Fedora has issued an advisory on March 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6DU7HAUAQR4E4AEBPYLUV6FZ4PHKH6A2/

The issues are fixed upstream in 1.5.3 (regression fix in 1.5.4).
Status comment: (none) => Fixed upstream in 1.5.3
Assigning to our registered cronie maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
Submitted updated 1.5.2 pkg to core6/updates-testing.
Advisory:
========================

Updated cronie packages fix security vulnerabilities:

Cronie before 1.5.3 allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked (CVE-2019-9704).

Cronie before 1.5.3 allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted (CVE-2019-9705).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9705
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6DU7HAUAQR4E4AEBPYLUV6FZ4PHKH6A2/
========================

Updated packages in core/updates_testing:
========================
cronie-1.5.4-1.mga6
cronie-anacron-1.5.4-1.mga6

from cronie-1.5.4-1.mga6.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
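The two defect classes named in the advisory above (an unchecked calloc return and an unbounded number of crontab lines), shown in hardened form. This is an added example, not cronie's code and not part of the bug thread; MAX_ENTRIES, the struct and all function names are assumptions made for the illustration.

```c
/* Added illustration, not cronie source; names and limits are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 1000  /* assumed per-crontab cap, chosen for this example */
enum load_status { LOAD_OK = 0, LOAD_TOO_MANY = -1, LOAD_NO_MEMORY = -2 };
struct entry { struct entry *next; char text[]; };

void free_entries(struct entry *e) {
    while (e) { struct entry *n = e->next; free(e); e = n; }
}

/* Parse crontab text in buf. Each calloc result is checked before use (the
 * CVE-2019-9704 class) and at most cap entries are kept (the CVE-2019-9705
 * class). On failure the partial list is freed and *count is reset to 0. */
enum load_status load_entries(const char *buf, size_t cap,
                              struct entry **out, size_t *count) {
    struct entry *head = NULL, **tail = &head;
    *out = NULL; *count = 0;
    while (*buf) {
        size_t len = strcspn(buf, "\n");
        const char *line = buf;
        buf += len + (buf[len] == '\n');
        if (len == 0 || line[0] == '#') continue;   /* blank line or comment */
        if (*count >= cap) { free_entries(head); *count = 0; return LOAD_TOO_MANY; }
        struct entry *e = calloc(1, sizeof *e + len + 1);
        if (e == NULL) { free_entries(head); *count = 0; return LOAD_NO_MEMORY; }
        memcpy(e->text, line, len);                 /* calloc already zeroed the NUL */
        *tail = e; tail = &e->next; ++*count;
    }
    *out = head;
    return LOAD_OK;
}

/* Build a constructed crontab of n job lines, load it, and report the status. */
enum load_status load_constructed(size_t n, size_t cap, size_t *count) {
    size_t room = 32 * (n + 1), used;
    char *buf = malloc(room);
    struct entry *list = NULL;
    *count = 0;
    if (buf == NULL) return LOAD_NO_MEMORY;
    used = (size_t)snprintf(buf, room, "# constructed sample\n\n");
    for (size_t i = 0; i < n; i++)
        used += (size_t)snprintf(buf + used, room - used,
                                 "* * * * * /bin/true %zu\n", i);
    enum load_status st = load_entries(buf, cap, &list, count);
    free_entries(list); free(buf);
    return st;
}
```

A caller that gets LOAD_TOO_MANY or LOAD_NO_MEMORY can log the rejected file and keep running, instead of crashing or growing without limit.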
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.

# systemctl stop crond
# systemctl start crond
# systemctl -l status crond
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since vr 2019-04-19 11:43:12 CEST; 4s ago
 Main PID: 27108 (crond)
   CGroup: /system.slice/crond.service
           ├─19657 /usr/sbin/anacron -s
           └─27108 /usr/sbin/crond -n

apr 19 11:43:12 mach6.hviaene.thuis systemd[1]: Started Command Scheduler.
apr 19 11:43:12 mach6.hviaene.thuis crond[27108]: (CRON) STARTUP (1.5.4)
apr 19 11:43:12 mach6.hviaene.thuis crond[27108]: (CRON) INFO (RANDOM_DELAY will be scaled with fa
apr 19 11:43:12 mach6.hviaene.thuis crond[27108]: (CRON) INFO (running with inotify support)
apr 19 11:43:12 mach6.hviaene.thuis crond[27108]: (CRON) INFO (@reboot jobs will be run at compute

# anacron -V
Anacron from project cronie 1.5.4
Copyright (C) 1998 Itai Tzur <itzur@actcom.co.il>
Copyright (C) 1999 Sean 'Shaleh' Perry <shaleh@debian.org>
Copyright (C) 2004 Pascal Hakim <pasc@redellipse.net>

Mail comments, suggestions and bug reports to <pasc@redellipse.net>.

Looks OK
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Installed and tested without issue.

System: Mageia 6, x86_64, Intel CPU.

Seems to be working correctly, at least for the hourly cron jobs.

$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep cronie
cronie-anacron-1.5.4-1.mga6
cronie-1.5.4-1.mga6
$ systemctl status crond
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Dom 2019-04-28 10:22:43 WEST; 2min 11s ago
 Main PID: 4983 (crond)
   CGroup: /system.slice/crond.service
           ├─4108 /usr/sbin/anacron -s
           ├─4120 /usr/lib64/sa/sadc -F -L 600 6 /var/log/sa
           └─4983 /usr/sbin/crond -n

Abr 28 10:22:43 marte crond[4983]: (CRON) STARTUP (1.5.4)
Abr 28 10:22:43 marte systemd[1]: Started Command Scheduler.
Abr 28 10:22:43 marte crond[4983]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 53% if used.)
Abr 28 10:22:43 marte crond[4983]: (CRON) INFO (running with inotify support)
Abr 28 10:22:43 marte crond[4983]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
CC: (none) => mageia
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Looks good, then. Validating. Suggested advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0157.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED