https://bugzilla.redhat.com/show_bug.cgi?id=893661 "Vincent Danen 2013-01-09 10:58:17 EST It was reported [1],[2] that cronie would leak certain fd's. On systems where /etc/crontab is not world-readable this could be an information disclosure concern. This was introduced upstream in cronie 1.4.8 [3] and fixed in 1.4.9 [4], so the only version of cronie that is affected by this issue is 1.4.8. It was also patched in Fedora via cronie-1.4.8-2.fc15 (see [2] for those details). [1] https://bugzilla.novell.com/show_bug.cgi?id=786096 [2] https://bugzilla.redhat.com/show_bug.cgi?id=717505 [3] http://git.fedorahosted.org/cgit/cronie.git/commit/src/cron.c?id=acdf4ae8456888ed78201906ef528f4c28f54582 [4] http://git.fedorahosted.org/cgit/cronie.git/commit/src/cron.c?id=b19007ca9fddd62ecef3af4a7d2d252f1d5e0419 Statement: Not vulnerable. This issue did not affect the versions of cronie as shipped with Red Hat Enterprise Linux 6."
Fixed in r345483 (mga2, updates_testing, cronie-1.4.8-5.1.mga2)
Hardware: i586 => AllAssignee: bugsquad => qa-bugsSource RPM: (none) => cronie-1.4.8-5.1.mga2.src.rpm
Can you give a Mageia advisory please Oden. Thanks. SRPM: cronie-1.4.8-5.1.mga2.src.rpm ----------------------------------- cronie-anacron cronie cronie-debug
This is an extremely low-impact vulnerability, and would only affect systems where /etc/crontab wasn't world readable (as is the case in the msec secure level, for instance) and the sysadmin has made local modifications to the /etc/crontab file itself, and doesn't want users on the system to know about it. This sounds unlikely to affect anybody IMO. Here's the advisory text: It was reported that cronie 1.4.8 would leak certain file descriptors. On systems where /etc/crontab is not world-readable this could be an information disclosure concern (CVE-2012-6097). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6097 https://bugzilla.redhat.com/show_bug.cgi?id=893661
CC: (none) => luigiwalser
OpenSuSE has issued an advisory for this today (January 29): http://lists.opensuse.org/opensuse-updates/2013-01/msg00087.html
URL: (none) => http://lwn.net/Vulnerabilities/534974/
Summary: CVE-2012-6097: cronie: fd leak in 1.4.8 => cronie: fd leak in 1.4.8 (CVE-2012-6097)
Testing info here: https://bugzilla.novell.com/show_bug.cgi?id=786096
tested successfully with description on i586 from #5: before update: Feb 3 19:15:01 MGA2_32BIT /USR/SBIN/CROND[8211]: (root) CMD ($HOME/lvm_cron) Feb 3 19:15:01 MGA2_32BIT /USR/SBIN/CROND[8210]: (root) CMDOUT (File descriptor 6 (/var/spool/cron) leaked on lvm2 invocation. Parent PID 8211: /bin/sh) Feb 3 19:15:01 MGA2_32BIT /USR/SBIN/CROND[8210]: (root) CMDOUT (File descriptor 7 (/etc/cron.d) leaked on lvm2 invocation. Parent PID 8211: /bin/sh) after update: Feb 3 19:17:01 MGA2_32BIT /USR/SBIN/CROND[8356]: (root) CMD ($HOME/lvm_cron)
CC: (none) => marc.lattemannWhiteboard: (none) => MGA2-32-OK
cannot reproduce error message in mga2-64bit with old package. But no error message also for updated packages. Therefore validating?
Whiteboard: MGA2-32-OK => MGA2-32-OK, MGA2-64-OK
Keywords: (none) => validated_updateCC: marc.lattemann => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0023
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED