Bug 178863 - (CVE-2006-2607) VUL-0: CVE-2006-2607: privilege escalation in vixie-cron
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Critical
Target Milestone: ---
Assigned To: Security Team bot
Depends on:
Blocks: 179660
Reported: 2006-05-25 17:43 UTC by Marcus Meissner
Modified: 2018-12-06 12:59 UTC (History)
Found By: Other

Attachments
xx.c (45 bytes, text/plain), 2006-05-31 09:17 UTC, Marcus Meissner

Description Marcus Meissner 2006-05-25 17:43:34 UTC
To: coley@mitre.org
Cc: vendor-sec@lst.de
From: Josh Bressers <bressers@redhat.com>
Subject: [vendor-sec] CVE Request (vixie-cron)
Errors-To: vendor-sec-admin@lst.de
Date: Thu, 25 May 2006 13:27:22 -0400

Steve,

There is a public issue in vixie cron which can lead to a privilege
escalation.  A Gentoo bug was filed yesterday; after some investigation
I found it had been reported to our BTS (but missed) earlier this
year:

http://bugs.gentoo.org/show_bug.cgi?id=134194
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178431

Thanks.

--
    JB
Comment 1 Marcus Meissner 2006-05-25 19:51:32 UTC
======================================================
Name: CVE-2006-2607
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2607
Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=134194
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178431

do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return
code of a setuid call, which might allow local users to gain root
privileges if setuid fails in cases such as PAM failures or resource
limits.
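The defect the CVE text describes is a privilege drop whose result is never checked: if setuid() fails (for example under a PAM error or a resource limit), the process carries on with the daemon's credentials. The following is an added illustration written for this page, not vixie-cron's own code. It places the unchecked pattern beside a checked form that verifies every call and confirms the resulting credentials before returning. The function names and the "current uid + 1" target used in main() are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The defect pattern: return values of setgid()/setuid() are discarded,
 * so a failed setuid() leaves the caller believing privileges were
 * dropped. Reconstructed illustration, not the vixie-cron source. */
static int drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);
    setuid(uid);   /* return value ignored: on EPERM we are still root */
    return 0;      /* always reports success */
}

/* Returns 1 when real and effective uid/gid all equal the targets, else 0.
 * Used as a final sanity check after dropping privileges. */
int privileges_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Hardened form: supplementary groups first, then gid, then uid (the order
 * matters, since after setuid() we can no longer change groups), every call
 * checked, and the final state verified before reporting success. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* setgroups() needs privilege; skip it when already unprivileged so the
     * routine also runs in an ordinary user's test process. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) {
        fprintf(stderr, "setgroups: %s\n", strerror(errno));
        return -1;
    }
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%u): %s\n", (unsigned)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%u): %s\n", (unsigned)uid, strerror(errno));
        return -1;
    }
    if (!privileges_match(uid, gid)) {
        fprintf(stderr, "credentials do not match requested uid/gid\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed target: a uid an unprivileged process cannot switch to,
     * so setuid() fails and the two routines disagree about what happened. */
    uid_t other = getuid() + 1;

    if (geteuid() == 0) {
        printf("running as root; skipping the demonstration so this process "
               "does not actually change its uid\n");
        return 0;
    }
    printf("unchecked: reports %d, but real uid is still %u\n",
           drop_privileges_unchecked(other, getgid()), (unsigned)getuid());
    printf("checked:   reports %d\n", drop_privileges_checked(other, getgid()));
    return 0;
}
```

Run as an ordinary user, the unchecked routine reports 0 while the process keeps its original uid; the checked routine reports -1 and logs the EPERM from setuid(). A caller that then executes a job only on a 0 result never runs it with the wrong credentials.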
Comment 2 Klaus Singvogel 2006-05-29 08:42:24 UTC
Are there any official patches from the author?
Comment 3 Thomas Biege 2006-05-29 10:27:09 UTC
http://bugs.gentoo.org/attachment.cgi?id=87472
Comment 4 Dirk Mueller 2006-05-29 13:34:14 UTC
Packages that also contain setuid calls without checking the return value:

openswan
NX
X
ppp
xinetd
arts
kdebase3
kdelibs3
kdemultimedia3
kdenetwork3
kdeedu3
icecream
valknut
emacs
openmotif
bitchx
tvtime
arpwatch
ZynAddSubFX
zsh
xterm
xemacs
openssh
dvgt
rarpd
libsmbclient3

Comment 5 Dirk Mueller 2006-05-29 13:41:49 UTC
taper
argus
avifile
ipgrab
Comment 6 Marcus Meissner 2006-05-29 13:56:31 UTC
This is not going to be a good week.

I succeeded in trivially exploiting this problem with CRON at least.
Comment 7 Dirk Mueller 2006-05-29 14:07:34 UTC
dump
openib
gridengine
pdsh
xglx
vocalbin
fte
falconseye
epic
amanda
Comment 8 Dirk Mueller 2006-05-29 14:16:46 UTC
ganglia-monitor-core
wterm
cvs
spamassassin
hanterm-xf
Comment 9 Klaus Singvogel 2006-05-29 16:17:01 UTC
Fixed cron packages submitted for: UL1/SLES8, SLEC8, SLES9, SLES10, 9.1, 9.2, 9.3, 10.0, 10.1.
Security team, please handle the rest of the process, e.g. patchinfo.
Comment 10 Marcus Meissner 2006-05-31 09:17:27 UTC
Created attachment 86044: xx.c
Comment 11 Marcus Meissner 2006-05-31 11:24:26 UTC
Updates released. Thanks!