On Fri, Mar 22, 2019 at 11:38:44AM +0100, Christian Kastner wrote: > Hi, > > On 2019-03-22 09:51, Antti Salmela wrote: > > Package: cron > > Version: 3.0pl1-127+deb8u2 > > Severity: normal > > > > Dear Maintainer, > > > > fix for CVE-2019-9705 is also limiting cron.d files > > under /etc/cron.d. I think following patch should be applied. > > Thanks for the suggestion; at first glance, I am inclined to > agree with you. > > I'm wondering as to the practical significance, though. Were you > affected by this limit (in which case I would increase the severity), > or is this more of an observation?
I was affected, in one instance programmatically generated crontab file was over limit. > > I picked 1.000 out of a hat, because I never thought that any > reasonable crontab would reach this limit, with maybe the > exception of a heavily commented one. I don't know if this is reasonable use of cron, but I do know that I would be either reimplementing cron or adding complexity and fragility to other parts of the system if doing this without cron. Nowadays systemd timers would probably be a better option, but systemd was not yet available when this was developed. -- Antti Salmela

