|Summary:||CVE-2007-1856 crontab denial of service|
|Product:||Red Hat Enterprise Linux 5||Reporter:||Josh Bressers <bressers>|
|Component:||vixie-cron||Assignee:||Marcela Mašláňová <mmaslano>|
|Status:||CLOSED ERRATA||QA Contact:||Brock Organ <borgan>|
|Fixed In Version:||RHSA-2007-0345||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2007-05-17 14:26:06 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:|
Description Josh Bressers 2007-04-10 16:43:23 UTC
Raphael Marichez of Gentoo reported a denial of service flaw in vixie-cron. By creating a hardlink to /etc/crontab, cron will stop executing the /etc/crontab file and deposit an error message in /var/log/cron. This can be easily tested by running: ln /etc/crontab /tmp/crontab tail -f /var/log/cron Here is the patch from Open Wall Linux: http://cvsweb.openwall.com/cgi/cvsweb.cgi/~checkout~/Owl/packages/vixie-cron/vixie-cron-4.1.20060426-owl-st_nlink.diff?rev=1.1;content-type=text%2Fplain This flaw also affects RHEL 3 and 4.
Comment 5 RHEL Product and Program Management 2007-04-23 14:23:36 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Comment 6 Steve Grubb 2007-04-24 18:32:31 UTC
vixie-cron-4.1-68 was built to solve this issue.
Comment 19 Red Hat Bugzilla 2007-05-17 14:26:06 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0345.html