| Summary: | cronie new security issues CVE-2019-970[45] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, marja11, shlomif, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | cronie-1.5.1-1.mga6.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 1.5.3 | ||
|
Description
David Walser
2019-03-28 21:03:15 CET
David Walser
2019-03-28 21:23:38 CET
Status comment: (none) => Fixed upstream in 1.5.3

Assigning to our registered cronie maintainer.

CC: (none) => marja11

submitted updated 1.5.2 pkg to core6/updates-testing.

Advisory:
========================

Updated cronie packages fix security vulnerabilities:

Cronie before 1.5.3 allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked (CVE-2019-9704).

Cronie before 1.5.3 allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted (CVE-2019-9705).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9705
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6DU7HAUAQR4E4AEBPYLUV6FZ4PHKH6A2/
========================

Updated packages in core/updates_testing:
========================
cronie-1.5.4-1.mga6
cronie-anacron-1.5.4-1.mga6

from cronie-1.5.4-1.mga6.src.rpm

CC: (none) => shlomif

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
# systemctl stop crond
# systemctl start crond
# systemctl -l status crond
● crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
Active: active (running) since vr 2019-04-19 11:43:12 CEST; 4s ago
Main PID: 27108 (crond)
CGroup: /system.slice/crond.service
├─19657 /usr/sbin/anacron -s
└─27108 /usr/sbin/crond -n
apr 19 11:43:12 mach6.hviaene.thuis systemd[1]: Started Command Scheduler.
apr 19 11:43:12 mach6.hviaene.thuis crond[27108]: (CRON) STARTUP (1.5.4)
apr 19 11:43:12 mach6.hviaene.thuis crond[27108]: (CRON) INFO (RANDOM_DELAY will be scaled with fa
apr 19 11:43:12 mach6.hviaene.thuis crond[27108]: (CRON) INFO (running with inotify support)
apr 19 11:43:12 mach6.hviaene.thuis crond[27108]: (CRON) INFO (@reboot jobs will be run at compute
# anacron -V
Anacron from project cronie 1.5.4
Copyright (C) 1998 Itai Tzur <itzur@actcom.co.il>
Copyright (C) 1999 Sean 'Shaleh' Perry <shaleh@debian.org>
Copyright (C) 2004 Pascal Hakim <pasc@redellipse.net>
Mail comments, suggestions and bug reports to <pasc@redellipse.net>.
Looks OK

CC: (none) => herman.viaene

Installed and tested without issue.
System: Mageia 6, x86_64, Intel CPU.
Seems to be working correctly, at least for the hourly cron jobs.
$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep cronie
cronie-anacron-1.5.4-1.mga6
cronie-1.5.4-1.mga6
$ systemctl status crond
● crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
Active: active (running) since Dom 2019-04-28 10:22:43 WEST; 2min 11s ago
Main PID: 4983 (crond)
CGroup: /system.slice/crond.service
├─4108 /usr/sbin/anacron -s
├─4120 /usr/lib64/sa/sadc -F -L 600 6 /var/log/sa
└─4983 /usr/sbin/crond -n
Abr 28 10:22:43 marte crond[4983]: (CRON) STARTUP (1.5.4)
Abr 28 10:22:43 marte systemd[1]: Started Command Scheduler.
Abr 28 10:22:43 marte crond[4983]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 53% if used.)
Abr 28 10:22:43 marte crond[4983]: (CRON) INFO (running with inotify support)
Abr 28 10:22:43 marte crond[4983]: (CRON) INFO (@reboot jobs will be run at computer's startup.)

CC: (none) => mageia

Looks good, then. Validating. Suggested advisory in Comment 3.

Keywords: (none) => validated_update
Thomas Backlund
2019-05-12 09:52:21 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0157.html

Status: NEW => RESOLVED
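
The two defects named in the advisory in this report (a `calloc` result that is never checked, and a crontab accepted with no limit on its number of lines) both sit in the table-loading step, and the hardened shape of that step is sketched below. This is an added example, not cronie's code or its upstream fix; `load_table`, `alloc_fn`, `failing_alloc` and the `MAX_ENTRIES` value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 1000  /* assumed cap for this sketch, not a value from the page */

typedef struct entry { struct entry *next; char *line; } entry;
typedef void *(*alloc_fn)(size_t, size_t);  /* calloc-compatible; hypothetical hook */

/* Stand-in for an out-of-memory condition: fails the way calloc can. */
void *failing_alloc(size_t n, size_t size) { (void)n; (void)size; return NULL; }

void free_entries(entry *e) {
    while (e) { entry *next = e->next; free(e->line); free(e); e = next; }
}

size_t count_entries(const entry *e) {
    size_t n = 0;
    for (; e; e = e->next) n++;
    return n;
}

/* Load the non-empty, non-comment lines of a crontab-like text into a list
 * (most recent line first). Returns 0 on success; -1 with errno = E2BIG when
 * the table exceeds max_entries, or ENOMEM when an allocation fails.
 * *head is NULL on error and nothing is leaked. */
int load_table(const char *text, size_t max_entries, alloc_fn alloc, entry **head) {
    entry *list = NULL;
    size_t count = 0;
    *head = NULL;
    for (const char *p = text; *p; ) {
        size_t len = strcspn(p, "\n");
        if (len > 0 && *p != '#') {
            if (count == max_entries) {      /* bound the table (CVE-2019-9705) */
                free_entries(list); errno = E2BIG; return -1;
            }
            entry *e = alloc(1, sizeof *e);  /* check the result (CVE-2019-9704) */
            if (e == NULL) { free_entries(list); errno = ENOMEM; return -1; }
            e->line = alloc(len + 1, 1);     /* zero-filled, so NUL-terminated */
            if (e->line == NULL) { free(e); free_entries(list); errno = ENOMEM; return -1; }
            memcpy(e->line, p, len);
            e->next = list; list = e; count++;
        }
        p += len;
        if (*p == '\n') p++;
    }
    *head = list;
    return 0;
}
```

Passing `calloc` as the allocator gives normal behaviour; `failing_alloc` exercises the out-of-memory path without exhausting real memory.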