Bug 11784 - fcron missing an update for security issue CVE-2010-0792
: fcron missing an update for security issue CVE-2010-0792
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/380900/
: advisory mga3-32-ok mga3-64-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-11-26 19:41 CET by David Walser
Modified: 2013-12-18 23:58 CET (History)
5 users (show)

See Also:
Source RPM: fcron-3.0.4-14.mga4.src.rpm
CVE:


Attachments

Description David Walser 2013-11-26 19:41:36 CET
Fedora has issued an advisory on March 10, 2010:
https://lists.fedoraproject.org/pipermail/package-announce/2010-March/038150.html

The issue is fixed upstream in 3.0.5.

Mageia 3 is also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-11-28 12:28:50 CET
fixed with fcron-3.0.5-1.mga3

fcron-3.0.5-1.mga4 needs to be submitted.
Comment 2 David Walser 2013-11-28 16:40:08 CET
Thanks Oden!  I've sent a freeze push request to the dev ml.
Comment 3 David Walser 2013-11-30 18:22:23 CET
fcron-3.0.5-1.mga4 uploaded for Cauldron.

Assigning Mageia 3 update to QA.

Advisory:
========================

Updated fcron package fixes security vulnerability:

fcrontab in fcron before 3.0.5 allows local users to read arbitrary files via
a symlink attack on an unspecified file (CVE-2010-0792).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0792
https://lists.fedoraproject.org/pipermail/package-announce/2010-March/038150.html
========================

Updated packages in core/updates_testing:
========================
fcron-3.0.5-1.mga3

from fcron-3.0.5-1.mga3.src.rpm
Comment 4 Dave Hodgins 2013-11-30 18:39:35 CET
Advisory 11784.adv committed to svn
Comment 5 Dave Hodgins 2013-11-30 20:09:26 CET
Fails to start due to /etc/rc.d/init.d/fcron having the line
SBIN=/usr/sbinDESTSBIN@
so when it tries to run ...
+ status fcron
+ '[' -x /usr/sbinDESTSBIN@/fcron ']'
+ exit 5
Comment 6 Dave Hodgins 2013-11-30 20:55:31 CET
Note that the problem in the init script is not a regression.

As this is a security update, I'm willing to manually fix the script for
testing, if need be, but I think it would be better to fix the script.
Comment 7 David Walser 2013-11-30 21:18:47 CET
As this update is already a few years late, a few more days won't hurt :o)
Comment 8 claire robinson 2013-12-12 17:38:18 CET
This one too David please.
Comment 9 David Walser 2013-12-12 18:17:05 CET
I don't understand what's going wrong here, as the SPEC has:
perl -pi -e 's|SBIN=@@DESTSBIN@|SBIN=%{_sbindir}|' \
    %{buildroot}%{_initrddir}/fcron

Furthermore, there's actually an fcron 3.0.6, which Fedora had updated to, as well as switching to systemd services for it, and Fedora has dropped this package since due to be unmaintained.  I'm not sure what to do here.
Comment 10 claire robinson 2013-12-12 18:44:27 CET
Missing semi-colons I think, looking at the other bits.
Comment 11 David Walser 2013-12-12 19:27:12 CET
(In reply to claire robinson from comment #10)
> Missing semi-colons I think, looking at the other bits.

Since that command only runs one -e 's' command, it doesn't need a semicolon.
Comment 12 claire robinson 2013-12-13 10:52:08 CET
Possibly need to escape the @'s
Comment 13 David Walser 2013-12-13 17:21:04 CET
That was trickier than I thought.  I had to change it to this:
perl -pi -e 's|SBIN=@\@DESTSBIN@|SBIN=%{_sbindir}|' \
    %{buildroot}%{_initrddir}/fcron

I also updated it to 3.0.6, and sent a freeze push request to the dev ml.

Advisory:
========================

Updated fcron package fixes security vulnerability:

fcrontab in fcron before 3.0.5 allows local users to read arbitrary files via
a symlink attack on an unspecified file (CVE-2010-0792).

An error in the init script has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0792
https://lists.fedoraproject.org/pipermail/package-announce/2010-March/038150.html
========================

Updated packages in core/updates_testing:
========================
fcron-3.0.6-1.mga3

from fcron-3.0.6-1.mga3.src.rpm
Comment 14 claire robinson 2013-12-16 15:13:07 CET
Seems to still be some issue there David.

Before
------
installing fcron-3.0.4-13.mga3.i586.rpm from /var/cache/urpmi/rpms               
Preparing...                     ###############################################
      1/1: fcron                 ###############################################
Starting fcron (via systemctl):  Failed to issue method call: Unit fcron.service failed to load: No such file or directory. See system logs and 'systemctl status fcron.service' for details.
                                                                [FAILED]
fcron.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig fcron on

It is actually started though
# ps aux | grep fcron
root  29092  0.0  0.0   2980   476 ?   Ss   13:36   0:00 /usr/sbin/fcron -b


After
-----
After a several minute timeout reminiscent of a missing pid the %post script fails.

installing fcron-3.0.6-1.mga3.i586.rpm from /var/cache/urpmi/rpms                
Preparing...                     ###############################################
      1/1: fcron                 ###############################################
fcron: no process found
Starting fcron (via systemctl):  Warning: Unit file of fcron.service changed on disk, 'systemctl --system daemon-reload' recommended.
                                                                [  OK  ]
<INSERT 5 MINS>

warning: %post(fcron-3.0.6-1.mga3.i586) scriptlet failed, exit status 1
ERROR: 'script' failed for fcron-3.0.6-1.mga3.i586: 
      1/1: removing fcron-3.0.4-13.mga3.i586
                                 ###############################################

Again, it is actually running. I'm not certain the PID is the same as I started/stopped it after pasting the 'Before' and before updating.

