From owner-freebsd-security@FreeBSD.ORG  Tue Jul 18 12:23:14 2006
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@FreeBSD.ORG
Delivered-To: freebsd-security@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id ED37E16A4DE
	for <freebsd-security@FreeBSD.ORG>;
	Tue, 18 Jul 2006 12:23:14 +0000 (UTC)
	(envelope-from freebsd-security-local@be-well.ilk.org)
Received: from mail8.sea5.speakeasy.net (mail8.sea5.speakeasy.net
	[69.17.117.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 11D5643D77
	for <freebsd-security@FreeBSD.ORG>;
	Tue, 18 Jul 2006 12:23:10 +0000 (GMT)
	(envelope-from freebsd-security-local@be-well.ilk.org)
Received: (qmail 22579 invoked from network); 18 Jul 2006 12:23:10 -0000
Received: from dsl092-078-145.bos1.dsl.speakeasy.net (HELO be-well.ilk.org)
	([66.92.78.145])
	(envelope-sender <freebsd-security-local@be-well.ilk.org>)
	by mail8.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP
	for <freebsd-security@FreeBSD.ORG>; 18 Jul 2006 12:23:10 -0000
Received: by be-well.ilk.org (Postfix, from userid 1147)
	id 7FD0928449; Tue, 18 Jul 2006 08:23:09 -0400 (EDT)
To: freebsd-security@FreeBSD.ORG
References: <200607181158.k6IBwsZJ099625@lurza.secnetix.de>
From: Lowell Gilbert <freebsd-security-local@be-well.ilk.org>
Date: Tue, 18 Jul 2006 08:23:09 -0400
In-Reply-To: <200607181158.k6IBwsZJ099625@lurza.secnetix.de> (Oliver Fromme's
	message of "Tue, 18 Jul 2006 13:58:54 +0200 (CEST)")
Message-ID: <44ejwjrtjm.fsf@be-well.ilk.org>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: 
Subject: Re: Vulnerability in vixie cron?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2006 12:23:15 -0000

Oliver Fromme <olli@lurza.secnetix.de> writes:

> Recently there have been advisories and patches for
> SuSE and RedHat (and probably a few others) regarding
> a vulnerability in Vixie Cron.  The details say that
> there's insufficient checking of the return value of
> setuid, which can lead to priviledge escalation and
> lets users run cron jobs with root priviledges.
>
> As far as I know, FreBSD also uses Vixie Cron (at least
> the cron(8) manpage says so).  However, I haven't seen
> any FreeBSD advisory regarding this, so I wonder if
> FreeBSD's cron isn't affected for some reason?
>
> Any information would be appreciated.

It looks to me like this wasn't exploitable in a default configuration
anyway, but it was fixed on 1 June in HEAD and on 1 July in RELENG_6.

http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/cron/cron/do_command.c