[php-maint] Bug#770164: php5: /usr/lib/php5/sessionclean broken: passes incompatible argument to sed

Sven Herzberg sven.herzberg at cluepunk.com
Wed Nov 19 09:47:28 UTC 2014


Package: php5
Version: 5.4.35-0+deb7u1
Severity: serious
Tags: security
Justification: Policy 10.4

With the latest update of the php5-package, the session cleaning script is broken. As
I'm unfamiliar with the session cleaning implementation, I guess this might cause a
security issue by potentially not deleting session information that should be deleted.

Here's some debugging information from manually running the script that is run by
the cron job.

> root@vm-b:~# set -x
> root@vm-b:~# . /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime)
> ++ /usr/lib/php5/maxlifetime
> + . /usr/lib/php5/sessionclean /var/lib/php5 24
> ++ '[' -x /usr/bin/lsof ']'
> ++ xargs -0i echo touch -c -h ''\''{}'\'''
> ++ sed -zne 's/^n//p'
> sed: invalid option -- 'z'
> Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]...
> 
>   -n, --quiet, --silent
>                  suppress automatic printing of pattern space
>   -e script, --expression=script
>                  add the script to the commands to be executed
>   -f script-file, --file=script-file
>                  add the contents of script-file to the commands to be executed
>   --follow-symlinks
>                  follow symlinks when processing in place
>   -i[SUFFIX], --in-place[=SUFFIX]
>                  edit files in place (makes backup if extension supplied)
>   -l N, --line-length=N
>                  specify the desired line-wrap length for the `l' command
>   --posix
>                  disable all GNU extensions.
>   -r, --regexp-extended
>                  use extended regular expressions in the script.
>   -s, --separate
>                  consider files as separate rather than as a single continuous
>                  long stream.
>   -u, --unbuffered
>                  load minimal amounts of data from the input files and flush
>                  the output buffers more often
>       --help     display this help and exit
>       --version  output version information and exit
> 
> If no -e, --expression, -f, or --file option is given, then the first
> non-option argument is taken as the sed script to interpret.  All
> remaining arguments are names of input files; if no input files are
> specified, then the standard input is read.
> 
> GNU sed home page: <http://www.gnu.org/software/sed/>.
> General help using GNU software: <http://www.gnu.org/gethelp/>.
> ++ /usr/bin/lsof -w -l +d /var/lib/php5 -F0
> ++ find /var/lib/php5 -depth -mindepth 1 -maxdepth 1 -ignore_readdir_race -type f -cmin +24 -delete


-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-042stab092.3 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5 depends on:
ii  libapache2-mod-php5  5.4.35-0+deb7u1
ii  php5-cgi             5.4.35-0+deb7u1
ii  php5-common          5.4.35-0+deb7u1

php5 recommends no packages.

php5 suggests no packages.

-- no debconf information
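
In the trace above, the `sed -z` step fails but the `find ... -delete` step still runs. The following is an added example, not part of the original report and not Debian's sessionclean script: one way to extract the `n` (name) fields from `lsof -F0` output without `sed -z`, and to skip deletion when that extraction fails. The function names and the `SED` override are hypothetical.

```shell
#!/bin/sh
# Added example, not the Debian sessionclean script.
# Assumed input: `lsof -F0` output (NUL-terminated fields, file names in "n" fields).
SED=${SED:-sed}   # hypothetical override, used only to simulate a failing sed

# Print each "n" field value on its own line without needing `sed -z`.
# Limitation: file names containing a newline are not handled.
open_names() {
    tr '\0' '\n' | "$SED" -ne 's/^n//p'
}

# clean_sessions DIR MAXMINUTES   (lsof -F0 output on stdin)
# Refresh files that are still open, then delete stale ones. If the
# extraction step fails, return non-zero and delete nothing.
clean_sessions() {
    dir=$1
    max=$2
    list=$(mktemp) || return 1
    if ! open_names >"$list"; then
        rm -f "$list"
        echo "sessionclean: cannot list open sessions, skipping delete" >&2
        return 1
    fi
    while IFS= read -r name; do
        case $name in
            "$dir"/*) touch -c -h "$name" ;;   # only touch files inside DIR
        esac
    done <"$list"
    rm -f "$list"
    find "$dir" -mindepth 1 -maxdepth 1 -type f -cmin "+$max" -delete
}
```

Called as `lsof -w -l +d /var/lib/php5 -F0 | clean_sessions /var/lib/php5 24`, the delete step is reached only after the list of open files has been produced successfully.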