CVE-2017-9525

Priority
Description
In the cron package through 3.0pl1-128 on Debian, and through
3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for
group-crontab-to-root privilege escalation via symlink attacks against
unsafe usage of the chown and chmod programs.
Notes
jj: This appears to be mitigated by kernel symlink restrictions. The
crontabs dir has the sticky bit set
drwx-wx--T root crontab crontabs
which means symlinks within the dir must have the same uid as the
target.
It is still possible that a cron package update could trigger this race.
sarnold: I believe that actually _exploiting_ the bug requires
updating the cron package. So long as there's no updates for cron,
the vulnerable code doesn't run. So if we find a second bug in
cron then we really should fix the race condition at the same
time, but so long as we don't push a cron update, the vulnerable
code just plain doesn't run.
The patch just narrows the time window for the race condition.
Package
Source: cron (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): needed
Ubuntu 14.04 ESM (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan Ermine): not-affected (3.0pl1-134ubuntu1)
Ubuntu 20.04 (Focal Fossa): not-affected (3.0pl1-134ubuntu1)
More Information

Updated: 2019-12-05 19:51:06 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)