Date: Wed, 15 Jul 2020 17:55:34 +0300
From: "Dmitry V. Levin" <>
Subject: Re: vixie-cron lost allow_error fix


I must have missed this message, sorry about that.

On Wed, May 20, 2020 at 04:52:18PM +0200, Solar Designer wrote:
> Hi,
> I recently learned that we inadvertently lost the fix for crontab's
> checking of /etc/cron.{allow,deny} files.  The issue was recently
> rediscovered and patched in Debian, and I went to check our code -
> finding that we no longer have the fix.  I think we lost it here:
> * Mon Mar 14 2005 Solar Designer <> 4.1.20040916-owl1
> - Applied many assorted corrections and cleanups.
> * Sun Feb 20 2005 Juan M. Bello Rivas <> 4.1.20040916-owl0.1
> - Updated to 4.1 as found in OpenBSD CVS snapshot dated 2004/09/16, with
> modifications by Jarno Huuskonen and Dmitry V. Levin.
> Looks like I wasn't careful enough in reviewing Juan's work here.
> Not having this fix is a clear bug (not just missing hardening), because
> the crontab(1) man page explicitly says:
> "If crontab is unable to read the files, users will not be allowed to
> use crontab."
> which without that fix is false.
> Dmitry, you might want to check ALT Linux's package and see if it needs
> the fix.  While you're at it, feel free to get it into Owl as well.  You
> even re-learned CVS recently for passwdqc 1.4.0, so may as well reuse
> this skill while it's not forgotten again. ;-)
> Looks like I had fixed this in Owl's package of Vixie Cron in 2000
> (before we released Owl publicly) by denying access on errors other than
> ENOENT, but we lost the fix in update to newer upstream (OpenBSD) code
> in 2005.  Oops.
> (search for "allow_error").

Yes, I confirm ALT's package also lost the fix in 2004.
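
The behaviour discussed in this thread (deny access when /etc/cron.allow or /etc/cron.deny cannot be read for any reason other than ENOENT), sketched as an added example; this is not the Owl, ALT Linux, Debian or OpenBSD code. The names `in_file` and `crontab_allowed` and the `neither_default` parameter are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* 1 = user is listed, 0 = not listed, -1 = file could not be opened or
 * read (errno says why). */
static int in_file(const char *user, const char *path)
{
    char line[256];
    int found = 0, bol = 1;     /* bol: at the beginning of a line */
    FILE *fp = fopen(path, "r");

    if (fp == NULL)
        return -1;              /* errno set by fopen() (POSIX) */
    while (!found && fgets(line, sizeof line, fp) != NULL) {
        size_t n = strcspn(line, "\n");
        int eol = (line[n] == '\n');
        line[n] = '\0';
        /* Whole lines only: pieces of an over-long line never match. */
        found = bol && (eol || feof(fp)) && strcmp(line, user) == 0;
        bol = eol;
    }
    if (ferror(fp))
        found = -1;
    fclose(fp);
    if (found < 0)
        errno = EIO;            /* read error: report as non-ENOENT */
    return found;
}

/* 1 = may use crontab, 0 = may not. neither_default is the site policy
 * for the case where neither file exists (assumed parameter). */
int crontab_allowed(const char *user, const char *allow_path,
                    const char *deny_path, int neither_default)
{
    int r = in_file(user, allow_path);
    if (r >= 0)
        return r;               /* allow file readable: must be listed */
    if (errno != ENOENT)
        return 0;               /* exists but unusable: fail closed */
    r = in_file(user, deny_path);
    if (r >= 0)
        return !r;              /* deny file readable: must not be listed */
    if (errno != ENOENT)
        return 0;               /* fail closed here as well */
    return neither_default;
}
```

Without the two `errno != ENOENT` checks, an unreadable cron.allow is treated like a missing one and the check falls through to cron.deny or the site default, which contradicts the man page sentence quoted above.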

