This bug was fixed in the package cron - 3.0pl1-128ubuntu2+esm2
---------------
cron (3.0pl1-128ubuntu2+esm2) xenial-security; urgency=medium
* SECURITY REGRESSION: CVE-2017-9525 regression (LP: #1971895)
- debian/postinst: add tab_name emptiness check
- https://salsa.debian.org/debian/cron/-/commit/23047851
-- Rodrigo Figueiredo Zaiden <rodrigo.zai...@canonical.com> Tue, 10
May 2022 18:07:46 -0300
** Changed in: cron (Ubuntu Xenial)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cron in Ubuntu.
https://bugs.launchpad.net/bugs/1971895
Title:
Warning messages from stat printed on installation with no user
crontabs
Status in cron package in Ubuntu:
Confirmed
Status in cron source package in Xenial:
Fix Released
Status in cron source package in Bionic:
Fix Released
Bug description:
On installation of cron on a new system, or (I expect) an upgrade with
no user crontab files the following is printed:
Setting up cron (3.0pl1-128.1ubuntu1.1) ...
stat: cannot stat '*': No such file or directory
stat: cannot stat '*': No such file or directory
stat: cannot stat '*': No such file or directory
Warning: * is not a regular file!
This is related to the fix for CVE-2017-9525 introduced in
3.0pl1-128.1ubuntu1.1. The for loop at line 66 of cron.postinst needs
to have a guard like the following added to it:
[ "$tab_name" = "*" ] && continue
We have observed this with Bionic, I haven't checked any other Ubuntu
releases.
Cheers,
Andrew
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1971895/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
