Debian Security Advisory

DSA-024-1 cron -- local insecure crontab handling

Date Reported:

27 Jan 2001

Affected Packages:

cron

Vulnerable:

Yes

Security database references:

In the Bugtraq database (at SecurityFocus): BugTraq ID 2332.
In Mitre's CVE dictionary: CVE-2001-0235.

More information:

The FreeBSD team has found a bug in the way new crontabs were handled which allowed malicious users to display arbitrary crontab files on the local system. This only affects valid crontab files so it can't be used to get access to /etc/shadow or something. crontab files are not especially secure anyway, as there are other ways they can leak. No passwords or similar sensitive data should be in there. We recommend you upgrade your cron packages.

Fixed in:

Debian 2.2 (potato)

Source:: http://security.debian.org/dists/stable/updates/main/source/cron_3.0pl1.orig.tar.gz; http://security.debian.org/dists/stable/updates/main/source/cron_3.0pl1-57.2.diff.gz; http://security.debian.org/dists/stable/updates/main/source/cron_3.0pl1-57.2.dsc
alpha:: http://security.debian.org/dists/stable/updates/main/binary-alpha/cron_3.0pl1-57.2_alpha.deb
arm:: http://security.debian.org/dists/stable/updates/main/binary-arm/cron_3.0pl1-57.2_arm.deb
i386:: http://security.debian.org/dists/stable/updates/main/binary-i386/cron_3.0pl1-57.2_i386.deb
m68k:: http://security.debian.org/dists/stable/updates/main/binary-m68k/cron_3.0pl1-57.2_m68k.deb
powerpc:: http://security.debian.org/dists/stable/updates/main/binary-powerpc/cron_3.0pl1-57.2_powerpc.deb
sparc:: http://security.debian.org/dists/stable/updates/main/binary-sparc/cron_3.0pl1-57.2_sparc.deb