On Fri, Mar 22, 2019 at 11:38:44AM +0100, Christian Kastner wrote:
> Hi,
> 
> On 2019-03-22 09:51, Antti Salmela wrote:
> > Package: cron
> > Version: 3.0pl1-127+deb8u2
> > Severity: normal
> > 
> > Dear Maintainer,
> > 
> > fix for CVE-2019-9705 is also limiting cron.d files
> > under /etc/cron.d. I think following patch should be applied.
> 
> Thanks for the suggestion; at first glance, I am inclined to
> agree with you.
> 
> I'm wondering as to the practical significance, though. Were you
> affected by this limit (in which case I would increase the severity),
> or is this more of an observation?

I was affected, in one instance programmatically generated crontab
file was over limit.

> 
> I picked 1.000 out of a hat, because I never thought that any
> reasonable crontab would reach this limit, with maybe the
> exception of a heavily commented one.

I don't know if this is reasonable use of cron, but I do know
that I would be either reimplementing cron or adding complexity
and fragility to other parts of the system if doing this without
cron.

Nowadays systemd timers would probably be a better option, but systemd
was not yet available when this was developed.

-- 
Antti Salmela

Reply via email to