[php-maint] Bug#766147: Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

Ondřej Surý ondrej at sury.org
Tue Oct 21 10:06:33 UTC 2014


Control: tags -1 +pending

On Tue, Oct 21, 2014, at 11:33, Ondřej Surý wrote:
> On Tue, Oct 21, 2014, at 11:16, Fiedler Roman wrote:
> > > Von: Ondřej Surý [mailto:ondrej at sury.org]
> > > 
> > > On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > > > > Von: Ondřej Surý [mailto:ondrej at sury.org]
> > > > >
> > > > > Hi,
> > > > >
> > > > > TL;DR: "s/touch -c/touch -c -h/", right?
> > > >
> > > > This will fix it for arbitrary symlinks, the only remaining issues would
> > > > be
> > > >
> > > > a) keeping open a file ".. xxxx", which will update the parent directory
> > > > modification time.
> > > 
> > > Which parent directory? The session dir or the symlink target parent
> > > directory?
> > 
> > The /var/lib directory: Since the parsing of the lsof output is
> > broken (awk uses "$9"), an open file ".. xxxx" will cause touch -c
> > "/var/lib/php5/.." without involving any symlinks.
> 
> I see...

Thanks for the analysis, while the impact is very low, it's worth
updating.

> [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -Fn | grep -E "^n" | cut -b 2- | xargs -i touch -c -h {}

This change will be included in next wheezy update of PHP.

> JFTR jessie&sid has a new script that takes a different approach and
> might suffer from the same bug if you manage to open a file in
> /var/lib/php5/sessions/ with active php5 process.

If you find a similar vulnerability in the new session script, please
open a new bug.

Cheers,
-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
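The two defects discussed above, replayed as an added shell example that is not the Debian sessionclean script and is not part of the original thread. The lsof output is constructed by hand from the columns lsof prints (lsof itself is never run), the directory is a temporary stand-in for /var/lib/php5 and its parent, and the "legacy" parser is a reconstruction of the awk "$9" step as Roman describes it, not the original cron job. It shows that column-9 parsing turns an open file ".. xxxx" into "..", so the cleanup stamps the parent directory, that the -Fn field output keeps the full name, and that touch -c follows a planted symlink while touch -c -h does not.

```shell
#!/bin/sh
# Added example, not the Debian sessionclean script: replays the two defects
# discussed in the thread inside a throw-away directory.
#   1. Taking column 9 of lsof's table output truncates a NAME that contains a
#      blank, so an open file ".. xxxx" becomes "..", and touch(1) then lands
#      on the parent of the session directory.
#   2. touch -c follows a symlink and stamps its target; touch -c -h does not.
# All lsof output below is constructed by hand; lsof itself is never invoked.

WORK=$(mktemp -d)            # stand-in for /var/lib (parent of the session dir)
SESSDIR="$WORK/sessions"     # hypothetical session directory, not /var/lib/php5
mkdir "$SESSDIR"
touch "$SESSDIR/sess_abc" "$SESSDIR/.. xxxx" "$WORK/victim" "$WORK/ref"
ln -s "$WORK/victim" "$SESSDIR/sess_link"   # a symlink planted among the sessions
trap 'rm -rf "$WORK"' EXIT

# What `lsof -w -l +d "$SESSDIR"` would print for two open files (constructed).
legacy_output() {
    printf '%s\n' \
        'COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME' \
        "php5-cgi 1234   33  3r  REG    8,1        0 5678 $SESSDIR/sess_abc" \
        "sleep    4321 1000  3r  REG    8,1        0 9012 $SESSDIR/.. xxxx"
}

# The same two files as `lsof -w -l +d "$SESSDIR" -Fn` would print (constructed):
# one field per line; p = PID and f = descriptor are always emitted, n = name.
fieldmode_output() {
    printf '%s\n' p1234 f3 "n$SESSDIR/sess_abc" p4321 f3 "n$SESSDIR/.. xxxx"
}

# Old parse as the thread describes it (field 9 of the table): only the first
# blank-separated word of NAME survives.
parse_legacy()    { awk 'NR > 1 { print $9 }'; }
# Parse used by the fix: keep the n lines and drop the one-byte field tag; the
# rest of the line is the name, blanks included.
parse_fieldmode() { grep -E '^n' | cut -b 2-; }

legacy_names() { legacy_output | parse_legacy; }
fixed_names()  { fieldmode_output | parse_fieldmode; }

# Reset $1's mtime (and the reference file's) to 2000-01-01 so a later bump shows.
rewind() { touch -t 200001010000 "$WORK/ref" "$1"; }

# Run one cleanup pipeline ("legacy" or "fixed") and succeed if the parent
# directory $WORK came out of it with a fresh mtime.
parent_bumped_by() {
    rewind "$WORK"
    case $1 in
        legacy) legacy_output | parse_legacy | xargs touch -c ;;
        fixed)  fieldmode_output | parse_fieldmode | xargs -I '{}' touch -c -h '{}' ;;
    esac
    [ "$WORK" -nt "$WORK/ref" ]
}

# Touch the symlink with the given extra flag ("" or -h) and succeed if the
# target's mtime moved.
target_bumped_by_touch() {
    rewind "$WORK/victim"
    # shellcheck disable=SC2086  # $1 is unquoted on purpose so "" vanishes
    touch -c $1 "$SESSDIR/sess_link"
    [ "$WORK/victim" -nt "$WORK/ref" ]
}

echo "legacy parse:";     legacy_names
echo "field-mode parse:"; fixed_names
if parent_bumped_by legacy; then echo "legacy pipeline stamped parent dir $WORK"; fi
if parent_bumped_by fixed;  then echo "fixed pipeline stamped parent dir"; else echo "fixed pipeline left the parent alone"; fi
if target_bumped_by_touch "";  then echo "touch -c followed the symlink to victim"; fi
if target_bumped_by_touch -h;  then echo "touch -c -h followed the symlink"; else echo "touch -c -h left victim alone"; fi
```

The `xargs -i` in the quoted fix is the older GNU spelling of `xargs -I '{}'` used here: with it, blanks no longer split a name, which is what the field-mode parse needs. Two caveats remain that the page does not address: xargs without -0 still interprets quotes and backslashes, so a name containing a double quote makes GNU xargs abort the batch, and touch -h only protects the final path component, not a symlinked directory earlier in the path.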