[php-maint] Bug#766147: Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Ondřej Surý
ondrej at sury.org
Tue Oct 21 08:49:44 UTC 2014
Hi,
TL;DR: "s/touch -c/touch -c -h/", right?
Cheers,
Ondrej
On Tue, Oct 21, 2014, at 09:52, Fiedler Roman wrote:
> Package: php5-common
> Version: 5.4.4-14+deb7u14
> Tags: security
>
> /usr/lib/php5/sessionclean from [1] enables any process allowed to create
> entries in /var/lib/php5 to adjust the modification time of any file by
> waiting for the /etc/cron.d/php5 session cleanup job to run. This requires
> /proc/sys/fs/protected_symlinks to be set to 0 (off), which is not the
> default in Debian 7 Wheezy and up according to information from the Debian
> security team.
>
> Even for affected systems, the impact might be small, just annoying:
>
> * backup/IDS might be unhappy when file modification time is changed
> every 30min
> * some spoolers might work differently since a stale file could be
> prevented from reaching the required age for the next action
> * some privileged /proc or /sys entries might not handle modification
> time updates correctly or react in a strange way
> * Sudo credentials cache might be affected (not checked)
>
> In my judgement, the session cleanup code does _NOT_ allow creating
> arbitrary files ("touch -c" is used), hence it would not be possible to
> use this to create e.g. /etc/suid-debug
>
> POC:
>
> su -s /bin/bash nobody
> cd /var/lib/php5
> ln -s /etc/passwd xxx
> cat > "xxx yyy"
> # wait
>
> [1]
> http://http.us.debian.org/debian/pool/main/p/php5/php5-common_5.4.4-14+deb7u14_i386.deb
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
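The one-flag change proposed above can be checked directly. The script below is an added example, not the bug report's POC and not Debian's sessionclean script: in a throwaway directory it backdates a regular file, points a symlink at it, and runs the cleanup-style `touch -c` once without and once with `-h`, reporting whether the symlink target's mtime moved. It assumes GNU coreutils (`touch -h`, `touch -d`, `stat -c %Y`); the target file, the symlink and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the bug report or of /usr/lib/php5/sessionclean):
# compare the symlink-following "touch -c" with the proposed "touch -c -h"
# so the effect of the fix is visible without touching any real file.
# Assumes GNU coreutils: touch -h (--no-dereference), touch -d, stat -c.

set -u

# Epoch-seconds mtime of the path itself (a regular file here).
mtime_of() {
    stat -c %Y "$1"
}

# Runs one cleanup-style touch over a symlink and prints "changed" if the
# symlink target's mtime moved, "unchanged" otherwise.
# $1 holds extra touch flags: "" for plain "touch -c", "-h" for the fix.
probe_touch() {
    flags=$1
    dir=$(mktemp -d)
    # Constructed target standing in for a file outside the session dir.
    printf 'target\n' > "$dir/target"
    # Backdate it by a day so a "now" touch is detectable.
    touch -d '1 day ago' "$dir/target"
    before=$(mtime_of "$dir/target")
    # Constructed symlink standing in for a stale-looking session entry.
    ln -s "$dir/target" "$dir/sess_link"
    # shellcheck disable=SC2086  (flags intentionally unquoted: may be empty)
    touch -c $flags "$dir/sess_link"
    after=$(mtime_of "$dir/target")
    rm -rf "$dir"
    if [ "$before" -ne "$after" ]; then
        echo changed
    else
        echo unchanged
    fi
}

# Named wrappers for the two behaviours under comparison.
vulnerable_touch() { probe_touch ""; }   # follows the symlink
fixed_touch()      { probe_touch "-h"; } # updates only the symlink itself

printf 'touch -c   : target %s\n' "$(vulnerable_touch)"
printf 'touch -c -h: target %s\n' "$(fixed_touch)"
```

With protected_symlinks off (or when run as root, which the cron job is), the first line reports `changed` and the second `unchanged`, which is exactly the property the `-h` flag is meant to restore: the cleanup job may still refresh or remove session entries, but it no longer acts on whatever a session-directory symlink points at.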