[MBT] new ticket for pkg vixie-cron "local insecure crontab handling"

bugs at pld.org.pl bugs at pld.org.pl
Thu Jan 23 16:26:03 CET 2003


Date:          2003-01-23 16:26:02+01
Author:        (kreutzm) <kreutzm at itp.uni-hannover.de>
Title:         local insecure crontab handling
Ticket ID:     #541
Ticket URL:    http://bugs.pld.org.pl/?bug=541
Package:       vixie-cron-3.0.1-76
Distribution:  PLD-Ra.main PLD-1.0.devel.main PLD-1.0.devel.test PLD-1.0.devel.supported
Category:      security problem
Current state: opened
Text:

This *might* be fixed already, but I only found very vague entries in the changelog which I could not decode.

The FreeBSD team has found a bug in the way new crontabs were handled which allowed malicious users to display arbitrary crontab files on the local system.  This only affects valid crontab files, so it can't be used to get access to /etc/shadow or something.  Crontab files are not especially secure anyway, as there are other ways they can leak.  No passwords or similar sensitive data should be in there.

This is from the security announcement of Debian:

DSA-024-1 (2001)


