Bug 1128935 (CVE-2019-9705) - VUL-1: CVE-2019-9705: cron,cronie: dos(memory consumption) via a large crontab file
Status: RESOLVED FIXED
Alias: CVE-2019-9705
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/226028/
Whiteboard: CVSSv3:SUSE:CVE-2019-9705:3.3:(AV:L/A...
Reported: 2019-03-12 15:12 UTC by Karol Babioch
Modified: 2024-05-09 14:08 UTC
Found By: Security Response Team
Description Karol Babioch 2019-03-12 15:12:50 UTC
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted.

Upstream commit:
https://salsa.debian.org/debian/cron/commit/26814a26

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1687694
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9705
Comment 1 Karol Babioch 2019-03-12 15:18:26 UTC
Both cron (SLE-10 & SLE-11) as well as cronie (SLE-12 & SLE-15) are affected (as the code reading in those files is very similar and there is no such protection in place). The upstream commit should be applicable, might need some manual work, though. Not a huge issue, VUL-1 for now.
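Added illustration, not part of the bug report and not the upstream patch: a crontab loader that counts every line it reads and rejects the whole file once a cap is exceeded, so a large file cannot grow the in-memory entry list without bound. The names `load_crontab`, `load_constructed`, `MAX_TAB_LINES` and `MAX_LINE_LEN` and their values are assumptions made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_TAB_LINES 1000 /* assumed cap, chosen for this example */
#define MAX_LINE_LEN 1024  /* assumed per-line buffer size */
struct entry { struct entry *next; char *text; };

void free_entries(struct entry *e) {
    while (e) { struct entry *n = e->next; free(e->text); free(e); e = n; }
}

/* Load one crontab into a list. Returns the number of entries kept, or -1
 * if the file is rejected; a rejected file leaves nothing allocated. */
long load_crontab(FILE *fp, struct entry **out) {
    char buf[MAX_LINE_LEN];
    struct entry *head = NULL, **tail = &head;
    long lines = 0, entries = 0;
    *out = NULL;
    while (fgets(buf, sizeof buf, fp)) {
        size_t len = strlen(buf);
        int truncated = (len == sizeof buf - 1 && buf[len - 1] != '\n');
        /* Every line counts toward the cap, comments and blanks included. */
        if (truncated || ++lines > MAX_TAB_LINES) goto reject;
        if (len && buf[len - 1] == '\n') buf[--len] = '\0';
        if (len == 0 || buf[0] == '#') continue; /* counted, not stored */
        struct entry *e = malloc(sizeof *e);
        if (!e) goto reject;
        e->next = NULL;
        e->text = malloc(len + 1);
        if (!e->text) { free(e); goto reject; }
        memcpy(e->text, buf, len + 1);
        *tail = e; tail = &e->next; entries++;
    }
    *out = head;
    return entries;
reject:
    free_entries(head);
    return -1;
}

/* Write n constructed job lines to a temp file and run the loader on it. */
long load_constructed(long n) {
    struct entry *list = NULL;
    FILE *fp = tmpfile();
    if (!fp) return -2;
    for (long i = 0; i < n; i++) fprintf(fp, "* * * * * /bin/true # job %ld\n", i);
    rewind(fp);
    long r = load_crontab(fp, &list);
    free_entries(list); fclose(fp);
    return r;
}
```

Without the `++lines > MAX_TAB_LINES` check the loop allocates one entry per job line for as long as the file continues, which is the memory-consumption condition the description refers to.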
Comment 9 Swamp Workflow Management 2019-05-31 13:24:54 UTC
SUSE-SU-2019:1389-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 1128935,1128937,1130746,1133100
CVE References: CVE-2019-9704,CVE-2019-9705
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    cronie-1.5.1-6.7.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    cronie-1.5.1-6.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2019-06-05 19:15:29 UTC
openSUSE-SU-2019:1520-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 1128935,1128937,1130746,1133100
CVE References: CVE-2019-9704,CVE-2019-9705
Sources used:
openSUSE Leap 15.1 (src):    cronie-1.5.1-lp151.4.3.1
openSUSE Leap 15.0 (src):    cronie-1.5.1-lp150.3.3.1
Comment 11 Swamp Workflow Management 2019-07-03 13:14:37 UTC
SUSE-SU-2019:1389-2: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 1128935,1128937,1130746,1133100
CVE References: CVE-2019-9704,CVE-2019-9705
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    cronie-1.5.1-6.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    cronie-1.5.1-6.7.1

Comment 12 Swamp Workflow Management 2019-07-26 16:13:25 UTC
SUSE-SU-2019:1990-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 1128935,1128937,1130746,1133100
CVE References: CVE-2019-9704,CVE-2019-9705
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    cronie-1.4.11-59.10.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    cronie-1.4.11-59.10.1
SUSE CaaS Platform 3.0 (src):    cronie-1.4.11-59.10.1
