"Vincent Danen 2013-01-09 10:58:17 EST
It was reported that cronie would leak certain fd's. On systems where /etc/crontab is not world-readable this could be an information disclosure concern.
This was introduced upstream in cronie 1.4.8 and fixed in 1.4.9, so the only version of cronie that is affected by this issue is 1.4.8. It was also patched in Fedora via cronie-1.4.8-2.fc15 (see  for those details).
Not vulnerable. This issue did not affect the versions of cronie as shipped with Red Hat Enterprise Linux 6."
Fixed in r345483 (mga2, updates_testing, cronie-1.4.8-5.1.mga2)
Can you give a Mageia advisory please, Oden? Thanks.
This is an extremely low-impact vulnerability, and would only affect systems where /etc/crontab wasn't world readable (as is the case in the msec secure level, for instance) and the sysadmin has made local modifications to the /etc/crontab file itself, and doesn't want users on the system to know about it. This sounds unlikely to affect anybody IMO.
Here's the advisory text:
It was reported that cronie 1.4.8 would leak certain file descriptors. On
systems where /etc/crontab is not world-readable this could be an information
disclosure concern (CVE-2012-6097).
OpenSuSE has issued an advisory for this today (January 29):
CVE-2012-6097: cronie: fd leak in 1.4.8 =>
cronie: fd leak in 1.4.8 (CVE-2012-6097)
Testing info here: https://bugzilla.novell.com/show_bug.cgi?id=786096
tested successfully with description on i586 from #5:
Feb 3 19:15:01 MGA2_32BIT /USR/SBIN/CROND: (root) CMD ($HOME/lvm_cron)
Feb 3 19:15:01 MGA2_32BIT /USR/SBIN/CROND: (root) CMDOUT (File descriptor 6 (/var/spool/cron) leaked on lvm2 invocation. Parent PID 8211: /bin/sh)
Feb 3 19:15:01 MGA2_32BIT /USR/SBIN/CROND: (root) CMDOUT (File descriptor 7 (/etc/cron.d) leaked on lvm2 invocation. Parent PID 8211: /bin/sh)
Feb 3 19:17:01 MGA2_32BIT /USR/SBIN/CROND: (root) CMD ($HOME/lvm_cron)
Cannot reproduce the error message on mga2-64bit with the old package. But there is also no error message for the updated packages.
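
The condition the test log above reports (descriptors for /var/spool/cron and /etc/cron.d still open in the job's shell) can be checked from inside a daemon before it spawns a job. The C code below is an added example, not cronie's code or its upstream fix; `audit_inheritable_fds`, `set_cloexec` and `MAX_SCAN` are hypothetical names, and the path lookup assumes Linux with /proc mounted.

```c
/* Added example, not cronie code: find descriptors a spawned job would inherit. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for O_CLOEXEC and readlink() on glibc */
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <unistd.h>
#define MAX_SCAN 1024          /* assumption: upper bound of fds to inspect */
/* Count open descriptors above stderr that lack FD_CLOEXEC, i.e. that would
 * survive exec() into a job. With verbose set, name each one on stderr. */
int audit_inheritable_fds(int verbose)
{
    int leaks = 0;
    for (int fd = 3; fd < MAX_SCAN; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC))
            continue;          /* not open, or already closed on exec */
        leaks++;
        if (verbose) {
            char link[64], path[PATH_MAX];
            snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
            ssize_t n = readlink(link, path, sizeof path - 1);
            path[n > 0 ? n : 0] = '\0';
            fprintf(stderr, "fd %d (%s) would leak across exec\n",
                    fd, n > 0 ? path : "unknown");
        }
    }
    return leaks;
}

/* Mark one descriptor close-on-exec, keeping its other fd flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

int main(void)
{
    int base = audit_inheritable_fds(0);       /* fds inherited from our parent */
    int leaky = open("/", O_RDONLY);           /* "/" is a constructed stand-in */
    printf("plain open:  %d new\n", audit_inheritable_fds(1) - base);
    set_cloexec(leaky);
    int safe = open("/", O_RDONLY | O_CLOEXEC);
    printf("after fixes: %d new\n", audit_inheritable_fds(1) - base);
    close(leaky); close(safe);
    return 0;
}
```

Descriptors opened with `O_CLOEXEC`, or marked with `FD_CLOEXEC` afterwards, never appear in the audit, which is the state a job's shell should see.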