/etc/cron.daily/bsdmainutils blocks if a user has a named pipe as a calendar

Bug #357055 reported by Stephane Chazelas

Affects: bsdmainutils (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: bsdmainutils

Minor security issue.

$ apt-cache policy bsdmainutils
bsdmainutils:
  Installed: 6.1.10ubuntu2
  Candidate: 6.1.10ubuntu2
  Version table:
 *** 6.1.10ubuntu2 0
        500 http://gb.archive.ubuntu.com intrepid/main Packages
        100 /var/lib/dpkg/status

(same on 7.10)

If a user does a

mkdir -p ~/.calendar && mkfifo ~/.calendar/calendar

/etc/cron.daily/bsdmainutils will block. That could be considered a denial of service attack as the other cron.daily jobs after that one will not be run. It also allows a user to decide when to run those other cron jobs (by releasing the fifo when they like).

Also, maybe calendar -a should not consider user accounts without a valid shell or with world writable home directories?

Changed in bsdmainutils (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Setting as low priority as the cron job is not enabled by default.

visibility: private → public
Changed in bsdmainutils (Ubuntu):
importance: Undecided → Low
Michael Meskes (meskes) wrote :

Fixed in 8.0.10

Changed in bsdmainutils (Ubuntu):
status: Confirmed → Fix Released
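
A defensive pattern for the hang described in this report, added here as an illustration (it is not the fix shipped in 8.0.10 and not code from bsdmainutils): a privileged job that reads a file from a user's home directory can open it non-blocking and check the descriptor's type before reading. The names open_regular_file and demo_accepts and the /tmp test directory are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a user-controlled path for reading without blocking on a FIFO.
 * O_NONBLOCK makes open() on a FIFO with no writer return at once,
 * O_NOFOLLOW refuses a symlink as the last path component, and fstat() on
 * the descriptor (not stat() on the path) avoids a check-then-open race. */
int open_regular_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;              /* FIFO, device, directory, socket */
    }
    return fd;
}

/* Constructed demo: create <tmpdir>/calendar as a FIFO (as_fifo != 0) or as
 * a regular file; return 1 if accepted, 0 if rejected, -1 on setup error. */
int demo_accepts(int as_fifo)
{
    char dir[] = "/tmp/calXXXXXX", path[64];
    int fd, made;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/calendar", dir);
    made = as_fifo ? mkfifo(path, 0600) : close(creat(path, 0600));
    fd = made == 0 ? open_regular_file(path) : -1;
    if (fd >= 0)
        close(fd);
    unlink(path);
    rmdir(dir);
    return made == 0 ? fd >= 0 : -1;
}

int main(void)
{
    printf("fifo: %d, regular file: %d\n", demo_accepts(1), demo_accepts(0));
    return 0;
}
```

O_NONBLOCK has no effect on reads from a regular file, so the accepted descriptor can be read normally afterwards.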
This report contains Public Security information  
Everyone can see this security related information.
