Vixie Cron: Denial of service — GLSA 200704-11

The Gentoo implementation of Vixie Cron is vulnerable to a local Denial of Service.

Affected packages

sys-process/vixie-cron on all architectures
Affected versions < 4.1-r10
Unaffected versions >= 4.1-r10

Background

Vixie Cron is a command scheduler with extended syntax over cron.

Description

During an internal audit, Raphael Marichez of the Gentoo Linux Security Team found that Vixie Cron has weak permissions set on Gentoo, allowing for a local user to create hard links to system and users cron files, while a st_nlink check in database.c will generate a superfluous error.

Impact

Depending on the partitioning scheme and the "cron" group membership, a malicious local user can create hard links to system or users cron files that will trigger the st_link safety check and prevent the targeted cron file from being run from the next restart or database reload.

Workaround

There is no known workaround at this time.

Resolution

All Vixie Cron users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-process/vixie-cron-4.1-r10"

References

Release date
April 16, 2007

Latest revision
April 16, 2007: 01

Severity
low

Exploitable
local

Bugzilla entries