Bug 11784 - fcron missing an update for security issue CVE-2010-0792
Summary: fcron missing an update for security issue CVE-2010-0792
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/380900/
Whiteboard: advisory mga3-32-ok mga3-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-11-26 19:41 CET by David Walser
Modified: 2013-12-18 23:58 CET

See Also:
Source RPM: fcron-3.0.4-14.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2013-11-26 19:41:36 CET
Fedora has issued an advisory on March 10, 2010:
https://lists.fedoraproject.org/pipermail/package-announce/2010-March/038150.html

The issue is fixed upstream in 3.0.5.

Mageia 3 is also affected.

David Walser 2013-11-26 19:41:43 CET

Whiteboard: (none) => MGA3TOO

David Walser 2013-11-26 20:07:56 CET

Blocks: (none) => 11726

Comment 1 Oden Eriksson 2013-11-28 12:28:50 CET
fixed with fcron-3.0.5-1.mga3

fcron-3.0.5-1.mga4 needs to be submitted.

CC: (none) => oe

Comment 2 David Walser 2013-11-28 16:40:08 CET
Thanks Oden!  I've sent a freeze push request to the dev ml.

Comment 3 David Walser 2013-11-30 18:22:23 CET
fcron-3.0.5-1.mga4 uploaded for Cauldron.

Assigning Mageia 3 update to QA.

Advisory:
========================

Updated fcron package fixes security vulnerability:

fcrontab in fcron before 3.0.5 allows local users to read arbitrary files via
a symlink attack on an unspecified file (CVE-2010-0792).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0792
https://lists.fedoraproject.org/pipermail/package-announce/2010-March/038150.html
========================

Updated packages in core/updates_testing:
========================
fcron-3.0.5-1.mga3

from fcron-3.0.5-1.mga3.src.rpm

Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: nanardon => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 4 Dave Hodgins 2013-11-30 18:39:35 CET
Advisory 11784.adv committed to svn

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 5 Dave Hodgins 2013-11-30 20:09:26 CET
Fails to start due to /etc/rc.d/init.d/fcron having the line
SBIN=/usr/sbinDESTSBIN@
so when it tries to run ...
+ status fcron
+ '[' -x /usr/sbinDESTSBIN@/fcron ']'
+ exit 5

Whiteboard: advisory => advisory feedback

Comment 6 Dave Hodgins 2013-11-30 20:55:31 CET
Note that the problem in the init script is not a regression.

As this is a security update, I'm willing to manually fix the script for
testing, if need be, but I think it would be better to fix the script.

Comment 7 David Walser 2013-11-30 21:18:47 CET
As this update is already a few years late, a few more days won't hurt :o)

Comment 8 claire robinson 2013-12-12 17:38:18 CET
This one too David please.

Comment 9 David Walser 2013-12-12 18:17:05 CET
I don't understand what's going wrong here, as the SPEC has:
perl -pi -e 's|SBIN=@@DESTSBIN@|SBIN=%{_sbindir}|' \
    %{buildroot}%{_initrddir}/fcron

Furthermore, there's actually an fcron 3.0.6, which Fedora had updated to, as well as switching to systemd services for it, and Fedora has dropped this package since due to being unmaintained.  I'm not sure what to do here.

Comment 10 claire robinson 2013-12-12 18:44:27 CET
Missing semi-colons I think, looking at the other bits.

Comment 11 David Walser 2013-12-12 19:27:12 CET
(In reply to claire robinson from comment #10)
> Missing semi-colons I think, looking at the other bits.

Since that command only runs one -e 's' command, it doesn't need a semicolon.

Comment 12 claire robinson 2013-12-13 10:52:08 CET
Possibly need to escape the @'s

Comment 13 David Walser 2013-12-13 17:21:04 CET
That was trickier than I thought.  I had to change it to this:
perl -pi -e 's|SBIN=@\@DESTSBIN@|SBIN=%{_sbindir}|' \
    %{buildroot}%{_initrddir}/fcron

I also updated it to 3.0.6, and sent a freeze push request to the dev ml.

Advisory:
========================

Updated fcron package fixes security vulnerability:

fcrontab in fcron before 3.0.5 allows local users to read arbitrary files via
a symlink attack on an unspecified file (CVE-2010-0792).

An error in the init script has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0792
https://lists.fedoraproject.org/pipermail/package-announce/2010-March/038150.html
========================

Updated packages in core/updates_testing:
========================
fcron-3.0.6-1.mga3

from fcron-3.0.6-1.mga3.src.rpm

Whiteboard: advisory feedback => (none)

Comment 14 claire robinson 2013-12-16 15:13:07 CET
Seems to still be some issue there David.

Before
------
installing fcron-3.0.4-13.mga3.i586.rpm from /var/cache/urpmi/rpms               
Preparing...                     ###############################################
      1/1: fcron                 ###############################################
Starting fcron (via systemctl):  Failed to issue method call: Unit fcron.service failed to load: No such file or directory. See system logs and 'systemctl status fcron.service' for details.
                                                                [FAILED]
fcron.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig fcron on

It is actually started though
# ps aux | grep fcron
root  29092  0.0  0.0   2980   476 ?   Ss   13:36   0:00 /usr/sbin/fcron -b


After
-----
After a several minute timeout reminiscent of a missing pid the %post script fails.

installing fcron-3.0.6-1.mga3.i586.rpm from /var/cache/urpmi/rpms                
Preparing...                     ###############################################
      1/1: fcron                 ###############################################
fcron: no process found
Starting fcron (via systemctl):  Warning: Unit file of fcron.service changed on disk, 'systemctl --system daemon-reload' recommended.
                                                                [  OK  ]
<INSERT 5 MINS>

warning: %post(fcron-3.0.6-1.mga3.i586) scriptlet failed, exit status 1
ERROR: 'script' failed for fcron-3.0.6-1.mga3.i586: 
      1/1: removing fcron-3.0.4-13.mga3.i586
                                 ###############################################

Again, it is actually running. I'm not certain the PID is the same as I started/stopped it after pasting the 'Before' and before updating.

