[php-maint] Bug#766147: Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

Ondřej Surý ondrej at sury.org
Tue Oct 21 08:49:44 UTC 2014


Hi,

TL;DR: "s/touch -c/touch -c -h/", right?

Cheers,
Ondrej

On Tue, Oct 21, 2014, at 09:52, Fiedler Roman wrote:
> Package: php5-common 
> Version: 5.4.4-14+deb7u14
> Tags: security
> 
> /usr/lib/php5/sessionclean from [1] enables any process allowed to create
> entries in /var/lib/php5 to adjust the modification time of any file by
> waiting for the /etc/cron.d/php5 session cleanup job to run. This requires
> /proc/sys/fs/protected_symlinks to be set to 0 (off), which is not the
> default in Debian 7 Wheezy and up according to information from Debian
> security team.
> 
> Even for affected systems, the impact might be small, just annoying:
> 
> * backup/IDS might be unhappy when file modification time is changed
>   every 30min
> * some spoolers might work differently since stale file could be
>   prevented from reaching required age for next action
> * some privileged /proc or /sys entries might not handle modification
>   time update correctly or react in a strange way
> * Sudo credentials cache might be affected (not checked)
> 
> To my judgement, the session cleanup code does _NOT_ allow to create
> arbitrary files ("touch -c" is used), hence it would not be possible to
> use this to create e.g. /etc/suid-debug
> 
> POC:
> 
> su -s /bin/bash nobody
> cd /var/lib/php5
> ln -s /etc/passwd xxx
> cat > "xxx yyy"
> # wait
> 
> [1] http://http.us.debian.org/debian/pool/main/p/php5/php5-common_5.4.4-14+deb7u14_i386.deb
> 


-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
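
The difference between the two touch invocations discussed in this thread, as an added example that is not part of either message. It assumes GNU coreutils (`touch -h`, `stat -c`); all file names are constructed and live in a private `mktemp` directory.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (touch -h, stat -c).
# All paths are constructed inside a private mktemp directory.

# Echo "changed" or "unchanged": did touching a symlink with the given
# options (e.g. "-c" or "-c -h") move the mtime of the file it points to?
target_after_touch() {
    opts=$1
    dir=$(mktemp -d) || return 1
    : > "$dir/target"
    touch -t 200001010000 "$dir/target"      # give the target an old mtime
    ln -s "$dir/target" "$dir/sess_link"     # constructed stand-in for a planted link
    before=$(stat -c %Y "$dir/target")
    # $opts is deliberately unquoted so "-c -h" splits into two options
    touch $opts "$dir/sess_link"
    after=$(stat -c %Y "$dir/target")
    rm -rf "$dir"
    if [ "$before" = "$after" ]; then echo unchanged; else echo changed; fi
}

# Echo "yes" or "no": does touching a dangling symlink create its target?
dangling_target_created() {
    opts=$1
    dir=$(mktemp -d) || return 1
    ln -s "$dir/missing" "$dir/sess_link"
    touch $opts "$dir/sess_link"
    if [ -e "$dir/missing" ]; then result=yes; else result=no; fi
    rm -rf "$dir"
    echo "$result"
}

# Report the kernel setting the report depends on, where it is exposed.
symlink_protection() {
    f=/proc/sys/fs/protected_symlinks
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

echo "touch -c      : target mtime $(target_after_touch '-c')"
echo "touch -c -h   : target mtime $(target_after_touch '-c -h')"
echo "touch -c      : dangling target created? $(dangling_target_created '-c')"
echo "protected_symlinks = $(symlink_protection)"
```
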


