From owner-freebsd-bugs Mon Dec 16 05:55:19 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA02634 for bugs-outgoing; Mon, 16 Dec 1996 05:55:19 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA02589; Mon, 16 Dec 1996 05:55:11 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id GAA06048; Mon, 16 Dec 1996 06:53:44 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id GAA07865; Mon, 16 Dec 1996 06:51:33 -0700 (MST)
Date: Mon, 16 Dec 1996 06:51:33 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Dmitry Valdov
cc: freebsd-bugs@freebsd.org, freebsd-security@freebsd.org
Subject: Re: crontab security hole
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 16 Dec 1996, Dmitry Valdov wrote:

> Hello!
>
> Are there any fixes for crontab? I've an exploit which allows any user to become
> root using the crontab security hole.
>
> Dmitry.
>

It was fixed in -stable the other day by pst. The patch, pulled from the CVS tree, follows.

Index: cron/database.c =================================================================== RCS file: /usr/cvs/src/usr.sbin/cron/cron/database.c,v retrieving revision 1.1.1.1 retrieving revision 1.1.1.1.6.1 diff -c -r1.1.1.1 -r1.1.1.1.6.1 *** database.c 1994/08/27 13:43:03 1.1.1.1 --- database.c 1996/12/15 20:37:47 1.1.1.1.6.1 *************** *** 112,119 **** if (dp->d_name[0] == '.') continue; ! (void) strcpy(fname, dp->d_name); ! sprintf(tabname, CRON_TAB(fname)); process_crontab(fname, fname, tabname, &statbuf, &new_db, old_db); --- 112,119 ---- if (dp->d_name[0] == '.') continue; ! (void)snprintf(fname, sizeof fname, "%s", dp->d_name); ! 
(void)snprintf(tabname, sizeof tabname, CRON_TAB(fname)); process_crontab(fname, fname, tabname, &statbuf, &new_db, old_db); Index: crontab/crontab.c =================================================================== RCS file: /usr/cvs/src/usr.sbin/cron/crontab/crontab.c,v retrieving revision 1.3.4.1 retrieving revision 1.3.4.2 diff -c -r1.3.4.1 -r1.3.4.2 *** crontab.c 1996/04/09 21:23:11 1.3.4.1 --- crontab.c 1996/12/15 20:37:59 1.3.4.2 *************** *** 17,23 **** *************** *** 167,173 **** ProgramName, optarg); exit(ERROR_EXIT); } ! (void) strcpy(User, optarg); break; case 'l': if (Option != opt_unknown) --- 167,173 ---- ProgramName, optarg); exit(ERROR_EXIT); } ! (void) snprintf(User, sizeof(user), "%s", optarg); break; case 'l': if (Option != opt_unknown) *************** *** 198,204 **** } else { if (argv[optind] != NULL) { Option = opt_replace; ! (void) strcpy (Filename, argv[optind]); } else { usage("file name must be specified for replace"); } --- 198,205 ---- } else { if (argv[optind] != NULL) { Option = opt_replace; ! (void) snprintf(Filename, sizeof(Filename), "%s", ! argv[optind]); } else { usage("file name must be specified for replace"); } *************** *** 480,486 **** ProgramName, Filename); goto done; default: ! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n"); goto fatal; } remove: --- 481,488 ---- ProgramName, Filename); goto done; default: ! fprintf(stderr, "%s: panic: bad switch() in replace_cmd()\n", ! ProgramName); goto fatal; } remove:
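Review bot: In the database.c hunk at line 112, the result of the fname snprintf() is discarded with a (void) cast, so a d_name longer than fname is silently truncated and the shortened name is then passed to process_crontab() as both of its first two arguments. Compare the return value with sizeof fname and `continue` past the entry on truncation instead of processing a name that no longer matches the directory entry. CRON_TAB(fname) also still sits in the format-string position of the second snprintf(); it is worth confirming from the macro's definition that the format it supplies is a literal and that fname only ever appears as an argument.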
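Review bot: In the crontab.c hunk at line 167, the bound is taken from sizeof(user) while the destination is User; unless an object named user of the same size is in scope, this either fails to compile or limits the copy by the wrong size. It should read snprintf(User, sizeof(User), "%s", optarg), matching the sizeof(Filename) form used in the hunk at line 198.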
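Review bot: In the crontab.c hunk at line 198, an over-long argv[optind] is cut to fit Filename with no error, so with Option already set to opt_replace the command goes on to work with a different path than the one the user typed. Check the snprintf() return value against sizeof(Filename) and call usage() or exit with ERROR_EXIT when the name does not fit, as the surrounding code already does for other bad arguments. The same check would suit the User copy in the hunk at line 167.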