# systemctl -a status fcron.service 
fcron.service - LSB: Fcron job service
          Loaded: loaded (/etc/rc.d/init.d/fcron)
          Active: failed (Result: timeout) since Mon, 2013-12-16 13:57:23 GMT; 12min ago
         Process: 30919 ExecStop=/etc/rc.d/init.d/fcron stop (code=exited, status=0/SUCCESS)
         Process: 30942 ExecStart=/etc/rc.d/init.d/fcron start (code=exited, status=0/SUCCESS)
        Main PID: 30895 (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/fcron.service
                  └ 30953 /usr/sbin/fcron -b

systemd[1]: Starting LSB: Fcron job service...
fcron[30953]: fcron[30953] 3.0.6 started
fcron[30953]: updating configuration from /var/spool/fcron
fcron[30942]: Starting fcron[  OK  ]
systemd[1]: Failed to start LSB: Fcron job service.
systemd[1]: Unit fcron.service entered failed state

# ps aux | grep fcron
root   30953  0.0  0.0   2980   476 ? Ss   13:52   0:00 /usr/sbin/fcron -b


Also removing..

# urpme fcron
removing fcron-3.0.6-1.mga3.i586
fcron.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig fcron off
removing package fcron-3.0.6-1.mga3.i586
      1/1: removing fcron-3.0.6-1.mga3.i586
                                 ################################warning: file /etc/rc.d/init.d/fcron: remove failed: No such file or directory
###############

Comment 15 claire robinson 2013-12-16 15:53:36 CET
The initial fcron instance may have been pre-existing from messing around with it so repeating to confirm things.

Removed the package and killed the remaining fcron process. Also manually removed /run/fcron.

When installed, the release package says it fails to start but does actually start an instance, but without adding anything into /run/fcron/

# ps aux | grep fcron
root  3264  0.0  0.0   2980   476 ?  Ss   14:36   0:00 /usr/sbin/fcron -b

The update sits for 5 mins and times out with an error in %post. Interrupted with ctrl-c for expedience.

# ps aux | grep fcron
root  4372  0.0  0.0   2980   476 ?  Ss   14:43   0:00 /usr/sbin/fcron -b

So a different PID

Afterwards..

# ls /run/fcron/
fcron.fifo=  fcron.pid

timestamp of fcron.pid suggests it comes from the update.

# systemctl stop fcron.service 
# ll /run/fcron/
total 4
srwxrwxrwx 1 root root 0 Dec 16 14:43 fcron.fifo=
-rw-r--r-- 1 root root 5 Dec 16 14:43 fcron.pid

# ps aux | grep fcron
root  4372  0.0  0.0   2980   476 ?   Ss   14:43   0:00 /usr/sbin/fcron -b

Whiteboard: (none) => feedback

Comment 16 claire robinson 2013-12-16 16:07:00 CET
Also I notice this creates a system user but appears to be running as root.

Comment 17 Colin Guthrie 2013-12-17 10:56:08 CET
The reason it takes so long and times out is that fcron writes its pid file in /var/run/fcron/fcron.pid but the initscript says to look for it in /var/run/fcron.pid.

Updating the initscript to correct the pidfile location should fix it.

FWIW The error on uninstall about missing file or directory is sadly a hacky fix for systemd stuff where we rm the init.d file when preun_service is called when we know the package is being uninstalled such that systemd is reloaded and sees the unit as gone. So while it's nasty, it's expected. We might be able to add a file trigger that simply does a systemd daemon-reload when files in /etc/init.d or /usr/lib/systemd change... if so we might be able to remove that nasty rm... anyway separate issue!

CC: (none) => mageia

Comment 18 David Walser 2013-12-18 01:31:37 CET
Thanks Colin!  Hopefully this is the last one.

Advisory:
========================

Updated fcron package fixes security vulnerability:

fcrontab in fcron before 3.0.5 allows local users to read arbitrary files via
a symlink attack on an unspecified file (CVE-2010-0792).

An error in the init script has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0792
https://lists.fedoraproject.org/pipermail/package-announce/2010-March/038150.html
========================

Updated packages in core/updates_testing:
========================
fcron-3.0.6-1.1.mga3

from fcron-3.0.6-1.1.mga3.src.rpm

Whiteboard: feedback => (none)

Comment 19 claire robinson 2013-12-18 14:18:15 CET
Testing complete Mga3 32 & 64.

Confirmed the fix, thank you, just checking that the service now starts ok (and does really start) and stops ok (and does really stop).

Whiteboard: (none) => mga3-32-ok mga3-64-ok

Comment 20 claire robinson 2013-12-18 14:28:31 CET
Validating. Advisory uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: mga3-32-ok mga3-64-ok => advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 21 Thomas Backlund 2013-12-18 23:58:34 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0377.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

