1. 22
    1. 3

      I don’t know why this is marked as an OpenBSD vulnerability specifically. Vixie Cron is used in a lot of places.

      1. 3

        The bug was introduced in vixie cron and that patch was incorporated into OpenBSD in 2023 but not in FreeBSD. The step value was no longer range checked since that patch. From the OP:

        > In May of 2023, significant changes were made to the range and step handling code of a crontab entry in Vixie Cron. A new function, set_range() was introduced in entry.c. This patch was incorporated into OpenBSD in June of 2023.

        /edit Funny to read that after that patch in 2023, FreeBSD did consider using the OpenBSD version of cron instead of their own fork but didn’t move over because of time constraints:

        > I like the idea of using OpenBSD as an upstream, but that would take a lot more time than I have right now. (Most or all of my FreeBSD time is on Dell’s clock.)

        1. 2

          FreeBSD is among those that use Vixie cron, though alternative implementations can be installed via pkg. I don’t see any associated FreeBSD security advisory though, at least, not yet: https://www.freebsd.org/security/advisories/