In the cron package through 3.0pl1-128 on Debian, and through
3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for
group-crontab-to-root privilege escalation via symlink attacks against
unsafe usage of the chown and chmod programs.
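
An added example, not taken from the cron package or its patch, of a descriptor-based alternative to running chown and chmod on a path inside a directory that a less-privileged group can write to. The function name and its arguments are hypothetical; the check and the change both act on the same open file, so a symlink swapped in between them has no effect.

```python
import os
import stat

def fix_crontab_perms(spool_dir, name, uid, gid, mode=0o600):
    """Set owner/mode of spool_dir/name without following symlinks.

    Hypothetical helper. Returns True if updated, False if skipped.
    """
    # Pin the directory itself so later lookups cannot be redirected.
    dfd = os.open(spool_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            # O_NOFOLLOW: fail if the final component is a symlink.
            # O_NONBLOCK: do not hang on a FIFO planted in the directory.
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK,
                         dir_fd=dfd)
        except OSError:
            return False  # symlink (ELOOP), vanished file, and so on
        try:
            st = os.fstat(fd)
            # Only plain files with a single name: a hard link to a file
            # elsewhere would otherwise be re-owned as well.
            if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                return False
            # Operate on the descriptor, not the path: the object checked
            # is the object changed, so there is no window to swap it.
            os.fchown(fd, uid, gid)
            os.fchmod(fd, mode)
            return True
        finally:
            os.close(fd)
    finally:
        os.close(dfd)
```
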
jj: This appears to be mitigated by kernel symlink restrictions. The
crontabs dir has the sticky bit set
drwx-wx--T root crontab crontabs
which means symlinks within the dir must have the same uid as the
It is still possible that a cron package update could trigger this race.
sarnold: I believe that actually _exploiting_ the bug requires
updating the cron package. So long as there's no updates for cron,
the vulnerable code doesn't run. So if we find a second bug in
cron then we really should fix the race condition at the same
time, but so long as we don't push a cron update, the vulnerable
code just plain doesn't run.
The patch just narrows the time window for the race condition.
Source: cron (LP Ubuntu Debian)
Ubuntu 12.04 ESM (Precise Pangolin): needed
Ubuntu 14.04 ESM (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): ignored (reached end-of-life)
Ubuntu 19.10 (Eoan Ermine): not-affected (3.0pl1-134ubuntu1)
Ubuntu 20.04 (Focal Fossa): not-affected (3.0pl1-134ubuntu1)
Updated: 2020-01-23 20:34:52 UTC (commit b4629892d998f2ede31f59bb7508dc50a92ac664)