Debian Bug report logs - #864466
cron: CVE-2017-9525: group crontab to root escalation via postinst


Package: src:cron; Maintainer for src:cron is Georges Khaznadar <georgesk@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 9 Jun 2017 05:45:02 UTC

Severity: important

Tags: patch, security

Found in version cron/3.0pl1-127

Fixed in version cron/3.0pl1-129

Done: Javier Fernández-Sanguino Peña <jfs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Javier Fernández-Sanguino Peña <jfs@debian.org>:
Bug#864466; Package src:cron. (Fri, 09 Jun 2017 05:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Javier Fernández-Sanguino Peña <jfs@debian.org>. (Fri, 09 Jun 2017 05:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cron: group crontab to root escalation via postinst
Date: Fri, 09 Jun 2017 07:40:18 +0200
Source: cron
Version: 3.0pl1-127
Severity: important
Tags: security

Hi

A group crontab to root escalation via the postinst in Debian and Ubuntu
has been reported, as stated in the oss-security post:

http://www.openwall.com/lists/oss-security/2017/06/08/3

Our postinst contains:

| # Fixup crontab , directory and files for new group 'crontab'.
| # Can't use dpkg-statoverride for this because it doesn't cooperate nicely
| # with cron alternatives such as bcron
| if [ -d $crondir/crontabs ] ; then
|     chown root:crontab $crondir/crontabs
|     chmod 1730 $crondir/crontabs
|     # This used to be done conditionally. For versions prior to "3.0pl1-81"
|     # It has been disabled to suit cron alternative such as bcron.
|     cd $crondir/crontabs
|     set +e
|     ls -1 | xargs -r -n 1 --replace=xxx  chown 'xxx:crontab' 'xxx'
|     ls -1 | xargs -r -n 1 chmod 600
|     set -e
| fi

which can be used for group-crontab-to-root escalation of privileges
as described by Qualys team in the above reference.

(note that for the first issue, we have already had the kernel hardening
in place since Debian Wheezy).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@debian.org>:
Bug#864466; Package src:cron. (Fri, 09 Jun 2017 18:27:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@debian.org>. (Fri, 09 Jun 2017 18:27:03 GMT)


Message #10 received at 864466@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 864466@bugs.debian.org
Subject: Re: Bug#864466: cron: group crontab to root escalation via postinst
Date: Fri, 9 Jun 2017 20:23:59 +0200
Control: retitle -1 cron: CVE-2017-9525: group crontab to root escalation via postinst

Hi,

On Fri, Jun 09, 2017 at 07:40:18AM +0200, Salvatore Bonaccorso wrote:
> There is reported a group crontab to root escalation via the postinst
> in Debian and Ubuntu, as stated in the oss-security post:
> 
> http://www.openwall.com/lists/oss-security/2017/06/08/3
> 
> Our postinst contains:
> 
> | # Fixup crontab , directory and files for new group 'crontab'.
> | # Can't use dpkg-statoverride for this because it doesn't cooperate nicely
> | # with cron alternatives such as bcron
> | if [ -d $crondir/crontabs ] ; then
> |     chown root:crontab $crondir/crontabs
> |     chmod 1730 $crondir/crontabs
> |     # This used to be done conditionally. For versions prior to "3.0pl1-81"
> |     # It has been disabled to suit cron alternative such as bcron.
> |     cd $crondir/crontabs
> |     set +e
> |     ls -1 | xargs -r -n 1 --replace=xxx  chown 'xxx:crontab' 'xxx'
> |     ls -1 | xargs -r -n 1 chmod 600
> |     set -e
> | fi
> 
> which can be used for group-crontab-to-root escalation of privileges
> as described by Qualys team in the above reference.

This has been assigned CVE-2017-9525.

Regards,
Salvatore



Changed Bug title to 'cron: CVE-2017-9525: group crontab to root escalation via postinst' from 'cron: group crontab to root escalation via postinst'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 864466-submit@bugs.debian.org. (Fri, 09 Jun 2017 18:27:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@debian.org>:
Bug#864466; Package src:cron. (Mon, 12 Jun 2017 21:54:04 GMT)


Acknowledgement sent to Christian Kastner <ckk@debian.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@debian.org>. (Mon, 12 Jun 2017 21:54:05 GMT)


Message #17 received at 864466@bugs.debian.org:

From: Christian Kastner <ckk@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 864466@bugs.debian.org
Subject: Re: Bug#864466: cron: group crontab to root escalation via postinst
Date: Mon, 12 Jun 2017 23:17:50 +0200
Control: tag -1 +patch

Hi Salvatore,

On 2017-06-09 20:23, Salvatore Bonaccorso wrote:
> On Fri, Jun 09, 2017 at 07:40:18AM +0200, Salvatore Bonaccorso wrote:
>> There is reported a group crontab to root escalation via the postinst
>> in Debian and Ubuntu, as stated in the oss-security post:
>>
>> http://www.openwall.com/lists/oss-security/2017/06/08/3
>>
>> Our postinst contains:
>>
>> | # Fixup crontab , directory and files for new group 'crontab'.
>> | # Can't use dpkg-statoverride for this because it doesn't cooperate nicely
>> | # with cron alternatives such as bcron
>> | if [ -d $crondir/crontabs ] ; then
>> |     chown root:crontab $crondir/crontabs
>> |     chmod 1730 $crondir/crontabs
>> |     # This used to be done conditionally. For versions prior to "3.0pl1-81"
>> |     # It has been disabled to suit cron alternative such as bcron.
>> |     cd $crondir/crontabs
>> |     set +e
>> |     ls -1 | xargs -r -n 1 --replace=xxx  chown 'xxx:crontab' 'xxx'
>> |     ls -1 | xargs -r -n 1 chmod 600
>> |     set -e
>> | fi
>>
>> which can be used for group-crontab-to-root escalation of privileges
>> as described by Qualys team in the above reference.
> 
> This has been assigned CVE-2017-9525.

Please find attached a first draft of a (so far only rudimentarily
tested) patch for this issue.

I replace the unconditional chown/chgrp of everything under
/var/spool/cron/crontabs with a conditional solution. A file in that
directory must now satisfy the following requirements:
  1. It must be a regular file
  2. It must have a hard link count of exactly 1
  3. Its name must match its owner (the daemon expects this)

We cannot really add a test for the group because the intention is to
change it from whatever it currently is to what we expect.

Adding a test for non-executability is something that could be
considered. We'd have to check interoperability with other cron
implementations.

Please let me know what you think.

Regards,
Christian



[cve-2017-9525.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, attachment)]
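The conditional fixup Christian describes, written out as an added shell example. This is not the attached cve-2017-9525.patch and not Debian's postinst; the function names crontab_is_safe and fixup_crontabs are my own, and it assumes POSIX sh with GNU coreutils stat (the -c format flags), a spool directory laid out like /var/spool/cron/crontabs, and an existing group named crontab. Each entry must pass the three requirements from the message (regular file, link count of exactly 1, name equal to owner) before it is chowned or chmodded; anything else is left alone and reported.

```shell
#!/bin/sh
# Added example, not the Debian cron postinst or the patch attached to this bug.
# Assumes GNU stat (-c) and a spool directory such as /var/spool/cron/crontabs.

# crontab_is_safe FILE
# Succeeds only when FILE is a regular file (not a symlink), has a hard
# link count of exactly 1, and its basename equals its owner's user name.
crontab_is_safe() {
    f=$1
    # [ -f ] follows symlinks, so reject those explicitly first
    [ ! -h "$f" ] && [ -f "$f" ] || return 1
    # %h = hard link count, %U = owner name (GNU stat format flags)
    links=$(stat -c '%h' "$f") || return 1
    owner=$(stat -c '%U' "$f") || return 1
    [ "$links" -eq 1 ] || return 1
    [ "$(basename "$f")" = "$owner" ] || return 1
    return 0
}

# fixup_crontabs SPOOLDIR [GROUP]
# Sets directory ownership and mode as the original postinst did, then fixes
# ownership and mode only of entries that pass crontab_is_safe. Unexpected
# entries are skipped and reported on stderr. Needs root for the chown calls.
fixup_crontabs() {
    dir=$1
    group=${2:-crontab}
    [ -d "$dir" ] || return 0
    chown root:"$group" "$dir"
    chmod 1730 "$dir"
    for f in "$dir"/*; do
        # an empty directory leaves the glob unexpanded; skip that case
        [ -e "$f" ] || [ -h "$f" ] || continue
        if crontab_is_safe "$f"; then
            # the name passed the owner check, so owner:group is derived from it
            chown "$(basename "$f"):$group" "$f"
            chmod 600 "$f"
        else
            echo "fixup_crontabs: skipping unexpected entry $f" >&2
        fi
    done
    # like the original's set +e, one bad entry must not abort the install
    return 0
}
```

In a postinst this would be called as `fixup_crontabs "$crondir/crontabs"` in place of the unconditional `ls | xargs chown` loop. As the message says, the group is deliberately not part of the check, since the point of the fixup is to change it, and a non-executable test is not included. The check and the subsequent chown are still separate operations on a path, so the window between them is the remaining weak point of any such script; that is why the entry is rejected rather than repaired when it fails any test.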

Added tag(s) patch. Request was from Christian Kastner <ckk@debian.org> to 864466-submit@bugs.debian.org. (Mon, 12 Jun 2017 21:54:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@debian.org>:
Bug#864466; Package src:cron. (Mon, 12 Jun 2017 21:57:02 GMT)


Acknowledgement sent to Christian Kastner <ckk@debian.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@debian.org>. (Mon, 12 Jun 2017 21:57:02 GMT)


Message #24 received at 864466@bugs.debian.org:

From: Christian Kastner <ckk@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 864466@bugs.debian.org
Subject: Re: Bug#864466: cron: group crontab to root escalation via postinst
Date: Mon, 12 Jun 2017 23:53:12 +0200
On 2017-06-12 23:17, Christian Kastner wrote:
> Please find attached a first draft of a (so far only rudimentally
> tested) patch for this issue.

I attached an updated version in which I reverted a last-minute change
breaking the name comparison.

[cve-2017-9525.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Javier Fernández-Sanguino Peña <jfs@debian.org>:
You have taken responsibility. (Sun, 11 Mar 2018 23:06:20 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 11 Mar 2018 23:06:21 GMT)


Message #29 received at 864466-close@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@debian.org>
To: 864466-close@bugs.debian.org
Subject: Bug#864466: fixed in cron 3.0pl1-129
Date: Sun, 11 Mar 2018 23:04:21 +0000
Source: cron
Source-Version: 3.0pl1-129

We believe that the bug you reported is fixed in the latest version of
cron, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864466@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernández-Sanguino Peña <jfs@debian.org> (supplier of updated cron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 11 Mar 2018 22:38:06 +0100
Source: cron
Binary: cron
Architecture: source i386
Version: 3.0pl1-129
Distribution: unstable
Urgency: medium
Maintainer: Javier Fernández-Sanguino Peña <jfs@debian.org>
Changed-By: Javier Fernández-Sanguino Peña <jfs@debian.org>
Description:
 cron       - process scheduling daemon
Closes: 767016 783665 801384 819832 864466
Changes:
 cron (3.0pl1-129) unstable; urgency=medium
 .
   * Acknowledge NMU
   * debian/cron.init, debian/cron.service: Make sure cron is started last and
     stopped first, with patch provided by Harald Dunke
     (Closes: #767016, #801384, #783665) (LP: #1593317)
   * crontab.1: Document limitation due to account renaming as described in
     Ubuntu's bug 73398
   * crontab.5: Document the need to set the DISPLAY environment when running
     scheduled tasks that interact with the user's desktop environment
     (LP: #891869)
   * cron.8: Fix typo (Closes: 819832)
   * debian/control: Replace dh-systemd dependency with debhelper (lintian fix)
   * debian/README.Debian: Update maintainer address
 .
   [ Christian Kastner ]
   * debian/postinst: Fix for CVE-2017-9525: group crontab to root escalation via postinst
   as described by Alexander Peslyak (Solar Designer) in
   http://www.openwall.com/lists/oss-security/2017/06/08/3
   (Closes: 864466)
Checksums-Sha1:
 c39da58d644fe25595757acf8a36e551c52e1f97 1923 cron_3.0pl1-129.dsc
 f4c9296f8f8e37b439eca312fd837b729349f0b8 99872 cron_3.0pl1-129.diff.gz
 1760612136fc7fa609daf5c158856f69016bdfaf 78752 cron-dbgsym_3.0pl1-129_i386.deb
 127dfa254c2cba86a08aadad86bfa9288e792c0e 6329 cron_3.0pl1-129_i386.buildinfo
 694978c4128ef70924dd3fabb963959c200806ca 98092 cron_3.0pl1-129_i386.deb
Checksums-Sha256:
 b21e922cdc5b0b2f5e623da7086a38f69f8d2e3b230640620bd9e1cbd831204a 1923 cron_3.0pl1-129.dsc
 996bce2be55c5c46d145946b8d6a9d86f56cc32a8ff8ba7bf8965512ee398a67 99872 cron_3.0pl1-129.diff.gz
 341d093492bf55a5c25270d8117376a69ec65426e459b63a8ee39d33faac3f37 78752 cron-dbgsym_3.0pl1-129_i386.deb
 794f1648462df67c749294923c1546d2968d582276c609677cda58333384216a 6329 cron_3.0pl1-129_i386.buildinfo
 fd55c3a3cc1291e833730888f19fbfa370635798b31296ad08af2dd069eff957 98092 cron_3.0pl1-129_i386.deb
Files:
 b9fea6c16c4154d0e500f6fb465a5118 1923 admin important cron_3.0pl1-129.dsc
 fbc47dd4bb66d84c3a37e8f712ecb019 99872 admin important cron_3.0pl1-129.diff.gz
 ca5e626233fd34fc3617d6e975989307 78752 debug optional cron-dbgsym_3.0pl1-129_i386.deb
 d43255a230a9288caa03089d2e3a44c1 6329 admin important cron_3.0pl1-129_i386.buildinfo
 e08efce3c6b00eb7caa779e0b28d002e 98092 admin important cron_3.0pl1-129_i386.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Apr 2018 07:29:01 GMT)

