Yves-Alexis Perez wrote...
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3074-1 security@debian.org
> http://www.debian.org/security/ Yves-Alexis Perez
> November 18, 2014 http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package : php5
> CVE ID : CVE-2014-3710
> Debian Bug : 68283
Um, that number is wrong. It isn't #768283 either.
Worse, that update broke things:
| From: root@<host-redacted> (Cron Daemon)
| To: root@<host-redacted>
| Subject: Cron <root@<host-redacted>> [ -x /usr/lib/php5/maxlifetime ] && [ -x /usr/lib/php5/sessionclean ] && [ -d /var/lib/php5 ] && /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime)
|
| sed: invalid option -- 'z'
| Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]...
|
| -n, --quiet, --silent
| suppress automatic printing of pattern space
The -z option isn't available in the wheezy version of sed. For the
record, this is the change in sessionclean:
--- /tmp/sessionclean 2014-10-20 11:03:53.000000000 +0200
+++ /usr/lib/php5/sessionclean 2014-11-18 08:02:56.000000000 +0100
@@ -1,7 +1,7 @@
#!/bin/sh
# first find all used files and touch them (hope it's not massive amount of files)
-[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" | awk -- '{ if (NR > 1) { print $9; } }' | xargs -i touch -c {}
+[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -F0 | sed -zne "s/^n//p" | xargs -0i echo touch -c -h "'{}'"
# find all files older then maxlifetime
find "${1}" -depth -mindepth 1 -maxdepth 1 -ignore_readdir_race -type f -cmin "+${2}" -delete
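Review bot: On the `+` line, `xargs -0i echo touch -c -h "'{}'"` only prints the touch commands instead of running them, so session files that lsof reports as open never get their timestamps refreshed and remain eligible for the `find ... -cmin "+${2}" -delete` that follows; drop the `echo` and the extra quoting around `{}` so that touch is actually executed. The same line depends on `sed -z`, which the cron mail quoted above shows the installed sed rejecting ("invalid option -- 'z'"), so the NUL-separated `lsof -F0` output needs a filter that exists on the target release, or the script should test for `-z` support and fall back to the previous pipeline. Because the left side is `[ -x /usr/bin/lsof ] && ...` with no error handling, a failing pipeline here is not fatal and the delete step still runs, so the failure silently removes the protection for in-use sessions.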
Regards,
Christoph