Bug#992748: systemd-cron: postinst error - CVE-2017-9525?

Martin-Éric Racine martin-eric.racine at iki.fi
Wed Sep 8 06:21:14 BST 2021


On Sun, 5 Sep 2021 at 18:41, Salvatore Bonaccorso (carnil at debian.org) wrote:
>
> Control: clone 992748 -1
> Control: retitle -1 systemd-cron: CVE-2017-9525: group crontab to root escalation via postinst
> Control: severity -1 important
> Control: found -1 1.5.16-1
> Control: found -1 1.5.14-2
> Control: tags 992748 - security
>
> Hi Chris,
>
> On Sun, Sep 05, 2021 at 02:49:40PM +0200, Chris Hofstaedtler wrote:
> > Control: tags -1 + security
> >
> > * Alexandre Detiste <alexandre.detiste at gmail.com> [210905 12:47]:
> > > On Mon, 23 Aug 2021 at 04:57, Martin-Éric Racine
> > > <martin-eric.racine at iki.fi> wrote:
> > > > Setting up systemd-cron (1.5.17-1) ...
> > > > xargs: warning: options --max-args and --replace/-I/-i are mutually exclusive, ignoring previous --max-args value
> > > > Thanks.
> > >
> > > This was copy-pasted from src:cron, which must have the same bug now.
> >
> > src:cron removed the offending code as part of a security fix in
> > 2018:
> >
> > https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af
> >
> > This would suggest CVE-2017-9525 also affects src:systemd-cron.
>
> Looks right and confirmed in a quick test. If the attacker has gained
> crontab group then further escalation is possible.
>
> Though technically those two bugs will be resolved at the same step, I
> thought it would be good to separate the escalation issue and the error in
> postinst (but as said, they will be fixed basically together).
>
> Once fixed in unstable, can you please fix the issue as well via
> upcoming point releases for bullseye and buster? Similarly as for the
> src:cron case a DSA is not warranted.

Alexandre,

Do you have time to fix this now? If not, would it be okay for the
security team to make an NMU for all affected releases?

Martin-Éric
