CVE-2006-2607

Publication date 25 May 2006

Last updated 24 July 2024

Ubuntu priority

do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the process limits as defined in /etc/security/limits.conf.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
cron	9.04 jaunty	Fixed 3.0pl1-105ubuntu1.1
	8.10 intrepid	Fixed 3.0pl1-104+ubuntu5.1
	8.04 LTS hardy	Fixed 3.0pl1-100ubuntu2.1
	7.10 gutsy	Ignored end of life, was needed
	7.04 feisty	Ignored end of life, was needed
	6.10 edgy	Ignored end of life, was needed
	6.06 LTS dapper	Fixed 3.0pl1-92ubuntu1.1

Notes

jdstrand

was mistakenly marked not-affected. 3.0pl1-64 added checks for setuid() failing, but did not add the checks for setgid() or initgroups()

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
cron	Other: http://bugs.gentoo.org/show_bug.cgi?id=134194

CVE-2006-2607

Status

Notes

jdstrand

Patch details

References

Related Ubuntu Security Notices (USN)

Other references