Date: Sun, 02 Jan 2000 21:59:35 +0100 (CET)
From: Przemyslaw Frasunek <venglin@FreeBSD.lublin.pl>
To: Ole Pahl <op@pahl.net>, freebsd-bugs@freebsd.org, bugtraq@securityfocus.com
Subject: RE: Bug in recent versions of Vixie cron
Message-ID: <XFMail.000102215935.venglin@FreeBSD.lublin.pl>
In-Reply-To: <Pine.LNX.4.05.10001022010080.12566-100000@muschel.global-phun.net>

On 02-Jan-00 Ole Pahl wrote:
> I've just discovered a bug in Vixie cron allowing local users with access
> to their own crontabs to gain root access.
> Sendmail is called as root, thus allowing users to specify the -C option
> causing Sendmail to use a user-specified configuration file:

This bug has been known for about 6 months. The exploit is also widely accessible.

> This problem seems to be present in current versions of Vixie cron, e.g.
> those used in operating systems like FreeBSD 3.4-RC as well as certain
> Linux distributions such as SuSE Linux 6.2.

FreeBSD is and was NOT vulnerable to this problem.

---
* Fido: 2:480/124 ** WWW: http://www.FreeBSD.lublin.pl ** NIC-HDL: PMF9-RIPE *
* Inet: venglin@FreeBSD.lublin.pl ** PGP: D48684904685DF43 EA93AFA13BE170BF *