CVE-2006-2607
Published: 25 May 2006
do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf.
Notes
Author | Note |
---|---|
jdstrand | was mistakenly marked not-affected. 3.0pl1-64 added checks for setuid() failing, but did not add the checks for setgid() or initgroups() |
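
The unchecked privilege drop described above, next to a checked one that also covers the setgid() and initgroups() calls mentioned in the note. This is an added example, not code from Vixie cron or its patches; the `id_ops` indirection, the failing stubs, and the user name and ids are assumptions made so the failure can be simulated without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical indirection (not from cron): lets failures be simulated without root. */
struct id_ops {
    int (*initgroups)(const char *user, gid_t gid);
    int (*setgid)(gid_t gid);
    int (*setuid)(uid_t uid);
};

static uid_t cur_uid; /* simulated process uid; 0 = root */
static gid_t cur_gid; /* simulated process gid; 0 = root */

/* Constructed stubs: the failing ones mimic a resource-limit or PAM failure. */
static int ok_initgroups(const char *u, gid_t g) { (void)u; (void)g; return 0; }
static int ok_setgid(gid_t g) { cur_gid = g; return 0; }
static int ok_setuid(uid_t u) { cur_uid = u; return 0; }
static int fail_setgid(gid_t g) { (void)g; errno = EPERM; return -1; }
static int fail_setuid(uid_t u) { (void)u; errno = EAGAIN; return -1; }

const struct id_ops OPS_OK = { ok_initgroups, ok_setgid, ok_setuid };
const struct id_ops OPS_SETUID_FAILS = { ok_initgroups, ok_setgid, fail_setuid };
const struct id_ops OPS_SETGID_FAILS = { ok_initgroups, fail_setgid, ok_setuid };

/* Unchecked pattern: return codes ignored. Returns 1 if the job keeps a root id. */
int unchecked_job_keeps_root(const struct id_ops *ops, const char *user, uid_t uid, gid_t gid)
{
    cur_uid = 0; cur_gid = 0;           /* the daemon starts as root */
    ops->initgroups(user, gid);
    ops->setgid(gid);
    ops->setuid(uid);
    return cur_uid == 0 || cur_gid == 0;
}

/* Checked drop: groups first, uid last; on -1 the job must not be run. */
int drop_privileges(const struct id_ops *ops, const char *user, uid_t uid, gid_t gid)
{
    cur_uid = 0; cur_gid = 0;
    if (ops->initgroups(user, gid) != 0) return -1;
    if (ops->setgid(gid) != 0) return -1;
    if (ops->setuid(uid) != 0) return -1;
    return (cur_uid == uid && cur_gid == gid) ? 0 : -1; /* verify the result */
}

int main(void)
{
    printf("unchecked keeps root: %d\n", unchecked_job_keeps_root(&OPS_SETUID_FAILS, "alice", 1000, 1000));
    printf("checked rc: %d\n", drop_privileges(&OPS_SETUID_FAILS, "alice", 1000, 1000));
    return 0;
}
```

In production code the three calls would be the real initgroups(), setgid() and setuid(), and a -1 result would end the child process before the job is executed.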
Priority
Status
Package | Release | Status |
---|---|---|
cron | dapper | Released (3.0pl1-92ubuntu1.1) |
cron | edgy | Ignored (end of life, was needed) |
cron | feisty | Ignored (end of life, was needed) |
cron | gutsy | Ignored (end of life, was needed) |
cron | hardy | Released (3.0pl1-100ubuntu2.1) |
cron | intrepid | Released (3.0pl1-104+ubuntu5.1) |
cron | jaunty | Released (3.0pl1-105ubuntu1.1) |
cron | upstream | Released (3.0pl1-106) |

Patches: other: http://bugs.gentoo.org/show_bug.cgi?id=134194