Debian Bug report logs - #686650
bcron: CVE-2012-6110: bcron file descriptors not closed
Reported by: Anton Khalikov <anton@khalikov.ru>
Date: Tue, 4 Sep 2012 11:00:01 UTC
Severity: critical
Tags: security, upstream
Found in versions bcron/0.09-12, bcron/0.09-11
Fixed in versions bcron/0.09-13, bcron/0.09-11+squeeze1
Done: Gerrit Pape <pape@smarden.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#686650; Package bcron.
(Tue, 04 Sep 2012 11:00:04 GMT)
Acknowledgement sent
to Anton Khalikov <anton@khalikov.ru>:
New Bug report received and forwarded. Copy sent to Gerrit Pape <pape@smarden.org>.
(Tue, 04 Sep 2012 11:00:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: bcron
Version: 0.09-12
Severity: normal
Tags: upstream
Dear Maintainer,
I think I have found a security breach in bcron. The bcron-exec program does not close
its file descriptors when it does fork()/exec() to run scheduled jobs. When used in an
untrusted environment such as shared hosting, it is possible for one user to send
spam from neighbour users' accounts or read others' cron job stdout.
In more detail: if any user's program runs through cron and generates some output to
stdout/stderr, cron must send its output to the owner's e-mail. Bcron uses the start_slot()
function to create a temp file, writes e-mail message headers into it to prepare
this mail to be sent, and then does fork/exec to run the scheduled task and redirects
its stdout/stderr to this particular file. After this task has done its work,
bcron in end_slot() compares the length of the temp file with the stored length of the empty
temp file with only headers filled in and, if they differ, end_slot() runs sendmail
to deliver this message.
start_slot() calls forkexec_slot() to fork and forkexec_slot() calls exec_cmd()
to exec the corresponding task. But before calling execv() it must close all open fds
except stdin/stdout/stderr. Unfortunately, there is no such code in exec_cmd().
If one creates 2 tasks and runs them simultaneously using bcron, the following
situation occurs:
1. First task (cron1.sh):
root@debian:~# lsof -p 14230
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cron1.sh 14230 root cwd DIR 254,0 4096 902 /root
cron1.sh 14230 root rtd DIR 254,0 4096 2 /
cron1.sh 14230 root txt REG 254,0 106920 624 /bin/dash
cron1.sh 14230 root mem REG 254,0 1583120 732 /lib/x86_64-linux-gnu/libc-2.13.so
cron1.sh 14230 root mem REG 254,0 136936 977 /lib/x86_64-linux-gnu/ld-2.13.so
cron1.sh 14230 root 0u CHR 1,3 0t0 1199 /dev/null
cron1.sh 14230 root 1u REG 0,17 479453 22716 /tmp/bcron.14096.1346752020.105007 (deleted)
cron1.sh 14230 root 2u REG 0,17 479453 22716 /tmp/bcron.14096.1346752020.105007 (deleted)
cron1.sh 14230 root 3r FIFO 0,8 0t0 55752 pipe
cron1.sh 14230 root 10r REG 254,0 45 115 /root/cron1.sh
2. second task (cron2.sh):
root@debian:~# lsof -p 14231
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cron2.sh 14231 root cwd DIR 254,0 4096 902 /root
cron2.sh 14231 root rtd DIR 254,0 4096 2 /
cron2.sh 14231 root txt REG 254,0 106920 624 /bin/dash
cron2.sh 14231 root mem REG 254,0 1583120 732 /lib/x86_64-linux-gnu/libc-2.13.so
cron2.sh 14231 root mem REG 254,0 136936 977 /lib/x86_64-linux-gnu/ld-2.13.so
cron2.sh 14231 root 0u CHR 1,3 0t0 1199 /dev/null
cron2.sh 14231 root 1u REG 0,17 316908 22717 /tmp/bcron.14096.1346752020.105958 (deleted)
cron2.sh 14231 root 2u REG 0,17 316908 22717 /tmp/bcron.14096.1346752020.105958 (deleted)
cron2.sh 14231 root 3r FIFO 0,8 0t0 44757 pipe
cron2.sh 14231 root 6u REG 0,17 318938 22716 /tmp/bcron.14096.1346752020.105007 (deleted)
cron2.sh 14231 root 10r REG 254,0 45 112 /root/cron2.sh
Notice that fd #6 is the temp file created for gathering the output of cron1.sh, but cron2.sh
has access to it and may overwrite it with its own content. This message
would then be sent from cron1 although cron1 never generated it.
Speaking about a shared hosting environment, it is possible for a malicious user
to send spam without any traces showing this spam was sent from his/her account.
I'm going to attach a patch fixing this issue after it is tested and considered stable.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages bcron depends on:
ii libbg1 1.106-1
ii libc6 2.13-35
Versions of packages bcron recommends:
ii bcron-run 0.09-12
ii postfix [mail-transport-agent] 2.9.3-2.1
ii runit 2.1.1-6.2
ii ucspi-unix 0.36-4
bcron suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#686650; Package bcron.
(Wed, 05 Sep 2012 07:15:08 GMT)
Acknowledgement sent
to Anton Khalikov <anton@khalikov.ru>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
(Wed, 05 Sep 2012 07:15:08 GMT)
Message #10 received at 686650@bugs.debian.org:
Hello there,
the patch is as simple as follows:
$ diff bcron-exec.c.orig bcron-exec.c
108a109
> int slot;
110d110
< close(fdin);
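Review bot: in the 110d110 hunk, close(fdin) is removed and nothing in the visible lines replaces it. Unless fdin is always one of 0, 1 or 2 at this point, or is closed elsewhere in exec_cmd(), it stays open across execv(), which is the same kind of leak this patch sets out to fix. Please keep the close, or state in the patch description why it is no longer needed.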
113c113,115
< close(fdout);
---
> for (slot = 0; slot < SLOT_MAX; ++slot)
> if (slots[slot].tmpfd != -1)
> close(slots[slot].tmpfd);
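Review bot: the loop in the 113c113,115 hunk closes only slots[].tmpfd, and only in the child just before exec. The lsof output in the report also shows a pipe on fd 3 in both jobs, which this loop does not touch, and any descriptor later opened outside slots[] would leak again. Setting FD_CLOEXEC on each descriptor when it is created would cover these without enumerating descriptors here. If the loop stays, please confirm that fdout has already been duplicated onto stdout/stderr before the slot's own tmpfd is closed, and that dropping close(fdout) does not leave fdout open in cases where it is not a slot tmpfd.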
I'm going to do more testing on production systems with heavy bcron usage (a few thousand jobs per day) and report about success/failure after a couple of days.
---
Best regards,
Anton Khalikov
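The descriptor inheritance reported above, with the two remedies that appear in this log (closing every slot descriptor in the child, as in the patch above, and marking the temporary files close-on-exec, as the upload notes further down describe), as an added C illustration that is not bcron source and not part of the thread. The names `make_slot`, `tmpfd`, `NSLOTS` and `enum fix` are constructed here, and a POSIX system with `/bin/sh` and a writable `/tmp` is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed names: none of this is bcron source. */
enum fix { FIX_NONE, FIX_CLOSE_IN_CHILD, FIX_CLOEXEC };
#define NSLOTS 2
static int tmpfd[NSLOTS];

/* Unlinked temp file standing in for one job's mail buffer. */
static int make_slot(enum fix fix)
{
    char path[] = "/tmp/fdleak-demo.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (fix == FIX_CLOEXEC && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) { close(fd); return -1; }
    return fd;
}

/* Start "job 2" while job 1's buffer is still open in the scheduler and let it
 * write to job 1's descriptor. Returns bytes that landed there, or -1 on error. */
long bytes_written_to_other_job(enum fix fix)
{
    char cmd[64];
    struct stat st;
    pid_t pid;
    int i, status;

    for (i = 0; i < NSLOTS; i++)
        if ((tmpfd[i] = make_slot(fix)) < 0) return -1;
    if (tmpfd[0] > 9) return -1;   /* some sh accept only one digit after >& */
    snprintf(cmd, sizeof cmd, "echo forged >&%d", tmpfd[0]);
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        /* dup2() copies never carry FD_CLOEXEC, so the job keeps its own output. */
        dup2(tmpfd[1], 1);
        dup2(tmpfd[1], 2);
        if (fix == FIX_CLOSE_IN_CHILD)
            for (i = 0; i < NSLOTS; i++) close(tmpfd[i]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || fstat(tmpfd[0], &st) < 0) return -1;
    for (i = 0; i < NSLOTS; i++) close(tmpfd[i]);
    return (long)st.st_size;
}

int main(void)
{
    printf("none=%ld close-in-child=%ld cloexec=%ld\n", bytes_written_to_other_job(FIX_NONE),
           bytes_written_to_other_job(FIX_CLOSE_IN_CHILD), bytes_written_to_other_job(FIX_CLOEXEC));
    return 0;
}
```

A non-zero result means the second job could put content into the first job's mail buffer; both remedies bring it to zero, but only the close-on-exec variant also protects descriptors that a later code change forgets to enumerate.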
Information forwarded
to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#686650; Package bcron.
(Fri, 07 Sep 2012 08:09:03 GMT)
Acknowledgement sent
to Anton Khalikov <anton@khalikov.ru>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
(Fri, 07 Sep 2012 08:09:03 GMT)
Message #15 received at 686650@bugs.debian.org:
Hello there,
looks like the provided patch works ok: no complaints received. It has been tested on 7 production servers within 2 days.
---
Best regards,
Anton Khalikov
Information forwarded
to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#686650; Package bcron.
(Fri, 07 Sep 2012 08:57:07 GMT)
Acknowledgement sent
to Anton Khalikov <anton@khalikov.ru>, 686650@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
(Fri, 07 Sep 2012 08:57:07 GMT)
Message #20 received at 686650@bugs.debian.org:
On Fri, Sep 07, 2012 at 02:07:47PM +0600, Anton Khalikov wrote:
> Hello there,
>
> looks like the provided patch works ok: no complaints received. It has been tested on 7 production servers within 2 days.
Thank you very much, Anton. I'll take this upstream.
Regards, Gerrit.
Severity set to 'critical' from 'normal'
Request was from Gerrit Pape <pape@dbnbgs.smarden.org>
to control@bugs.debian.org.
(Wed, 16 Jan 2013 14:51:04 GMT)
Added tag(s) security.
Request was from Gerrit Pape <pape@dbnbgs.smarden.org>
to control@bugs.debian.org.
(Wed, 16 Jan 2013 14:51:05 GMT)
Reply sent
to Gerrit Pape <pape@smarden.org>:
You have taken responsibility.
(Wed, 16 Jan 2013 15:03:05 GMT)
Notification sent
to Anton Khalikov <anton@khalikov.ru>:
Bug acknowledged by developer.
(Wed, 16 Jan 2013 15:03:06 GMT)
Message #29 received at 686650-close@bugs.debian.org:
Source: bcron
Source-Version: 0.09-13
We believe that the bug you reported is fixed in the latest version of
bcron, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 686650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gerrit Pape <pape@smarden.org> (supplier of updated bcron package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 16 Jan 2013 10:13:37 +0000
Source: bcron
Binary: bcron bcron-run
Architecture: all source
Version: 0.09-13
Distribution: unstable
Urgency: medium
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Gerrit Pape <pape@smarden.org>
Description:
bcron - Bruce's cron system (programs)
bcron-run - Bruce's cron system
Closes: 686650
Changes:
bcron (0.09-13) unstable; urgency=medium
.
* debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-...diff:
new; from upstream git; bcron-exec: Mark all temporary files
close-on-exec and close selfpipe; this fixes a security bug in
bcron where cron jobs get access to the temporary output files from
all other jobs that are still running (closes: #686650).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlD2gFMACgkQGJoyQbxwpv/DPACfWNiOscyMpSz8wj03EMExC5CX
SsIAn2nS3o4wWZqwjHU7AIB3IdWioS87
=8npn
-----END PGP SIGNATURE-----
Changed Bug title to 'bcron: CVE-2012-6110: bcron file descriptors not closed' from 'bcron: Possible bcron security breach'
Request was from Henri Salo <henri@nerv.fi>
to control@bugs.debian.org.
(Thu, 17 Jan 2013 13:12:03 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#686650; Package bcron.
(Thu, 17 Jan 2013 23:36:06 GMT)
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
(Thu, 17 Jan 2013 23:36:06 GMT)
Message #36 received at 686650@bugs.debian.org:
Package: bcron
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.7) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/686650/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Information forwarded
to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#686650; Package bcron.
(Fri, 18 Jan 2013 15:09:05 GMT)
Acknowledgement sent
to Gerrit Pape <pape@dbnbgs.smarden.org>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
(Fri, 18 Jan 2013 15:09:05 GMT)
Message #41 received at 686650@bugs.debian.org:
Hi,
as suggested by Jonathan below, I prepared a bcron package fixing
#686650 as candidate for the next squeeze point release. A debdiff is
attached, the package ready for upload.
Regards, Gerrit.
On Thu, Jan 17, 2013 at 11:42:08AM -0000, Jonathan Wiltshire wrote:
> Package: bcron
>
> Dear maintainer,
>
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
>
> squeeze (6.0.7) - use target "stable"
>
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
>
> I will happily assist you at any stage if the patch is straightforward and
> you need help. Please keep me in CC at all times so I can
> track [1] the progress of this request.
>
> For details of this process and the rationale, please see the original
> announcement [2] and my blog post [3].
>
> 0: debian-release@lists.debian.org
> 1: http://prsc.debian.net/tracker/686650/
> 2: <201101232332.11736.thijs@debian.org>
> 3: http://deb.li/prsc
>
> Thanks,
>
> with his security hat on:
> --
> Jonathan Wiltshire jmw@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
[debdiff (text/plain, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#686650; Package bcron.
(Fri, 18 Jan 2013 20:33:06 GMT)
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
(Fri, 18 Jan 2013 20:33:06 GMT)
Message #46 received at 686650@bugs.debian.org:
Control: found -1 0.09-11
On Fri, 2013-01-18 at 14:57 +0000, Gerrit Pape wrote:
> as suggested by Jonathan below, I prepared a bcron package fixing
> #686650 as candidate for the next squeeze point release. A debdiff is
> attached, the package ready for upload.
Please go ahead; thanks.
Regards,
Adam
Marked as found in versions bcron/0.09-11.
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk>
to 686650-submit@bugs.debian.org.
(Fri, 18 Jan 2013 20:33:06 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#686650; Package bcron.
(Tue, 22 Jan 2013 20:45:06 GMT)
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
(Tue, 22 Jan 2013 20:45:06 GMT)
Message #53 received at 686650@bugs.debian.org:
On Fri, 2013-01-18 at 20:28 +0000, Adam D. Barratt wrote:
> On Fri, 2013-01-18 at 14:57 +0000, Gerrit Pape wrote:
>
> > as suggested by Jonathan below, I prepared a bcron package fixing
> > #686650 as candidate for the next squeeze point release. A debdiff is
> > attached, the package ready for upload.
>
> Please go ahead; thanks.
Flagged for acceptance in to p-u.
Regards,
Adam
Reply sent
to Gerrit Pape <pape@smarden.org>:
You have taken responsibility.
(Tue, 22 Jan 2013 20:51:05 GMT)
Notification sent
to Anton Khalikov <anton@khalikov.ru>:
Bug acknowledged by developer.
(Tue, 22 Jan 2013 20:51:05 GMT)
Message #58 received at 686650-close@bugs.debian.org:
Source: bcron
Source-Version: 0.09-11+squeeze1
We believe that the bug you reported is fixed in the latest version of
bcron, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 686650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gerrit Pape <pape@smarden.org> (supplier of updated bcron package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 18 Jan 2013 03:21:49 +0000
Source: bcron
Binary: bcron bcron-run
Architecture: all source
Version: 0.09-11+squeeze1
Distribution: stable
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Gerrit Pape <pape@smarden.org>
Description:
bcron - Bruce's cron system (programs)
bcron-run - Bruce's cron system
Closes: 686650
Changes:
bcron (0.09-11+squeeze1) stable; urgency=high
.
* debian/diff/0008-bcron-exec-Mark-all-temporary-files-close-...diff:
new; from upstream git; bcron-exec: Mark all temporary files
close-on-exec and close selfpipe; this fixes a security bug in
bcron where cron jobs get access to the temporary output files from
all other jobs that are still running (CVE-2012-6110, closes:
#686650).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlD74OkACgkQGJoyQbxwpv+vmwCfWFtwITNdvyYBelYH5jPN0pS9
vU8An2L9LHBFz6oM3Xnlq7KqE8VPLx7/
=5l6X
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Feb 2013 07:28:15 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Jul 16 03:09:22 2024;