KSR[T] Advisory #005
Date: Dec 6, 1997
ID #: lin-dcrn-005
Operating System(s): Slackware 3.4
Affected Program: dillon crontab / crond ( dcron 2.2 )
Problem Description: The crond that comes with Slackware 3.4 contains
a locally exploitable buffer overflow. When crond
attempts to run a particular cronjob, it will take
the user specified command line and copy it into
an automatic variable via vsprintf(). ( This is
done when the function RunJob() calls fdprintf(),
in job.c and subs.c respectively. )
A quick glance shows another potential overflow
in subs.c, involving the logging functions. This
is also fixed in the patch below.
Compromise: Users with an account on the machine can gain
root access.
Patch/Fix: We would like to thank Erik Schorr for prividing
us with this patch:
-- cut here --
Slackware 3.4 crond fix
/usr/sbin/crond is installed with the bin.tgz package in Slackware 3.4. A
patched version of this package is available from the Slackware FTP site:
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/slakware/a2/bin.tgz
The source and patch can also be found on the FTP site:
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.tar.gz
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.diff.gz
MD5 sums for the source, patch, and binary package follow:
a76744f19a9361cb5b5d93dcc2bf503f bin.tgz
9eb478dba39eb8a708dbd6764d6c6ad9 dcron22.tar.gz
c248f7871cf6ba84267cbd90c9c3f084 dcron22.diff.gz
-- cut here --