Message-ID: <19990827080158.A15699@lucky.net>
Date: Fri, 27 Aug 1999 08:01:58 +0300
From: Alexandre Snarskii
To: Brian Tao, FREEBSD-SECURITY
Subject: Re: Buffer overflow in vixie cron?

On Thu, Aug 26, 1999 at 11:58:38PM -0400, Brian Tao wrote:
> RedHat published a security advisory for the version of vixie-cron
> included in RH 4.2, 5.2 and 6.0 today. Is our version also
> vulnerable? I haven't seen the diffs yet, but it is in the
> cron_popen() call in /usr/src/usr.sbin/cron/cron/popen.c .

That bug is not from cron_popen(), but from the parameters to that call.
Really, in classic vixie cron there was a chance to prepare _any_ command
string to execute. FreeBSD has not been vulnerable since 1995 (2.0.5-alpha)

( cite from:
http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/cron/cron/do_command.c )

1.4 Fri Apr 14 21:54:18 1995 UTC by ache
CVS Tags: RELENG_2_0_5_ALPHA
Diffs to 1.3

Fix MAILTO hole by passing -t to sendmail
Submitted by: Mike Pritchard
_________________________________________________________________
1.3 Thu Apr 13 20:58:13 1995 UTC by ache
Diffs to 1.2

Really fix MAILTO hole by parsing spaces.
Remove local bitstring copy
_________________________________________________________________
1.2 Wed Apr 12 18:57:37 1995 UTC by ache
Diffs to 1.1

Close MAILTO security hole

--
Alexander Snarskii
the source code is included.
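
A simplified model of the point made in the message above, added here as an example; it is not code from FreeBSD cron or from the original post. It assumes the mailer command string is split on whitespace into argv without a shell; the function names, the shortened sendmail command line and the sample MAILTO values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16

/* Split a command string on whitespace into argv, the way a popen()-style
 * helper that execs the program directly (no shell) would. Returns argc. */
static int split_args(char *cmd, char *argv[MAX_ARGS]) {
    int argc = 0;
    for (char *tok = strtok(cmd, " \t\n"); tok && argc < MAX_ARGS - 1;
         tok = strtok(NULL, " \t\n"))
        argv[argc++] = tok;
    argv[argc] = NULL;
    return argc;
}

/* Unsafe pattern: the MAILTO value is interpolated into the command string,
 * so whitespace inside it turns into additional mailer arguments. */
static int argc_unsafe(const char *mailto) {
    char cmd[256], *argv[MAX_ARGS];
    snprintf(cmd, sizeof cmd, "sendmail -odi %s", mailto);
    return split_args(cmd, argv);
}

/* Fixed pattern: the command line is constant and ends in -t, so the mailer
 * reads the recipient from the To: header written to its stdin. Values that
 * are empty or contain whitespace are refused. Returns argc, or -1. */
static int argc_fixed(const char *mailto, char *hdr, size_t hdrlen) {
    char cmd[] = "sendmail -odi -t", *argv[MAX_ARGS];
    if (mailto[0] == '\0' || strpbrk(mailto, " \t\r\n") != NULL)
        return -1;
    snprintf(hdr, hdrlen, "To: %s\n", mailto);
    return split_args(cmd, argv);
}

int main(void) {
    char hdr[128];
    const char *crafted = "alice --constructed-extra-option"; /* constructed */
    printf("unsafe, plain:   argc=%d\n", argc_unsafe("alice"));
    printf("unsafe, crafted: argc=%d\n", argc_unsafe(crafted));
    printf("fixed, plain:    argc=%d\n", argc_fixed("alice", hdr, sizeof hdr));
    printf("fixed, crafted:  argc=%d\n", argc_fixed(crafted, hdr, sizeof hdr));
    return 0;
}
```

With the fixed pattern the argument vector is the same for every job; the user-controlled value only ever appears as message data.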