> Red Hat, Inc. Security Advisory
>
> Synopsis: Buffer overflow in cron daemon
> Advisory ID: RHSA-1999:030-01
> Issue date: 1999-08-25
> Updated on:
> Keywords: vixie-cron crond MAILTO
> Cross references:
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> A buffer overflow exists in crond, the cron daemon. This
> could allow local users to gain privilege.
>
> 2. Bug IDs fixed (http://developer.redhat.com/bugzilla/):
>
> 4706
>
> 3. Relevant releases/architectures:
>
> Red Hat Linux 4.2, 5.2, 6.0, all architectures
>
> 4. Obsoleted by:
>
> 5. Conflicts with:
>
> 6. RPMs required:
>
> Red Hat Linux 4.2:
>
> Intel:
> rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/i386/vixie-cron-3.0.1-36.4.2.i386.rpm
>
> Alpha:
> rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/alpha/vixie-cron-3.0.1-36.4.2.alpha.rpm
>
> Sparc:
> rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/sparc/vixie-cron-3.0.1-36.4.2.sparc.rpm
>
> Source packages:
> rpm -Uvh ftp://ftp.redhat.com/redhat/updates/4.2/SRPMS/vixie-cron-3.0.1-36.4.2.src.rpm
>
> Red Hat Linux 5.2:
>
> Intel:
> rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/i386/vixie-cron-3.0.1-36.5.2.i386.rpm
>
> Alpha:
> rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/alpha/vixie-cron-3.0.1-36.5.2.alpha.rpm
>
> Sparc:
> rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/sparc/vixie-cron-3.0.1-36.5.2.sparc.rpm
>
> Source packages:
> rpm -Uvh ftp://ftp.redhat.com/redhat/updates/5.2/SRPMS/vixie-cron-3.0.1-36.5.2.src.rpm
>
> Red Hat Linux 6.0:
>
> Intel:
> rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/i386/vixie-cron-3.0.1-37.i386.rpm
>
> Alpha:
> rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/alpha/vixie-cron-3.0.1-37.alpha.rpm
>
> Sparc:
> rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/sparc/vixie-cron-3.0.1-37.sparc.rpm
>
> Source packages:
> rpm -Uvh ftp://ftp.redhat.com/redhat/updates/6.0/SRPMS/vixie-cron-3.0.1-37.src.rpm
>
> 7. Problem description:
>
> By creating a crontab that runs with a specially formatted
> 'MAILTO' environment variable, it is possible for local users
> to overflow a fixed-length buffer in the cron daemon's
> cron_popen() function. Since the cron daemon runs as root,
> it would be theoretically possible for local users to use
> this buffer overflow to gain root privilege.
>
> To the best of our knowledge, no known exploits exist
> at this time.
>
> Also, it was possible to use specially formatted 'MAILTO'
> environment variables to send commands to sendmail.
>
> 8. Solution:
>
> For each RPM for your particular architecture, run:
>
> rpm -Uvh <filename>
>
> where filename is the name of the RPM.
>
> 9. Verification:
>
> These packages are PGP signed by Red Hat Inc. for security. Our key
> is available at:
>
> http://www.redhat.com/corp/contact.html
>
> You can verify each package with the following command:
>
> rpm --checksig
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
>
> rpm --checksig --nopgp
>
> 10. References:
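
The kind of check that addresses both issues in the problem description (an over-long MAILTO value, and one that the mailer reads as options or commands), as an added example that is not code from the advisory or from vixie-cron. The names `mailto_is_safe` and `build_mail_cmd`, the buffer sizes, the allowed character set, and the mailer path and flags are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAIL_CMD_MAX 256  /* assumed buffer size, not taken from vixie-cron */
#define MAILTO_MAX   64   /* assumed upper bound on a recipient name */

/* Return 1 if the recipient is safe to place on a mailer command line. */
static int mailto_is_safe(const char *mailto)
{
    size_t len = strlen(mailto);

    if (len == 0 || len > MAILTO_MAX)
        return 0;                 /* empty or over-long value */
    if (mailto[0] == '-')
        return 0;                 /* would be read as a mailer option */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)mailto[i];
        if (!isalnum(c) && strchr("._-+@", c) == NULL)
            return 0;             /* whitespace, quotes, shell metacharacters */
    }
    return 1;
}

/* Build the mailer command in a caller-supplied fixed-size buffer.
 * Returns 0 on success, -1 if the value is rejected or would not fit.
 * The pattern this replaces is an unchecked sprintf(buf, "... %s", mailto). */
int build_mail_cmd(char *out, size_t outsz, const char *mailto)
{
    int n;

    if (out == NULL || outsz == 0 || mailto == NULL || !mailto_is_safe(mailto))
        return -1;
    /* Mailer path and flags are assumptions for this example. */
    n = snprintf(out, outsz, "/usr/sbin/sendmail -odi -oem %s", mailto);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                /* truncated: refuse to run a partial command */
    return 0;
}

int main(void)
{
    /* Constructed sample values. */
    const char *samples[] = { "root", "ops@example.com", "-option", "a b" };
    char cmd[MAIL_CMD_MAX];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               build_mail_cmd(cmd, sizeof cmd, samples[i]) == 0 ? cmd : "rejected");
    return 0;
}
```

Checking the `snprintf` return value matters as much as the size argument: a silently truncated command line is still a malformed command.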