Message-ID: <20200715145534.GA21151@altlinux.org>
Date: Wed, 15 Jul 2020 17:55:34 +0300
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: Re: vixie-cron lost allow_error fix
Hi,
I must have missed this message, sorry about that.
On Wed, May 20, 2020 at 04:52:18PM +0200, Solar Designer wrote:
> Hi,
>
> I recently learned that we inadvertently lost the fix for crontab's
> checking of /etc/cron.{allow,deny} files. The issue was recently
> rediscovered and patched in Debian, and I went to check our code -
> finding that we no longer have the fix. I think we lost it here:
>
> * Mon Mar 14 2005 Solar Designer <solar-at-owl.openwall.com> 4.1.20040916-owl1
> - Applied many assorted corrections and cleanups.
>
> * Sun Feb 20 2005 Juan M. Bello Rivas <jmbr-at-owl.openwall.com> 4.1.20040916-owl0.1
> - Updated to 4.1 as found in OpenBSD CVS snapshot dated 2004/09/16, with
> modifications by Jarno Huuskonen and Dmitry V. Levin.
>
> Looks like I wasn't careful enough in reviewing Juan's work here.
> Not having this fix is a clear bug (not just missing hardening), because
> the crontab(1) man page explicitly says:
>
> "If crontab is unable to read the files, users will not be allowed to
> use crontab."
>
> which without that fix is false.
>
> Dmitry, you might want to check ALT Linux's package and see if it needs
> the fix. While you're at it, feel free to get it into Owl as well. You
> even re-learned CVS recently for passwdqc 1.4.0, so may as well reuse
> this skill while it's not forgotten again. ;-)
>
> https://twitter.com/solardiz/status/1227223685989388289
>
> Looks like I had fixed this in Owl's package of Vixie Cron in 2000
> (before we released Owl publicly) by denying access on errors other than
> ENOENT, but we lost the fix in update to newer upstream (OpenBSD) code
> in 2005. Oops.
> https://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/Attic/vixie-cron-3.0.2.7-owl-linux.diff.diff?r1=1.1;r2=1.2
> (search for "allow_error").
>
> https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1813833
> https://git.launchpad.net/ubuntu/+source/cron/commit/?id=c0bed5493f4ce1d1e60d12c2e459d32ebcd433be
Yes, I confirm ALT's package also lost the fix in 2004.
--
ldv
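The check this thread is about, as an added example that is not vixie-cron's, Owl's or ALT's code: crontab(1) consults /etc/cron.allow and then /etc/cron.deny, and the lost "allow_error" fix is the difference between treating an unopenable list file like a missing one and denying access on any error other than ENOENT. Everything below is assumed for illustration: the list files are temporary files under /tmp rather than /etc, the default when neither file exists is taken to be "allow", a regular file used as a directory component (ENOTDIR) stands in for "an error other than ENOENT", and all function and scenario names are made up here.

```c
/* Added example, not vixie-cron's or Owl's code.  Paths, the default
 * policy and all helper names are assumptions made for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum list_result {
    LIST_ABSENT,     /* fopen failed with ENOENT: the file does not exist */
    LIST_HAS_USER,   /* file exists and names the user */
    LIST_LACKS_USER, /* file exists and does not name the user */
    LIST_ERROR       /* fopen or a read failed for a reason other than ENOENT */
};

/* Look up `user`, one name per line, in the list file at `path`. */
static enum list_result lookup_user(const char *path, const char *user)
{
    char line[256];
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return errno == ENOENT ? LIST_ABSENT : LIST_ERROR;
    enum list_result r = LIST_LACKS_USER;
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strcmp(line, user) == 0) { r = LIST_HAS_USER; break; }
    }
    if (r == LIST_LACKS_USER && ferror(fp))
        r = LIST_ERROR;
    fclose(fp);
    return r;
}

/* crontab(1) policy: if cron.allow exists, only listed users may use crontab;
 * otherwise, if cron.deny exists, listed users may not; if neither exists,
 * `default_allow` decides.  With strict == 0 a list file that cannot be opened
 * is treated like a missing one (the behaviour once the fix was lost); with
 * strict != 0 such an error denies access, which is what the man page promises. */
int crontab_allowed(const char *allow_path, const char *deny_path,
                    const char *user, int default_allow, int strict)
{
    enum list_result r = lookup_user(allow_path, user);
    if (r == LIST_ERROR && strict)
        return 0;
    if (r == LIST_HAS_USER || r == LIST_LACKS_USER)
        return r == LIST_HAS_USER;
    r = lookup_user(deny_path, user);
    if (r == LIST_ERROR && strict)
        return 0;
    if (r == LIST_HAS_USER || r == LIST_LACKS_USER)
        return r == LIST_LACKS_USER;
    return default_allow;
}

/* Create a temporary list file holding `contents` (constructed test data) and
 * return its malloc'd path; contents == NULL yields a path that does not exist. */
static char *make_list(const char *contents)
{
    char *path = strdup("/tmp/cron-list-XXXXXX");
    int fd = path ? mkstemp(path) : -1;
    if (fd < 0) { free(path); return NULL; }
    if (contents == NULL)
        unlink(path);
    else if (write(fd, contents, strlen(contents)) != (ssize_t)strlen(contents)) {
        close(fd); unlink(path); free(path); return NULL;
    }
    close(fd);
    return path;
}

enum scenario {
    SC_LISTED_IN_ALLOW,  /* cron.allow names alice */
    SC_NOT_IN_ALLOW,     /* cron.allow exists but names only root */
    SC_LISTED_IN_DENY,   /* no cron.allow; cron.deny names alice */
    SC_NO_FILES,         /* neither file exists */
    SC_UNREADABLE_ALLOW  /* cron.allow cannot be opened, and not because it is missing */
};

/* Returns 1 if "alice" may use crontab, 0 if not, -1 if test setup failed. */
int decide(enum scenario sc, int strict)
{
    const int default_allow = 1;  /* assumed build default when no list file exists */
    char *allow = make_list(NULL), *deny = make_list(NULL);  /* both absent at first */
    char unreadable[512];
    int result = -1;

    switch (sc) {
    case SC_LISTED_IN_ALLOW: free(allow); allow = make_list("root\nalice\n"); break;
    case SC_NOT_IN_ALLOW:    free(allow); allow = make_list("root\n"); break;
    case SC_LISTED_IN_DENY:  free(deny);  deny = make_list("alice\n"); break;
    case SC_NO_FILES:        break;
    case SC_UNREADABLE_ALLOW:
        /* A regular file used as a directory component: fopen() fails with
         * ENOTDIR, one of the "errors other than ENOENT" the fix denies on. */
        free(allow); allow = make_list("a file, not a directory\n"); break;
    }
    if (allow != NULL && deny != NULL) {
        const char *allow_path = allow;
        if (sc == SC_UNREADABLE_ALLOW) {
            snprintf(unreadable, sizeof unreadable, "%s/cron.allow", allow);
            allow_path = unreadable;
        }
        result = crontab_allowed(allow_path, deny, "alice", default_allow, strict);
    }
    if (allow) { unlink(allow); free(allow); }
    if (deny)  { unlink(deny);  free(deny);  }
    return result;
}

int main(void)
{
    static const char *names[] = { "listed in cron.allow", "not in cron.allow",
        "listed in cron.deny", "no files", "cron.allow unreadable (ENOTDIR)" };
    for (int sc = SC_LISTED_IN_ALLOW; sc <= SC_UNREADABLE_ALLOW; sc++)
        printf("%-32s lenient=%d strict=%d\n", names[sc],
               decide((enum scenario)sc, 0), decide((enum scenario)sc, 1));
    return 0;
}
```

The four ordinary scenarios decide the same way under both policies; only the unreadable cron.allow differs, where the lenient code falls through to a non-existent cron.deny and ends up allowing a user the administrator may have meant to exclude, while the strict code refuses.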