Re: bcron: cron jobs get access to the temporary output files from all other jobs that are still running

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/16/2013 01:42 PM, Salvatore Bonaccorso wrote:
> Hi
>
> I haven't found if there was already a request for this.
>
> In Debian Bugtracker it was closed [1] today. It is possible due to
> a bug in bcron-exec that cron jobs get access to the temporary
> output files from other jobs that are still running. This is also
> mentioned in upstream's NEWS[2]. The commit to fix this on github
> should be[3]. Even it looks bcron is not broadly used, could the
> above get a CVE?
>
> [1]: http://bugs.debian.org/686650 [2]:
> http://untroubled.org/bcron/NEWS [3]:
> https://github.com/bruceg/bcron/commit/7e3b8d7a82a6712f4607aae151a3ba8843dc6c86
>
>  Regards, Salvatore

This is news to me. Please use CVE-2012-6110 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ921iAAoJEBYNRVNeJnmTtJAQAJtLMNijkSacXS9sBLZkl4ZX
tNKQCvxGl0irz6hxv57yXqRYu+Xtv5USJ4Jdnwcq6ng0MJQG3I1p2ArNS+vElsx5
UyqTfqpVaLgaSWthnUSM6ictetTPS+onsHI/UJNmUXFvqktiAF+Ff2ca8fzGgDeM
27lwJALQfcPZCjeXJU1xRaWbBsV415uv0eQFnHPPYNaImLeVHTw5JU64ub+K7NuZ
4erMqEhu92mB87qo/FzAO3++iDDN5uujxhKOEqW8Hk5cF3K83ySwYr8dzs4DFFwO
aocWUVcdJ9JJfDGt4ACtUeQH7mSXCcz2E9XdKhTaA8k6KEh1P4h1ehWEwVyZvrp7
wc983Iiw2Pvrxmzy2FepaxBdBTroqHHPW//Ib/tQ60b6Dwaxoiqj1isyTcig9cw2
9thMhNv6fzJD1dIW37UjUM3DbTPXDX8JDRGA/zW0BlZGjhwAKg5TV1+rvOuk9LlO
hmyptiAyUtPPBT8O0iKd/UHpTPtsN/Smf5wQQFlVvqV8zVqz1l2quycqIenaQ8wK
Pel/LBGhvWMqDAX8kqNZWritXn2U0H09gWLzl1QZweYp2cdywXB5Zcna+jLxYtmB
2ehOPISfTd16txgzJ7mEe3yXMOfcuYCFRFYvUcepVhGiPOESziXulg5evU+1miUD
1zuBsv2npGIJDwYJi6lM
=uUL2
-----END PGP SIGNATURE-----