Date: Wed, 15 Jul 2020 17:55:34 +0300
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: Re: vixie-cron lost allow_error fix

Hi,

I must have missed this message, sorry about that.

On Wed, May 20, 2020 at 04:52:18PM +0200, Solar Designer wrote:
> Hi,
> 
> I recently learned that we inadvertently lost the fix for crontab's
> checking of /etc/cron.{allow,deny} files.  The issue was recently
> rediscovered and patched in Debian, and I went to check our code -
> finding that we no longer have the fix.  I think we lost it here:
> 
> * Mon Mar 14 2005 Solar Designer <solar-at-owl.openwall.com> 4.1.20040916-owl1
> - Applied many assorted corrections and cleanups.
> 
> * Sun Feb 20 2005 Juan M. Bello Rivas <jmbr-at-owl.openwall.com> 4.1.20040916-owl0.1
> - Updated to 4.1 as found in OpenBSD CVS snapshot dated 2004/09/16, with
> modifications by Jarno Huuskonen and Dmitry V. Levin.
> 
> Looks like I wasn't careful enough in reviewing Juan's work here.
> Not having this fix is a clear bug (not just missing hardening), because
> the crontab(1) man page explicitly says:
> 
> "If crontab is unable to read the files, users will not be allowed to
> use crontab."
> 
> which without that fix is false.
> 
> Dmitry, you might want to check ALT Linux's package and see if it needs
> the fix.  While you're at it, feel free to get it into Owl as well.  You
> even re-learned CVS recently for passwdqc 1.4.0, so may as well reuse
> this skill while it's not forgotten again. ;-)
> 
> https://twitter.com/solardiz/status/1227223685989388289
> 
> Looks like I had fixed this in Owl's package of Vixie Cron in 2000
> (before we released Owl publicly) by denying access on errors other than
> ENOENT, but we lost the fix in update to newer upstream (OpenBSD) code
> in 2005.  Oops.
> https://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/Attic/vixie-cron-3.0.2.7-owl-linux.diff.diff?r1=1.1;r2=1.2
> (search for "allow_error").
> 
> https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1813833
> https://git.launchpad.net/ubuntu/+source/cron/commit/?id=c0bed5493f4ce1d1e60d12c2e459d32ebcd433be

Yes, I confirm ALT's package also lost the fix in 2004.


-- 
ldv
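The check the thread is about, written out as an added example rather than code from Owl, ALT, Debian or upstream Vixie cron: the cron.allow/cron.deny lookup with the fail-closed handling Solar describes (deny on any error other than ENOENT) next to the lax behaviour that treats every fopen() failure as "file absent". Function names (user_allowed, user_allowed_lax, in_file, demo), the parameterised file paths and the constructed temp-directory scenario are this example's own; the default of allowing everyone when neither file exists is assumed to match an upstream Vixie build without ALLOW_ONLY_ROOT.

```c
/* Added example, not project code: cron.allow/cron.deny check that
 * fails closed on errors other than ENOENT, beside the lax variant. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum lookup { LK_FOUND, LK_NOT_FOUND, LK_NO_FILE, LK_ERROR };

/* Look USER up, one name per line, in PATH.  A missing file (ENOENT)
 * is distinguished from every other failure to open or read it. */
static enum lookup in_file(const char *path, const char *user)
{
    FILE *fp = fopen(path, "r");
    if (!fp)
        return errno == ENOENT ? LK_NO_FILE : LK_ERROR;

    char line[256];
    enum lookup r = LK_NOT_FOUND;
    while (fgets(line, sizeof line, fp)) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strcmp(line, user) == 0) {
            r = LK_FOUND;
            break;
        }
    }
    if (ferror(fp))            /* read error, e.g. EISDIR: treat as error */
        r = LK_ERROR;
    fclose(fp);
    return r;
}

/* Fixed check: cron.allow decides if present, else cron.deny, else
 * everyone is allowed (assumed upstream default).  Any error other
 * than ENOENT denies, which is what crontab(1) documents. */
int user_allowed(const char *allow_path, const char *deny_path, const char *user)
{
    switch (in_file(allow_path, user)) {
    case LK_FOUND:     return 1;
    case LK_NOT_FOUND: return 0;
    case LK_ERROR:     return 0;   /* unreadable allow file: deny */
    case LK_NO_FILE:   break;
    }
    switch (in_file(deny_path, user)) {
    case LK_FOUND:     return 0;
    case LK_NOT_FOUND: return 1;
    case LK_ERROR:     return 0;   /* unreadable deny file: deny */
    case LK_NO_FILE:   return 1;
    }
    return 0;
}

/* Lost-fix behaviour: every failure to open a file is treated as if
 * the file did not exist, so an unreadable cron.allow falls through
 * to cron.deny and then to "everyone allowed". */
int user_allowed_lax(const char *allow_path, const char *deny_path, const char *user)
{
    enum lookup a = in_file(allow_path, user);
    if (a == LK_FOUND || a == LK_NOT_FOUND)
        return a == LK_FOUND;
    enum lookup d = in_file(deny_path, user);
    if (d == LK_FOUND || d == LK_NOT_FOUND)
        return d != LK_FOUND;
    return 1;
}

static int write_file(const char *path, const char *contents)
{
    FILE *fp = fopen(path, "w");
    if (!fp)
        return -1;
    fputs(contents, fp);
    return fclose(fp);
}

/* Constructed scenario in a private temp directory.  Returns 0 when
 * every expectation holds, otherwise the number of the failed check. */
int demo(void)
{
    char dir[64], allow[96], deny[96], bad[96];
    snprintf(dir, sizeof dir, "/tmp/cronallow.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(allow, sizeof allow, "%s/cron.allow", dir);
    snprintf(deny, sizeof deny, "%s/cron.deny", dir);
    /* "<regular file>/x": fopen() fails with ENOTDIR, not ENOENT */
    snprintf(bad, sizeof bad, "%s/cron.deny/x", dir);

    int fail = 0;
    if (write_file(allow, "alice\n"))                      fail = 1;
    else if (user_allowed(allow, deny, "alice") != 1)      fail = 2;
    else if (user_allowed(allow, deny, "bob") != 0)        fail = 3;
    else if (unlink(allow))                                fail = 4;
    else if (write_file(deny, "bob\n"))                    fail = 5;
    else if (user_allowed(allow, deny, "alice") != 1)      fail = 6;
    else if (user_allowed(allow, deny, "bob") != 0)        fail = 7;
    /* unreadable allow file: fixed code denies, lax code lets alice in */
    else if (user_allowed(bad, deny, "alice") != 0)        fail = 8;
    else if (user_allowed_lax(bad, deny, "alice") != 1)    fail = 9;

    unlink(allow);
    unlink(deny);
    rmdir(dir);
    return fail;
}

int main(void)
{
    int r = demo();
    printf(r == 0 ? "all checks hold\n" : "check %d failed\n", r);
    return r != 0;
}
```

The ENOTDIR path in demo() stands in for whatever makes fopen() fail on a real system (fd exhaustion, an I/O error, a permission problem); the point of the fix is that only ENOENT may be read as "no policy file here", so that the man page's "users will not be allowed to use crontab" holds in every other case.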
