[php-maint] Bug#770105: Bug#770105: sed in wheezy doesn't have -z option

[Ondřej Surý]

Hi Aaron,

On Wed, Nov 19, 2014, at 01:18, Aaron Schrab wrote:
> On Wed, 19 Nov 2014 00:21:19 +0100 Piotr Ożarowski <piotr at debian.org>
> wrote:
> > sed in wheezy (v4.2.1) doesn't have -z (AKA --null-data).
> > 
> > removing this option and -0 from xargs call in
> > /usr/lib/php5/sessionclean fixed this for me, but I'm not sure if it's
> > the proper fix (can php5 session file names contain special 
> > characters?)
> 
> Besides those changes, I you'd also need to change `-F0` argument for 
> lsof to just `-F`.  This would have problems if there are filenames 
> which contain newlines, but I suspect that wouldn't happen.
> 
> Even with the above it just echoes the touch command rather than 
> actually running it, so the `echo` needs to be removed as well.  This 
> wouldn't be noticed if the lsof command isn't modified, since sed will 
> fail to match anything leaving nothing for xargs to do.

There's a long-standing RFH bug open on PHP. Your comments are much
welcome, so would you be willing to subscribe to PHP BTS and help with
fixing the bugs in general? I really do not mean that as sarcasm, just
stating the fact, that such help is much sought.

> A better option may be just backing out the change that introduced this, 

Yup, I am just building deb7u2 version that backs out the change.
Unfortunately that also means that the security vulnerability described
in #766147 will be unfixed in wheezy.

> it definitely doesn't look like it was tested enough to have been 
> introduced in a security update.

For the history of this change see #766147. We did spend a quite lot of
time testing the change with the submitter, but unfortunatelly we missed
the fact that wheezy's sed doesn't have -z.

Cheers,
-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server