugzilla/):

4706

3. Relevant releases/architectures:

Red Hat Linux 4.2, 5.2, 6.0, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Red Hat Linux 4.2:

Intel:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/i386/vixie-cron-3.0.1-36.4.2.i386.rpm

Alpha:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/alpha/vixie-cron-3.0.1-36.4.2.alpha.rpm

Sparc:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/sparc/vixie-cron-3.0.1-36.4.2.sparc.rpm

Source packages:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/vixie-cron-3.0.1-36.4.2.src.rpm

Red Hat Linux 5.2:

Intel:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/i386/vixie-cron-3.0.1-36.5.2.i386.rpm

Alpha:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/alpha/vixie-cron-3.0.1-36.5.2.alpha.rpm

Sparc:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/sparc/vixie-cron-3.0.1-36.5.2.sparc.rpm

Source packages:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/vixie-cron-3.0.1-36.5.2.src.rpm

Red Hat Linux 6.0:

Intel:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/i386/vixie-cron-3.0.1-37.i386.rpm

Alpha:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/alpha/vixie-cron-3.0.1-37.alpha.rpm

Sparc:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/sparc/vixie-cron-3.0.1-37.sparc.rpm

Source packages:
rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/vixie-cron-3.0.1-37.src.rpm

7. Problem description:

By creating a crontab that runs with a specially formatted 'MAILTO' environment variable, it is possible for local users to overflow a fixed-length buffer in the cron daemon's cron_popen() function. Since the cron daemon runs as root, it would be theoretcially possible for local users to use this buffer overflow to gain root privilege.

To the best of our knowledge, no known exploits exist at this time.

Also, it was possible to use specially formatted 'MAILTO' environment variables to send commands to sendmail.

8. Solution:

For each RPM for your particular architecture, run:

rpm -Uvh

where filename is the name of the RPM.

9. Verification:

MD5 sum Package Name

a90bf7adbc719fdb5a8ed335fda32a3c  i386/vixie-cron-3.0.1-36.4.2.i386.rpm
2b6b0b00cdeca0381ab2893ddf2f2bd1  alpha/vixie-cron-3.0.1-36.4.2.alpha.rpm
02d183979b594a7e7a9c1bc8566b2f16  sparc/vixie-cron-3.0.1-36.4.2.sparc.rpm
b8ac0c21e108ebd67925c224f7a0b82b  SRPMS/vixie-cron-3.0.1-36.4.2.src.rpm

7df6884f0709b078d19f390db2a7e304  i386/vixie-cron-3.0.1-36.5.2.i386.rpm
b51b4ea612c4f5a59c1bb4e76af95eeb  alpha/vixie-cron-3.0.1-36.5.2.alpha.rpm
5ceeb614442bd4d4ce8a9680664d77e4  sparc/vixie-cron-3.0.1-36.5.2.sparc.rpm
9f411cb3c7c1c53423eebc9d5f64619a  SRPMS/vixie-cron-3.0.1-36.5.2.src.rpm

39bbedeade7dc6da6f0ab5acfb3af6da  i386/vixie-cron-3.0.1-37.i386.rpm
addec82afbd131aef14fadf8cfb8ddcf  alpha/vixie-cron-3.0.1-37.alpha.rpm
b56db77c411f72825efbffed43780213  sparc/vixie-cron-3.0.1-37.sparc.rpm
243d9099bdb94bd0d075de4da4dbba12  SRPMS/vixie-cron-3.0.1-37.src.rpm

These packages are PGP signed by Red Hat Inc. for security. Our key is available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp

10. References:

No talkbacks posted.

Home | Search Talkbacks | Customize View

Top of Page

Enter your comments below:

All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux, Apache and PHP

Search:

WebMediaBrands Corporate Info

Legal Notices, Licensing, Reprints, Permissions, Privacy Policy.
Advertise | Newsletters | Shopping | E-mail Offers | Freelance Jobs

Solutions

Whitepapers and eBooks

Adobe Article: Adobe Helps PHP Developers Create Rich Internet Applications
Adobe Article: Java Developers Finding a Home at Adobe Flex
IBM Articles: A Smarter Business Needs Smarter Technology
Intel Xeon Processor Increases Server Efficiency and Capabilities
Intel Tech Brief: Automated Energy Efficiency for the Intelligent Enterprise
Oracle Whitepaper: Using Oracle In-Memory Database Cache to Accelerate the Oracle Database
Oracle Whitepapers - Innovation for IT Leaders
Avaya Article: Communication-Enabled Mashups--Empowering Both Business Owners and IT
Internet.com eBook: IT Manager's Guide to Social Networking
Internet.com eBook: Get Ready for Windows 7
Microsoft Article: Expression Web 3--New Features for PHP Developers
Whitepapers: Manage Your Business Infrastracture with IBM
Whitepaper: Maximize Your Storage Investment with HP
Internet.com eBook: Becoming a Better Project Manager
Microsoft Article: Stress Free and Efficient Designer/Developer Collaboration
MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts

Webcast: Connecting PHP to Microsoft Technologies
Video: Microsoft Partner Program Benefits
Video: Windows Azure Debugging Tips
SAP BusinessObjects Webcast: Unlock the Power of Reporting with Crystal Reports
IBM Webcast: Speed Business Innovation with Reduced Cost and Risk
Video: Deploy Applications on Windows Azure
MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits

Downloads & Free Trials: Microsoft's New Efficiency Resource Center
Get the Windows 7 SDK
Free Trial: Red Gate SQL Backup Pro 6
Iron Speed Designer Application Generator
MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos

Virtual Lab: Migrating PHP Applications
Enabling Web Slices and Accelerators with a PHP Site
Internet.com Hot List: Get the Inside Scoop on the Hottest IT and Developer Products
All About Botnets
MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES