Date: Mon, 16 Dec 1996 06:51:33 -0700 (MST) From: Marc Slemko <marcs@znep.com> To: Dmitry Valdov <dv@kis.ru> Cc: freebsd-bugs@freebsd.org, freebsd-security@freebsd.org Subject: Re: crontab security hole Message-ID: <Pine.BSF.3.95.961216064624.7792B-100000@alive.ampr.ab.ca> In-Reply-To: <Pine.FBSD.3.95.961216110312.12040B-100000@xkis.kis.ru>
On Mon, 16 Dec 1996, Dmitry Valdov wrote:
> Hello!
>
> Are there any fixes for crontab? I have an exploit which allows any user to become
> root using the crontab security hole.
>
> Dmitry.
>
It was fixed in -stable the other day by pst. The patch, pulled
from the CVS tree, follows.
Index: cron/database.c
===================================================================
RCS file: /usr/cvs/src/usr.sbin/cron/cron/database.c,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.6.1
diff -c -r1.1.1.1 -r1.1.1.1.6.1
*** database.c 1994/08/27 13:43:03 1.1.1.1
--- database.c 1996/12/15 20:37:47 1.1.1.1.6.1
***************
*** 112,119 ****
if (dp->d_name[0] == '.')
continue;
! (void) strcpy(fname, dp->d_name);
! sprintf(tabname, CRON_TAB(fname));
process_crontab(fname, fname, tabname,
&statbuf, &new_db, old_db);
--- 112,119 ----
if (dp->d_name[0] == '.')
continue;
! (void)snprintf(fname, sizeof fname, "%s", dp->d_name);
! (void)snprintf(tabname, sizeof tabname, CRON_TAB(fname));
process_crontab(fname, fname, tabname,
&statbuf, &new_db, old_db);
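Review bot: Both added snprintf() calls discard their return value, so a directory entry name that does not fit in `fname` is silently truncated, and process_crontab() is then called with a shortened name that could match a different user's entry. Truncation should be treated as an error and the entry skipped, e.g. `if ((size_t)snprintf(fname, sizeof fname, "%s", dp->d_name) >= sizeof fname) continue;`, with the same test applied to `tabname`. The same unchecked truncation applies to the `Filename` copy in the crontab.c hunk at 198,205, where a shortened path would name a different file than the one the user gave. The enclosing loop and function, and the declarations that fix the sizes of `fname` and `tabname`, are outside this hunk.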
Index: crontab/crontab.c
===================================================================
RCS file: /usr/cvs/src/usr.sbin/cron/crontab/crontab.c,v
retrieving revision 1.3.4.1
retrieving revision 1.3.4.2
diff -c -r1.3.4.1 -r1.3.4.2
*** crontab.c 1996/04/09 21:23:11 1.3.4.1
--- crontab.c 1996/12/15 20:37:59 1.3.4.2
***************
*** 17,23 ****
***************
*** 167,173 ****
ProgramName, optarg);
exit(ERROR_EXIT);
}
! (void) strcpy(User, optarg);
break;
case 'l':
if (Option != opt_unknown)
--- 167,173 ----
ProgramName, optarg);
exit(ERROR_EXIT);
}
! (void) snprintf(User, sizeof(user), "%s", optarg);
break;
case 'l':
if (Option != opt_unknown)
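Review bot: The size argument in the added line is `sizeof(user)` while the destination buffer is `User`. C identifiers are case-sensitive, so this either fails to compile or bounds the copy by the size of an unrelated object, which would not reliably prevent an overflow of `User` from an over-long `-u` argument. The line should read `(void) snprintf(User, sizeof(User), "%s", optarg);`, assuming `User` is an array, as the old `strcpy` into it suggests. Its declaration is outside the hunk, and if it were a pointer, `sizeof` would yield only the pointer size. The option-parsing switch this line belongs to starts and ends outside the hunk.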
***************
*** 198,204 ****
} else {
if (argv[optind] != NULL) {
Option = opt_replace;
! (void) strcpy (Filename, argv[optind]);
} else {
usage("file name must be specified for replace");
}
--- 198,205 ----
} else {
if (argv[optind] != NULL) {
Option = opt_replace;
! (void) snprintf(Filename, sizeof(Filename), "%s",
! argv[optind]);
} else {
usage("file name must be specified for replace");
}
***************
*** 480,486 ****
ProgramName, Filename);
goto done;
default:
! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n");
goto fatal;
}
remove:
--- 481,488 ----
ProgramName, Filename);
goto done;
default:
! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n",
! ProgramName);
goto fatal;
}
remove:
