[php-maint] Bug#766147: Fwd: Re: Fixed php5 package for CVE-2014-3710

Ondřej Surý ondrej at sury.org
Wed Nov 19 11:08:48 UTC 2014


Hi,

this is a suggestion from Stefan Fritsch on how to improve the security of
the script even without "sed -z".

Cheers,
-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

----- Original message -----
From: Stefan Fritsch <sf at sfritsch.de>
To: Ondřej Surý <ondrej at sury.org>
Cc: Debian Security Team <team at security.debian.org>
Subject: Re: Fixed php5 package for CVE-2014-3710
Date: Wed, 19 Nov 2014 12:00:55 +0100 (CET)

On Wed, 19 Nov 2014, Ondřej Surý wrote:
> -[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -F0 | sed -zne
> "s/^n//p" | xargs -0i echo touch -c -h "'{}'"
> +[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" | awk -- '{ if
> (NR > 1) { print $9; } }' | xargs -i touch -c {}
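
Review bot: The "+" line cannot carry arbitrary file names, because it takes "print $9" from lsof's column output and pipes it to "xargs -i touch -c {}". The awk field ends at the first blank in a name, xargs still treats quotes and backslashes in each input line as special, and a name containing a newline arrives as two items. The "-F0" output on the "-" line does not have this limitation, so keep "-F0" and split on NUL with "xargs -0" instead of parsing columns. The "+" line also drops "-h" from "touch -c -h", so for a symlink the link's target would be touched rather than the link itself; restore "-h" unless that change is intended.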

What is the echo in there for? That seems wrong. Also escaping arguments 
with ' ' is insecure, filenames may contain single quotes, too. Much 
better to let xargs do the splitting of the args.

You can use perl to replace the sed -z, though:

[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -F0 | perl -0 -n -e 's/^n// and print' | xargs -0 -r touch -c -h

xargs -r: If the standard input does not contain any nonblanks, do not
run the command.

xargs -i is not necessary because the args are at the end of the command.

Cheers,
Stefan
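
The difference between line-based and NUL-based splitting discussed in this message, as an added example that is not part of the original thread or the php5 package. It assumes GNU findutils and coreutils; the file names are constructed, "find -print0" stands in for the "lsof -F0 | perl -0" stage as the source of NUL-terminated paths, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare line-split and NUL-split xargs on awkward file names.

make_fixture() {
    # Scratch directory with constructed names, all given an old mtime.
    dir=$(mktemp -d) || return 1
    nl='
'
    touch -t 200001010000 "$dir/plain" "$dir/with space" \
        "$dir/it's quoted" "$dir/new${nl}line"
    printf '%s\n' "$dir"
}

count_fresh() {
    # Count files in $1 modified within the last day. Counting NUL
    # terminators keeps the result correct for names containing newlines.
    find "$1" -type f -mtime -1 -print0 | tr -dc '\000' | wc -c | tr -d ' '
}

touch_lines() {
    # Line-based splitting (-I is the POSIX spelling of -i): quotes are still
    # special to xargs and a newline inside a name splits it into two items.
    find "$1" -type f | xargs -I{} touch -c {} 2>/dev/null || true
}

touch_nul() {
    # NUL-based splitting: xargs passes every name through unmodified.
    # -r skips the command when the input is empty; -h touches a symlink
    # itself rather than its target.
    find "$1" -type f -print0 | xargs -0 -r touch -c -h
}

a=$(make_fixture); touch_lines "$a"
echo "line-split: $(count_fresh "$a") of 4 refreshed"
b=$(make_fixture); touch_nul "$b"
echo "NUL-split:  $(count_fresh "$b") of 4 refreshed"
rm -rf "$a" "$b"
```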
