CVE-2006-2607
Published: 25 May 2006
do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf.
Notes
| Author | Note |
|---|---|
| jdstrand | was mistakenly marked not-affected. 3.0pl1-64 added checks for setuid() failing, but did not add the checks for setgid() or initgroups() |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
cron Launchpad, Ubuntu, Debian |
dapper |
Released
(3.0pl1-92ubuntu1.1)
|
| edgy |
Ignored
(end of life, was needed)
|
|
| feisty |
Ignored
(end of life, was needed)
|
|
| gutsy |
Ignored
(end of life, was needed)
|
|
| hardy |
Released
(3.0pl1-100ubuntu2.1)
|
|
| intrepid |
Released
(3.0pl1-104+ubuntu5.1)
|
|
| jaunty |
Released
(3.0pl1-105ubuntu1.1)
|
|
| upstream |
Released
(3.0pl1-106)
|
|
|
Patches: other: http://bugs.gentoo.org/show_bug.cgi?id=134194 |
||