Message-ID: <20200520145218.GA18670@openwall.com>
Date: Wed, 20 May 2020 16:52:18 +0200
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: vixie-cron lost allow_error fix

Hi,

I recently learned that we inadvertently lost the fix for crontab's checking of /etc/cron.{allow,deny} files. The issue was recently rediscovered and patched in Debian, and I went to check our code - finding that we no longer have the fix.

I think we lost it here:

* Mon Mar 14 2005 Solar Designer <solar-at-owl.openwall.com> 4.1.20040916-owl1
- Applied many assorted corrections and cleanups.

* Sun Feb 20 2005 Juan M. Bello Rivas <jmbr-at-owl.openwall.com> 4.1.20040916-owl0.1
- Updated to 4.1 as found in OpenBSD CVS snapshot dated 2004/09/16, with modifications by Jarno Huuskonen and Dmitry V. Levin.

Looks like I wasn't careful enough in reviewing Juan's work here.

Not having this fix is a clear bug (not just missing hardening), because the crontab(1) man page explicitly says:

"If crontab is unable to read the files, users will not be allowed to use crontab."

which without that fix is false.

Dmitry, you might want to check ALT Linux's package and see if it needs the fix. While you're at it, feel free to get it into Owl as well. You even re-learned CVS recently for passwdqc 1.4.0, so may as well reuse this skill while it's not forgotten again. ;-)

https://twitter.com/solardiz/status/1227223685989388289

Looks like I had fixed this in Owl's package of Vixie Cron in 2000 (before we released Owl publicly) by denying access on errors other than ENOENT, but we lost the fix in update to newer upstream (OpenBSD) code in 2005. Oops.

https://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/Attic/vixie-cron-3.0.2.7-owl-linux.diff.diff?r1=1.1;r2=1.2 (search for "allow_error").

https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1813833
https://git.launchpad.net/ubuntu/+source/cron/commit/?id=c0bed5493f4ce1d1e60d12c2e459d32ebcd433be

Alexander
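The allow/deny check with the "allow_error" semantics the message describes, as an added example written for this page and not code from Vixie Cron, Owl or Debian: list_has_user(), user_allowed() and write_list() are hypothetical names, the list files are created by the example itself rather than read from /etc, and the only behaviour taken from the page is that any failure to read a list other than ENOENT denies the user.

```c
/* Added example, not Vixie Cron's or Owl's code. Hypothetical names:
 * list_has_user(), user_allowed(), write_list(). Demonstrates the crontab(1)
 * rule "unable to read the files => not allowed" (deny on errors != ENOENT). */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if 'path' exists and lists 'user', 0 if it exists and does not,
 * -1 if it does not exist (ENOENT), -2 on any other open or read error. */
static int list_has_user(const char *path, const char *user)
{
    FILE *fp = fopen(path, "r");
    char line[256];
    int found = 0;

    if (!fp)
        return errno == ENOENT ? -1 : -2;   /* EACCES, ENOTDIR, ... => -2 */
    while (fgets(line, sizeof line, fp)) {
        line[strcspn(line, "\r\n")] = '\0'; /* one user name per line */
        if (strcmp(line, user) == 0)
            found = 1;
    }
    if (ferror(fp))                         /* read error mid-file (e.g. EISDIR) */
        found = -2;
    fclose(fp);
    return found;
}

/* Man page order: allow file present -> only listed users; else deny file
 * present -> everyone not listed; neither -> 'default_allow'. Any error other
 * than "file does not exist" denies; dropping those two checks reproduces the
 * bug the message describes (an unreadable list behaves like a missing one). */
int user_allowed(const char *allow, const char *deny, const char *user, int default_allow)
{
    int r = list_has_user(allow, user);
    if (r >= 0) return r;          /* allow file exists: listed or not */
    if (r == -2) return 0;         /* allow file unreadable: deny */
    r = list_has_user(deny, user);
    if (r >= 0) return !r;         /* deny file exists: allowed unless listed */
    if (r == -2) return 0;         /* deny file unreadable: deny */
    return default_allow;          /* neither file exists */
}

/* Helper for constructing sample list files; 0 on success, -1 on failure. */
int write_list(const char *path, const char *contents)
{
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fputs(contents, fp);
    return fclose(fp) == 0 ? 0 : -1;
}
```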