Bug 1043768 (CVE-2017-9525)

Summary: VUL-0: CVE-2017-9525: cron: postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink
Product: [Novell Products] SUSE Security Incidents Reporter: Victor Pereira <vpereira>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: kstreitova, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/186528/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Victor Pereira 2017-06-12 05:43:11 UTC
CVE-2017-9525

In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2
on Ubuntu, the postinst maintainer script allows for group-crontab-to-root
privilege escalation via symlink attacks against unsafe usage of the chown and
chmod programs.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9525
http://seclists.org/oss-sec/2017/q2/451
http://www.openwall.com/lists/oss-security/2017/06/08/3
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9525.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864466
http://www.cvedetails.com/cve/CVE-2017-9525/
Comment 1 Victor Pereira 2017-06-12 13:52:42 UTC
probably not affected.
Comment 2 Kristyna Streitova 2017-08-29 09:31:06 UTC
(In reply to Victor Pereira from comment #1)
> probably not affected.

Yes, we are not affected. We have no such unsafe chmod/chown calls in our specfile (neither cron nor cronie).

I'm reassigning it back to the security team. Feel free to close it.
Comment 3 Marcus Meissner 2017-10-26 06:16:31 UTC
not affected