[Bug 1971895] Re: Warning messages from stat printed on installation with no user crontabs
Jeremy Chadwick
1971895 at bugs.launchpad.net
Thu May 5 23:17:59 UTC 2022
I was just in the process of writing David Fernandez Gonzalez an Email
about this problem when I came across this ticket.
I can confirm this problem on Ubuntu 18.04.6. My 20.x machines did not
get the update, so I cannot verify on other releases:
    Unpacking cron (3.0pl1-128.1ubuntu1.1) over (3.0pl1-128.1ubuntu1) ...
    Setting up cron (3.0pl1-128.1ubuntu1.1) ...
    stat: cannot stat '*': No such file or directory
    stat: cannot stat '*': No such file or directory
    stat: cannot stat '*': No such file or directory
    Warning: * is not a regular file!
Every single sysadmin should be concerned. ANY TIME we see asterisk
wildcards being used in this fashion, where [ or test operators are
behaving in this manner, we have reason to become concerned. To me,
this smells of a shell script trying to parse crontab entries, which is
inherently dangerous.
I am now questioning whether or not this postinst script potentially
nuked something it shouldn't have.
How this was missed is beyond me.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cron in Ubuntu.
https://bugs.launchpad.net/bugs/1971895
Title:
Warning messages from stat printed on installation with no user
crontabs
Status in cron package in Ubuntu:
Confirmed
Bug description:
On installation of cron on a new system, or (I expect) an upgrade with
no user crontab files the following is printed:
    Setting up cron (3.0pl1-128.1ubuntu1.1) ...
    stat: cannot stat '*': No such file or directory
    stat: cannot stat '*': No such file or directory
    stat: cannot stat '*': No such file or directory
    Warning: * is not a regular file!
This is related to the fix for CVE-2017-9525 introduced in
3.0pl1-128.1ubuntu1.1. The for loop at line 66 of cron.postinst needs
to have a guard like the following added to it:
    [ "$tab_name" = "*" ] && continue
We have observed this with Bionic; I haven't checked any other Ubuntu
releases.
Cheers,
Andrew
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895/+subscriptions
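
Added example, not part of the original message and not the code of cron.postinst: a minimal reproduction of why a `for tab_name in *` loop prints a warning about `*` in an empty directory, with the guard proposed in the report and an existence check side by side. The function name `check_tabs`, its modes and the temporary directory are hypothetical; the real script's loop body is not shown on this page.

```shell
#!/bin/sh
# Constructed demo. In POSIX sh an unmatched glob is left as the literal
# pattern, so the loop body runs once with tab_name='*' when the directory
# holds no entries.

# check_tabs DIR GUARD: print one line per entry the loop body processes.
# GUARD is: none   (no guard, the behaviour seen in the report)
#           star   (the guard proposed in the report)
#           exists (alternative: skip names that do not exist on disk)
check_tabs() (
    cd "$1" || exit 1
    for tab_name in *; do
        case "$2" in
            star)   [ "$tab_name" = "*" ] && continue ;;
            exists) [ -e "$tab_name" ] || [ -L "$tab_name" ] || continue ;;
        esac
        if [ -f "$tab_name" ]; then
            printf 'ok: %s\n' "$tab_name"
        else
            printf 'Warning: %s is not a regular file!\n' "$tab_name"
        fi
    done
)

# Constructed empty directory standing in for a spool with no user crontabs.
demo_dir=$(mktemp -d)
for guard in none star exists; do
    printf '[%s] %s\n' "$guard" "$(check_tabs "$demo_dir" "$guard")"
done
rmdir "$demo_dir"
```

The two guards behave the same on an empty directory; they differ only when an entry is literally named `*`, which the string comparison skips and the existence check still processes.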