# systemctl -a status fcron.service 
fcron.service - LSB: Fcron job service
          Loaded: loaded (/etc/rc.d/init.d/fcron)
          Active: failed (Result: timeout) since Mon, 2013-12-16 13:57:23 GMT; 12min ago
         Process: 30919 ExecStop=/etc/rc.d/init.d/fcron stop (code=exited, status=0/SUCCESS)
         Process: 30942 ExecStart=/etc/rc.d/init.d/fcron start (code=exited, status=0/SUCCESS)
        Main PID: 30895 (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/fcron.service
                  └ 30953 /usr/sbin/fcron -b

systemd[1]: Starting LSB: Fcron job service...
fcron[30953]: fcron[30953] 3.0.6 started
fcron[30953]: updating configuration from /var/spool/fcron
fcron[30942]: Starting fcron[  OK  ]
systemd[1]: Failed to start LSB: Fcron job service.
systemd[1]: Unit fcron.service entered failed state

# ps aux | grep fcron
root   30953  0.0  0.0   2980   476 ? Ss   13:52   0:00 /usr/sbin/fcron -b


Also removing..

# urpme fcron
removing fcron-3.0.6-1.mga3.i586
fcron.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig fcron off
removing package fcron-3.0.6-1.mga3.i586
      1/1: removing fcron-3.0.6-1.mga3.i586
                                 ################################warning: file /etc/rc.d/init.d/fcron: remove failed: No such file or directory
###############
Comment 15 claire robinson 2013-12-16 15:53:36 CET
The initial fcron instance may have been pre-existing from messing around with it so repeating to confirm things.

Removed the package and killed the remaining fcron process. Also manually removed /run/fcron.

When installed, the release package says it fails to start but does actually start an instance, but without adding anything into /run/fcron/

# ps aux | grep fcron
root  3264  0.0  0.0   2980   476 ?  Ss   14:36   0:00 /usr/sbin/fcron -b

The update sits for 5 mins and times out with an error in %post. Interrupted with ctrl-c for expedience.

# ps aux | grep fcron
root  4372  0.0  0.0   2980   476 ?  Ss   14:43   0:00 /usr/sbin/fcron -b

So a different PID

Afterwards..

# ls /run/fcron/
fcron.fifo=  fcron.pid

timestamp of fcron.pid suggests it comes from the update.

# systemctl stop fcron.service 
# ll /run/fcron/
total 4
srwxrwxrwx 1 root root 0 Dec 16 14:43 fcron.fifo=
-rw-r--r-- 1 root root 5 Dec 16 14:43 fcron.pid

# ps aux | grep fcron
root  4372  0.0  0.0   2980   476 ?   Ss   14:43   0:00 /usr/sbin/fcron -b
Comment 16 claire robinson 2013-12-16 16:07:00 CET
Also I notice this creates a system user but appears to be running as root.
Comment 17 Colin Guthrie 2013-12-17 10:56:08 CET
The reason it takes so long and times out is that fcron writes it's pid file in /var/run/fcron/fcron.pid but the initscript says to look for it in /var/run/fcron.pid.

Updating the initscript to correct the pidfile location should fix it.

FWIW The error on uninstall about missing file or directory is sadly a hacky fix for systemd stuff where we rm the init.d file when preun_service is called when we know the package is being uninstalled such that systemd is reloaded and sees the unit as gone. So while it's nasty, it's expected. We might be able to add a file trigger that simply does a systemd daemon-reload when files in /etc/init.d or /usr/lib/systemd change... if so we might be able to remove that nasty rm... anyway separate issue!
Comment 18 David Walser 2013-12-18 01:31:37 CET
Thanks Colin!  Hopefully this is the last one.

Advisory:
========================

Updated fcron package fixes security vulnerability:

fcrontab in fcron before 3.0.5 allows local users to read arbitrary files via
a symlink attack on an unspecified file (CVE-2010-0792).

An error in the init script has also been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0792
https://lists.fedoraproject.org/pipermail/package-announce/2010-March/038150.html
========================

Updated packages in core/updates_testing:
========================
fcron-3.0.6-1.1.mga3

from fcron-3.0.6-1.1.mga3.src.rpm
Comment 19 claire robinson 2013-12-18 14:18:15 CET
Testing complete Mga3 32 & 64.

Confirmed the fix, thankyou, just checking that the service now starts ok (and does really start) and stops ok (and does really stop).
Comment 20 claire robinson 2013-12-18 14:28:31 CET
Validating. Advisory uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Comment 21 Thomas Backlund 2013-12-18 23:58:34 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0377.html

Note You need to log in before you can comment on or make changes to this bug.