“By creating a crontab that runs with a specially formatted
‘MAILTO’ environment variable, it is possible for local users to
overflow a fixed-length buffer in the cron daemon’s cron_popen()
function. Since the cron daemon runs as root, it would be
theoretcially possible for local users to use this buffer overflow
to gain root privilege.”
Date: Wed, 25 Aug 1999 21:17:20 -0400
From: Bill Nottingham @redhat.com
To: redhat-watch-list@redhat.com
Red Hat, Inc. Security Advisory
Synopsis: Buffer overflow in cron daemon
Advisory ID: RHSA-1999:030-01
Issue date: 1999-08-25
Updated on:
Keywords: vixie-cron crond MAILTO
Cross references:
1. Topic:
A buffer overflow exists in crond, the cron daemon. This could
allow local users to gain privilege.
2. Bug IDs fixed (http://developer.redhat.com/bugzilla/):
4706
3. Relevant releases/architectures:
Red Hat Linux 4.2, 5.2, 6.0, all architectures
4. Obsoleted by:
5. Conflicts with:
6. RPMs required:
Red Hat Linux 4.2:
Intel:
rpm -Uvh
ftp://ftp.redhat.com/redhat/updates/4.2/i386/vixie-cron-3.0.1-36.4.2.i386.rpm
Alpha:
rpm -Uvh
ftp://ftp.redhat.com/redhat/updates/4.2/alpha/vixie-cron-3.0.1-36.4.2.alpha.rpm
Sparc:
rpm -Uvh
ftp://ftp.redhat.com/redhat/updates/4.2/sparc/vixie-cron-3.0.1-36.4.2.sparc.rpm
Source packages:
rpm -Uvh
ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/vixie-cron-3.0.1-36.4.2.src.rpm
Red Hat Linux 5.2:
Intel:
rpm -Uvh
ftp://ftp.redhat.com/redhat/updates/5.2/i386/vixie-cron-3.0.1-36.5.2.i386.rpm
Alpha:
rpm -Uvh
ftp://ftp.redhat.com/redhat/updates/5.2/alpha/vixie-cron-3.0.1-36.5.2.alpha.rpm
Sparc:
rpm -Uvh
ftp://ftp.redhat.com/redhat/updates/5.2/sparc/vixie-cron-3.0.1-36.5.2.sparc.rpm
Source packages:
rpm -Uvh
ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/vixie-cron-3.0.1-36.5.2.src.rpm
Red Hat Linux 6.0:
Intel:
rpm -Uvh
ftp://ftp.redhat.com/redhat/updates/6.0/i386/vixie-cron-3.0.1-37.i386.rpm
Alpha:
rpm -Uvh
ftp://ftp.redhat.com/redhat/updates/6.0/alpha/vixie-cron-3.0.1-37.alpha.rpm
Sparc:
rpm -Uvh
ftp://ftp.redhat.com/redhat/updates/6.0/sparc/vixie-cron-3.0.1-37.sparc.rpm
Source packages:
rpm -Uvh
ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/vixie-cron-3.0.1-37.src.rpm
7. Problem description:
By creating a crontab that runs with a specially formatted
‘MAILTO’ environment variable, it is possible for local users to
overflow a fixed-length buffer in the cron daemon’s cron_popen()
function. Since the cron daemon runs as root, it would be
theoretcially possible for local users to use this buffer overflow
to gain root privilege.
To the best of our knowledge, no known exploits exist at this
time.
Also, it was possible to use specially formatted ‘MAILTO’
environment variables to send commands to sendmail.
8. Solution:
For each RPM for your particular architecture, run:
rpm -Uvh
where filename is the name of the RPM.
9. Verification:
MD5 sum Package Name
a90bf7adbc719fdb5a8ed335fda32a3c i386/vixie-cron-3.0.1-36.4.2.i386.rpm
2b6b0b00cdeca0381ab2893ddf2f2bd1 alpha/vixie-cron-3.0.1-36.4.2.alpha.rpm
02d183979b594a7e7a9c1bc8566b2f16 sparc/vixie-cron-3.0.1-36.4.2.sparc.rpm
b8ac0c21e108ebd67925c224f7a0b82b SRPMS/vixie-cron-3.0.1-36.4.2.src.rpm
7df6884f0709b078d19f390db2a7e304 i386/vixie-cron-3.0.1-36.5.2.i386.rpm
b51b4ea612c4f5a59c1bb4e76af95eeb alpha/vixie-cron-3.0.1-36.5.2.alpha.rpm
5ceeb614442bd4d4ce8a9680664d77e4 sparc/vixie-cron-3.0.1-36.5.2.sparc.rpm
9f411cb3c7c1c53423eebc9d5f64619a SRPMS/vixie-cron-3.0.1-36.5.2.src.rpm
39bbedeade7dc6da6f0ab5acfb3af6da i386/vixie-cron-3.0.1-37.i386.rpm
addec82afbd131aef14fadf8cfb8ddcf alpha/vixie-cron-3.0.1-37.alpha.rpm
b56db77c411f72825efbffed43780213 sparc/vixie-cron-3.0.1-37.sparc.rpm
243d9099bdb94bd0d075de4da4dbba12 SRPMS/vixie-cron-3.0.1-37.src.rpm
These packages are PGP signed by Red Hat Inc. for security. Our
key is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm –checksig
If you only wish to verify that each package has not been
corrupted or tampered with, examine only the md5sum with the
following command:
rpm –checksig –nopgp
10. References:
Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.
LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.