Bug#992748: systemd-cron: postinst error - CVE-2017-9525?

Salvatore Bonaccorso carnil at debian.org
Sun Sep 5 16:41:54 BST 2021


Control: clone 992748 -1
Control: retitle -1 systemd-cron: CVE-2017-9525: group crontab to root escalation via postinst
Control: severity -1 important
Control: found -1 1.5.16-1
Control: found -1 1.5.14-2
Control: tags 992748 - security

Hi Chris,

On Sun, Sep 05, 2021 at 02:49:40PM +0200, Chris Hofstaedtler wrote:
> Control: tags -1 + security
> 
> * Alexandre Detiste <alexandre.detiste at gmail.com> [210905 12:47]:
> > Le lun. 23 août 2021 à 04:57, Martin-Éric Racine
> > <martin-eric.racine at iki.fi> a écrit :
> > > Setting up systemd-cron (1.5.17-1) ...
> > > xargs: warning: options --max-args and --replace/-I/-i are mutually exclusive, ignoring previous --max-args value
> > > Thanks.
> > 
> > This was copy-pasted from src:cron, which must have the same bug now.
> 
> src:cron removed the offending code as part of a security fix in
> 2018:
> 
> https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af
> 
> This would suggest CVE-2017-9525 also affects src:systemd-cron.

Looks right and confirmed in a quick test. If the attacker has gained
crontab group then further escalation is possible.

Though technically those two bugs will be resolved at the same step, I
thought it good to separate the escalation issue and the error in
postinst (but as said, they will be fixed basically together).

Once fixed in unstable, can you please fix the issue as well via
upcoming point releases for bullseye and buster? Similarly to the
src:cron case, a DSA is not warranted.

Regards,
Salvatore
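The thread above concerns a maintainer script that fixes ownership and mode of a spool directory writable by a non-root group, where a planted symlink can redirect chown/chmod to a root-owned file. The following shell snippet is an added example, not code from the cron or systemd-cron packages or from any participant in this thread: it is a hypothetical pre-flight check a postinst could run before touching such a directory, refusing to proceed if the directory itself is a symlink or contains any non-regular entry, and then applying the mode per file with `find -exec` rather than an xargs pipeline (so the `--max-args` / `-I` conflict from the original report cannot arise). It assumes GNU find and stat on Linux; the directory paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the cron/systemd-cron postinst).
# Pre-flight check: a spool directory a non-root group can write to must
# be a real directory containing only regular files before any
# chown/chmod is run over it, so a planted symlink is never dereferenced.

spool_is_clean() {
    dir="$1"
    # The directory itself must be a real directory, not a symlink.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is missing or is a symlink" >&2
        return 1
    fi
    # find without -L uses lstat, so symlinks, subdirs, fifos etc. all
    # fail the '-type f' test and are reported rather than processed.
    bad=$(find "$dir" -mindepth 1 ! -type f -print 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "refusing: non-regular entries in $dir:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Apply a fixed mode to each regular file in the spool directory.
# Returns 1 (and changes nothing) when the pre-flight check fails.
# Note: find -exec still has a small window between its lstat and the
# chmod; on directories writable by untrusted users this check reduces,
# but does not remove, that race.
fix_spool_perms() {
    dir="$1"
    spool_is_clean "$dir" || return 1
    find "$dir" -mindepth 1 -maxdepth 1 -type f -exec chmod 0600 {} +
}

# Constructed demo: one legitimate crontab, then a planted symlink.
demo() {
    t=$(mktemp -d)
    printf '# constructed crontab\n' > "$t/alice"
    chmod 0644 "$t/alice"
    fix_spool_perms "$t" && echo "clean spool: alice now $(stat -c %a "$t/alice")"
    ln -s /etc/passwd "$t/planted"
    fix_spool_perms "$t" || echo "planted symlink detected, nothing changed"
    rm -rf "$t"
}

demo
```

In a real maintainer script the check would run before the ownership fix as well as the mode fix, and the failure branch should abort the upgrade loudly rather than silently continue, since a non-regular entry in that directory is itself a signal worth an administrator's attention.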



More information about the Pkg-systemd-maintainers mailing list