Bug 1128937 (CVE-2019-9704) - VUL-1: CVE-2019-9704: cron,cronie: vixie-cron: calloc return value resulting in remote dos
Summary: VUL-1: CVE-2019-9704: cron,cronie: vixie-cron: calloc return value resulting ...
Status: RESOLVED FIXED
Alias: CVE-2019-9704
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/226027/
Whiteboard: CVSSv3:SUSE:CVE-2019-9704:3.3:(AV:L/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-12 15:22 UTC by Karol Babioch
Modified: 2024-05-07 09:14 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Karol Babioch 2019-03-12 15:22:53 UTC 
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked.

Upstream commit:
https://salsa.debian.org/debian/cron/commit/f2525567

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1687688
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9704
Comment 1 Karol Babioch 2019-03-12 15:27:08 UTC 
Both cron (SLE-10 & SLE-11) as well as cronie (SLE-12 & SLE-15) contain the affected code. Not a huge issue, VUL-1 for now, so no immediate action required.
Comment 9 Swamp Workflow Management 2019-05-31 13:25:01 UTC 
SUSE-SU-2019:1389-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 1128935,1128937,1130746,1133100
CVE References: CVE-2019-9704,CVE-2019-9705
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    cronie-1.5.1-6.7.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    cronie-1.5.1-6.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2019-06-05 19:15:38 UTC 
openSUSE-SU-2019:1520-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 1128935,1128937,1130746,1133100
CVE References: CVE-2019-9704,CVE-2019-9705
Sources used:
openSUSE Leap 15.1 (src):    cronie-1.5.1-lp151.4.3.1
openSUSE Leap 15.0 (src):    cronie-1.5.1-lp150.3.3.1
Comment 11 Swamp Workflow Management 2019-07-03 13:14:45 UTC 
SUSE-SU-2019:1389-2: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 1128935,1128937,1130746,1133100
CVE References: CVE-2019-9704,CVE-2019-9705
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    cronie-1.5.1-6.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    cronie-1.5.1-6.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2019-07-26 16:13:32 UTC 
SUSE-SU-2019:1990-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 1128935,1128937,1130746,1133100
CVE References: CVE-2019-9704,CVE-2019-9705
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    cronie-1.4.11-59.10.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    cronie-1.4.11-59.10.1
SUSE CaaS Platform 3.0 (src):    cronie-1.4.11-59.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Thomas Leroy 2024-05-07 09:14:21 UTC 
All done, closing.
Comment 14 Thomas Leroy 2024-05-07 09:14:48 UTC 
All done, closing.