Bug 8652 - cronie: fd leak in 1.4.8 (CVE-2012-6097)
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/534974/
Whiteboard: MGA2-32-OK, MGA2-64-OK
Keywords: validated_update
Reported: 2013-01-11 06:25 CET by Oden Eriksson
Modified: 2013-02-06 22:41 CET
Source RPM: cronie-1.4.8-5.1.mga2.src.rpm

Description Oden Eriksson 2013-01-11 06:25:56 CET

"Vincent Danen 2013-01-09 10:58:17 EST

It was reported [1],[2] that cronie would leak certain fd's.  On systems where /etc/crontab is not world-readable this could be an information disclosure concern.

This was introduced upstream in cronie 1.4.8 [3] and fixed in 1.4.9 [4], so the only version of cronie that is affected by this issue is 1.4.8.  It was also patched in Fedora via cronie-1.4.8-2.fc15 (see [2] for those details).

[1] https://bugzilla.novell.com/show_bug.cgi?id=786096
[2] https://bugzilla.redhat.com/show_bug.cgi?id=717505
[3] http://git.fedorahosted.org/cgit/cronie.git/commit/src/cron.c?id=acdf4ae8456888ed78201906ef528f4c28f54582
[4] http://git.fedorahosted.org/cgit/cronie.git/commit/src/cron.c?id=b19007ca9fddd62ecef3af4a7d2d252f1d5e0419


Not vulnerable. This issue did not affect the versions of cronie as shipped with Red Hat Enterprise Linux 6."
Comment 1 Oden Eriksson 2013-01-11 06:27:18 CET
Fixed in r345483 (mga2, updates_testing, cronie-1.4.8-5.1.mga2)
Comment 2 claire robinson 2013-01-14 15:59:06 CET
Can you give a Mageia advisory please Oden. Thanks.

SRPM: cronie-1.4.8-5.1.mga2.src.rpm
Comment 3 David Walser 2013-01-16 22:17:13 CET
This is an extremely low-impact vulnerability, and would only affect systems where /etc/crontab wasn't world readable (as is the case in the msec secure level, for instance) and the sysadmin has made local modifications to the /etc/crontab file itself, and doesn't want users on the system to know about it.  This sounds unlikely to affect anybody IMO.

Here's the advisory text:

It was reported that cronie 1.4.8 would leak certain file descriptors.  On
systems where /etc/crontab is not world-readable this could be an information
disclosure concern (CVE-2012-6097).

Comment 4 David Walser 2013-01-29 21:01:31 CET
OpenSuSE has issued an advisory for this today (January 29):
Comment 5 claire robinson 2013-02-03 16:51:39 CET
Testing info here: https://bugzilla.novell.com/show_bug.cgi?id=786096
Comment 6 Marc Lattemann 2013-02-03 19:21:22 CET
Tested successfully with description on i586 from #5:

before update:
Feb  3 19:15:01 MGA2_32BIT /USR/SBIN/CROND[8211]: (root) CMD ($HOME/lvm_cron)
Feb  3 19:15:01 MGA2_32BIT /USR/SBIN/CROND[8210]: (root) CMDOUT (File descriptor 6 (/var/spool/cron) leaked on lvm2 invocation. Parent PID 8211: /bin/sh)
Feb  3 19:15:01 MGA2_32BIT /USR/SBIN/CROND[8210]: (root) CMDOUT (File descriptor 7 (/etc/cron.d) leaked on lvm2 invocation. Parent PID 8211: /bin/sh)

after update:
Feb  3 19:17:01 MGA2_32BIT /USR/SBIN/CROND[8356]: (root) CMD ($HOME/lvm_cron)
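
The leak seen in the "before update" log above, reproduced in miniature as an added example (not code from cronie or from this bug thread): a parent opens a file, spawns a job through /bin/sh, and the job checks whether the descriptor reached it. The page does not show the upstream fix; O_CLOEXEC is used here as one standard way to keep a descriptor out of child processes, /dev/null is a constructed stand-in for the directories cron holds open, and the function name is hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper. Returns 1 if a descriptor opened by the parent is
 * still open in the exec'ed job, 0 if it is not, -1 on error.
 * Linux only: the job inspects its own table through /proc/self/fd. */
int fd_survives_exec(int use_cloexec)
{
    /* /dev/null stands in for a file the daemon keeps open (constructed). */
    int flags = O_RDONLY | (use_cloexec ? O_CLOEXEC : 0);
    int fd = open("/dev/null", flags);
    if (fd < 0)
        return -1;

    /* Command run by the job: does descriptor <fd> exist in my process? */
    char cmd[64];
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        /* Same spawn pattern as a cron job: fork, then exec a shell. */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127); /* exec failed */
    }

    int status;
    pid_t w = waitpid(pid, &status, 0);
    close(fd);
    if (w < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    printf("plain open(): inherited=%d\n", fd_survives_exec(0));
    printf("O_CLOEXEC:    inherited=%d\n", fd_survives_exec(1));
    return 0;
}
```
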
Comment 7 Marc Lattemann 2013-02-03 19:55:49 CET
Cannot reproduce error message in mga2-64bit with old package. But no error message also for updated packages.

Therefore validating?
Comment 8 Thomas Backlund 2013-02-06 22:41:26 CET
Update pushed:
