1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200704-11 / vixie-cron |
| Release Date | April 16, 2007 |
| Latest Revision | April 16, 2007: 01 |
| Impact | low |
| Exploitable | local |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| sys-process/vixie-cron | < 4.1-r10 | >= 4.1-r10 | All supported architectures |
Related bugreports: #164466
The Gentoo implementation of Vixie Cron is vulnerable to a local Denial of Service.
Vixie Cron is a command scheduler with extended syntax over cron.
During an internal audit, Raphael Marichez of the Gentoo Linux Security Team found that Vixie Cron has weak permissions set on Gentoo, allowing for a local user to create hard links to system and users cron files, while a st_nlink check in database.c will generate a superfluous error.
Depending on the partitioning scheme and the "cron" group membership, a malicious local user can create hard links to system or users cron files that will trigger the st_link safety check and prevent the targeted cron file from being run from the next restart or database reload.
There is no known workaround at this time.
All Vixie Cron users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync # emerge --ask --oneshot --verbose ">=sys-process/vixie-cron-4.1-r10" |