AOH :: HP Unsorted F :: BU-1934.HTM

fcrontab Information Disclosure Vulnerability



fcrontab Information Disclosure Vulnerability
fcrontab Information Disclosure Vulnerability



=========================================== fcrontab Information Disclosure Vulnerability
 March 3, 2010
 CVE-2010-0792
===========================================
==Description=
fcrontab, part of the fcron scheduler, is vulnerable to several race
conditions that allow a local attacker to use symbolic links to read
unauthorized files.  On systems where fcrontab is installed with its
own "fcron" group, this allows an attacker to read other non-root
users' crontabs and fcron configuration files.  On systems where
fcrontab is installed suid root, this allows an attacker to read arbitrary
files.

==Solution=
The developer has released a new version, 3.0.5, to address these
vulnerabilities.  It is available for download on the developer's
website, http://fcron.free.fr.  Users are advised to recompile from
source or download updated packages from downstream distributors
when they become available.

==Credits=
This vulnerability was discovered by Dan Rosenberg
(dan.j.rosenberg@gmail.com). 
Thanks to Thibault Godouet for his prompt response and new release.

==References=
CVE identifier CVE-2010-0792 has been assigned to this issue.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.