Bug 8652

Summary: cronie: fd leak in 1.4.8 (CVE-2012-6097)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: luigiwalser, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/534974/
Whiteboard: MGA2-32-OK, MGA2-64-OK
Source RPM: cronie-1.4.8-5.1.mga2.src.rpm CVE:
Status comment:

Description Oden Eriksson 2013-01-11 06:25:56 CET 
https://bugzilla.redhat.com/show_bug.cgi?id=893661

"Vincent Danen 2013-01-09 10:58:17 EST

It was reported [1],[2] that cronie would leak certain fd's.  On systems where /etc/crontab is not world-readable this could be an information disclosure concern.

This was introduced upstream in cronie 1.4.8 [3] and fixed in 1.4.9 [4], so the only version of cronie that is affected by this issue is 1.4.8.  It was also patched in Fedora via cronie-1.4.8-2.fc15 (see [2] for those details).

[1] https://bugzilla.novell.com/show_bug.cgi?id=786096
[2] https://bugzilla.redhat.com/show_bug.cgi?id=717505
[3] http://git.fedorahosted.org/cgit/cronie.git/commit/src/cron.c?id=acdf4ae8456888ed78201906ef528f4c28f54582
[4] http://git.fedorahosted.org/cgit/cronie.git/commit/src/cron.c?id=b19007ca9fddd62ecef3af4a7d2d252f1d5e0419


Statement:

Not vulnerable. This issue did not affect the versions of cronie as shipped with Red Hat Enterprise Linux 6."
Comment 1 Oden Eriksson 2013-01-11 06:27:18 CET 
Fixed in r345483 (mga2, updates_testing, cronie-1.4.8-5.1.mga2)
Manuel Hiebel 2013-01-11 22:23:39 CET

Hardware: i586 => All
Assignee: bugsquad => qa-bugs
Source RPM: (none) => cronie-1.4.8-5.1.mga2.src.rpm

Comment 2 claire robinson 2013-01-14 15:59:06 CET 
Can you give a Mageia advisory please Oden. Thanks.

SRPM: cronie-1.4.8-5.1.mga2.src.rpm
-----------------------------------
cronie-anacron
cronie
cronie-debug
Comment 3 David Walser 2013-01-16 22:17:13 CET 
This is an extremely low-impact vulnerability, and would only affect systems where /etc/crontab wasn't world readable (as is the case in the msec secure level, for instance) and the sysadmin has made local modifications to the /etc/crontab file itself, and doesn't want users on the system to know about it.  This sounds unlikely to affect anybody IMO.

Here's the advisory text:

It was reported that cronie 1.4.8 would leak certain file descriptors.  On
systems where /etc/crontab is not world-readable this could be an information
disclosure concern (CVE-2012-6097).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6097
https://bugzilla.redhat.com/show_bug.cgi?id=893661

CC: (none) => luigiwalser

Comment 4 David Walser 2013-01-29 21:01:31 CET 
OpenSuSE has issued an advisory for this today (January 29):
http://lists.opensuse.org/opensuse-updates/2013-01/msg00087.html

URL: (none) => http://lwn.net/Vulnerabilities/534974/

David Walser 2013-02-01 19:42:57 CET

Summary: CVE-2012-6097: cronie: fd leak in 1.4.8 => cronie: fd leak in 1.4.8 (CVE-2012-6097)

Comment 5 claire robinson 2013-02-03 16:51:39 CET 
Testing info here: https://bugzilla.novell.com/show_bug.cgi?id=786096
Comment 6 Marc Lattemann 2013-02-03 19:21:22 CET 
tested successfully with description on i586 from #5:

before update:
Feb  3 19:15:01 MGA2_32BIT /USR/SBIN/CROND[8211]: (root) CMD ($HOME/lvm_cron)
Feb  3 19:15:01 MGA2_32BIT /USR/SBIN/CROND[8210]: (root) CMDOUT (File descriptor 6 (/var/spool/cron) leaked on lvm2 invocation. Parent PID 8211: /bin/sh)
Feb  3 19:15:01 MGA2_32BIT /USR/SBIN/CROND[8210]: (root) CMDOUT (File descriptor 7 (/etc/cron.d) leaked on lvm2 invocation. Parent PID 8211: /bin/sh)

after update:
Feb  3 19:17:01 MGA2_32BIT /USR/SBIN/CROND[8356]: (root) CMD ($HOME/lvm_cron)

CC: (none) => marc.lattemann
Whiteboard: (none) => MGA2-32-OK

Comment 7 Marc Lattemann 2013-02-03 19:55:49 CET 
cannot reproduce error message in mga2-64bit with old package. But no error message also for updated packages.

Therefore validating?

Whiteboard: MGA2-32-OK => MGA2-32-OK, MGA2-64-OK

Marc Lattemann 2013-02-03 19:56:31 CET

Keywords: (none) => validated_update
CC: marc.lattemann => sysadmin-bugs

Comment 8 Thomas Backlund 2013-02-06 22:41:26 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0023

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED