fcrontab Information Disclosure Vulnerability

From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
To: full-disclosure@lists.grok.org.uk,bugtraq@securityfocus.com
Subject: fcrontab Information Disclosure Vulnerability

fcrontab Information Disclosure Vulnerability
March 3, 2010


fcrontab, part of the fcron scheduler, is vulnerable to several race
conditions that allow a local attacker to use symbolic links to read
unauthorized files. On systems where fcrontab is installed with its
own "fcron" group, this allows an attacker to read other non-root
users' crontabs and fcron configuration files. On systems where
fcrontab is installed suid root, this allows an attacker to read arbitrary
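
The defensive pattern for this class of bug, as an added example that is not fcron's code: a privileged helper opens the user-supplied path without following symlinks, then validates type and ownership on the descriptor it actually opened (fstat) rather than on the path, so nothing swapped in between a check and the open can redirect the read. The `st_nlink == 1` check is an extra guard against the hard-link variant and is an assumption, not something the advisory describes.

```c
/* Added illustration of the hardened open pattern; not fcrontab's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only only if it is a regular file with a single link that
 * is owned by `expected_uid` (normally the invoking user's real uid).
 * All checks are made on the opened descriptor, so there is no window
 * between a path-based check and the open. Returns fd >= 0 or -1 (errno set). */
int open_owned_file(const char *path, uid_t expected_uid) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);
    if (fd < 0) return -1;              /* ELOOP here: final component was a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != expected_uid || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Self-test: create a regular file and a symlink to it in a constructed temp
 * directory; the direct path must open, the symlink must be refused.
 * Returns 0 when behaviour is as expected, non-zero otherwise. */
int demo(void) {
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char reg[256], lnk[256];
    snprintf(reg, sizeof reg, "%s/own.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    FILE *f = fopen(reg, "w");
    if (!f) return -1;
    fputs("constructed sample content\n", f);
    fclose(f);
    if (symlink(reg, lnk) != 0) return -1;
    int direct = open_owned_file(reg, getuid());
    int viasym = open_owned_file(lnk, getuid());   /* expected: -1, errno ELOOP */
    int result = (direct >= 0 && viasym < 0) ? 0 : 1;
    if (direct >= 0) close(direct);
    unlink(lnk); unlink(reg); rmdir(dir);
    return result;
}

int main(void) {
    puts(demo() == 0 ? "ok: regular file accepted, symlink rejected" : "unexpected");
    return 0;
}
```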


The developer has released a new version, 3.0.5, to address these
vulnerabilities. It is available for download on the developer's
website, http://fcron.free.fr. Users are advised to recompile from
source or download updated packages from downstream distributors
when they become available.


This vulnerability was discovered by Dan Rosenberg.
Thanks to Thibault Godouet for his prompt response and new release.


CVE identifier CVE-2010-0792 has been assigned to this issue.
