[Secure-testing-team] Bug#770164: php5: /usr/lib/php5/sessionclean broken: passes incompatible argument to sed
Sven Herzberg
sven.herzberg at cluepunk.com
Wed Nov 19 09:47:28 UTC 2014
Package: php5
Version: 5.4.35-0+deb7u1
Severity: serious
Tags: security
Justification: Policy 10.4
With the latest update of the php5 package, the session cleaning script is broken. As
I'm unfamiliar with the session cleaning implementation, I guess this might cause a
security issue by potentially not deleting session information that should be deleted.
Here's some debugging information from manually running the script that is run by
the cron job.
> root at vm-b:~# set -x
> root at vm-b:~# . /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime)
> ++ /usr/lib/php5/maxlifetime
> + . /usr/lib/php5/sessionclean /var/lib/php5 24
> ++ '[' -x /usr/bin/lsof ']'
> ++ xargs -0i echo touch -c -h ''\''{}'\'''
> ++ sed -zne 's/^n//p'
> sed: invalid option -- 'z'
> Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]...
>
> -n, --quiet, --silent
> suppress automatic printing of pattern space
> -e script, --expression=script
> add the script to the commands to be executed
> -f script-file, --file=script-file
> add the contents of script-file to the commands to be executed
> --follow-symlinks
> follow symlinks when processing in place
> -i[SUFFIX], --in-place[=SUFFIX]
> edit files in place (makes backup if extension supplied)
> -l N, --line-length=N
> specify the desired line-wrap length for the `l' command
> --posix
> disable all GNU extensions.
> -r, --regexp-extended
> use extended regular expressions in the script.
> -s, --separate
> consider files as separate rather than as a single continuous
> long stream.
> -u, --unbuffered
> load minimal amounts of data from the input files and flush
> the output buffers more often
> --help display this help and exit
> --version output version information and exit
>
> If no -e, --expression, -f, or --file option is given, then the first
> non-option argument is taken as the sed script to interpret. All
> remaining arguments are names of input files; if no input files are
> specified, then the standard input is read.
>
> GNU sed home page: <http://www.gnu.org/software/sed/>.
> General help using GNU software: <http://www.gnu.org/gethelp/>.
> ++ /usr/bin/lsof -w -l +d /var/lib/php5 -F0
> ++ find /var/lib/php5 -depth -mindepth 1 -maxdepth 1 -ignore_readdir_race -type f -cmin +24 -delete
-- System Information:
Debian Release: 7.7
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-042stab092.3 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages php5 depends on:
ii libapache2-mod-php5 5.4.35-0+deb7u1
ii php5-cgi 5.4.35-0+deb7u1
ii php5-common 5.4.35-0+deb7u1
php5 recommends no packages.
php5 suggests no packages.
-- no debconf information
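The transcript above shows the `lsof -F0 | sed -zne 's/^n//p' | xargs -0i touch ...` stage aborting because this sed has no `-z` (null-data) option, so the files PHP still holds open are never touched before `find -cmin +24 -delete` runs. The following is an added example, not code from the bug report or from the Debian package: a replacement for that stage that needs no `sed -z`, assuming (as the original pipeline does) that `lsof -F0` emits NUL-terminated fields with each file name field prefixed by `n`.

```shell
#!/bin/sh
# Added example: replacement for the `sed -zne 's/^n//p'` stage of sessionclean
# for GNU sed releases that lack -z/--null-data.
# Assumption (not taken from the page): `lsof -F0` writes NUL-terminated fields
# and prefixes file-name fields with 'n', which is what the original relies on.

# Read NUL-terminated lsof -F0 fields on stdin; write the file names, still
# NUL-terminated, on stdout. NUL and NL are swapped so that plain sed sees one
# field per line, then swapped back so a newline embedded in a file name
# survives the round trip instead of splitting the name in two.
open_session_files() {
    tr '\0\n' '\n\0' | sed -ne 's/^n//p' | tr '\n\0' '\0\n'
}

# Wrapper for display and tests: one name per line.
list_open_session_files() {
    open_session_files | tr '\0' '\n'
}

# Drop-in for the sessionclean step: refresh the ctime of files PHP holds open
# so the following `find -cmin +N -delete` leaves active sessions alone.
# As in the original, `touch -c` never creates files and `-h` never follows symlinks.
touch_open_sessions() {
    /usr/bin/lsof -w -l +d "$1" -F0 | open_session_files | xargs -0 -I '{}' touch -c -h '{}'
}

# Constructed sample of lsof -F0 output (not captured from a real system):
# a pid field, a command field, then two open session files.
sample_lsof_output() {
    printf 'p123\0cphp5-cgi\0n/var/lib/php5/sess_a\0n/var/lib/php5/sess_b\0'
}

sample_lsof_output | list_open_session_files
```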