The Gentoo implementation of Vixie Cron is vulnerable to a local Denial of Service.
|Package||sys-process/vixie-cron on all architectures|
|Affected versions||< 4.1-r10|
|Unaffected versions||>= 4.1-r10|
Vixie Cron is a command scheduler with extended syntax over cron.
During an internal audit, Raphael Marichez of the Gentoo Linux Security Team found that Vixie Cron has weak permissions set on Gentoo, allowing for a local user to create hard links to system and users cron files, while a st_nlink check in database.c will generate a superfluous error.
Depending on the partitioning scheme and the "cron" group membership, a malicious local user can create hard links to system or users cron files that will trigger the st_link safety check and prevent the targeted cron file from being run from the next restart or database reload.
There is no known workaround at this time.
All Vixie Cron users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=sys-process/vixie-cron-4.1-r10"
April 16, 2007
April 16, 2007: 01