Hi,

TL;DR: "s/touch -c/touch -c -h/", right?

Cheers,
Ondrej

On Tue, Oct 21, 2014, at 09:52, Fiedler Roman wrote:
> Package: php5-common
> Version: 5.4.4-14+deb7u14
> Tags: security
>
> /usr/lib/php5/sessionclean from [1] enables any process allowed to create
> entries in /var/lib/php5 to adjust the modification time of any file by
> waiting for the /etc/cron.d/php5 session cleanup job to run. This requires
> /proc/sys/fs/protected_symlinks to be set to 0 (off), which is not the
> default in Debian 7 Wheezy and up according to information from Debian
> security team.
>
> Even for affected systems, the impact might be small, just annoying:
>
> * backup/IDS might be unhappy when file modification time is changed every
>   30min
> * some spoolers might work differently since stale file could be prevented
>   from reaching required age for next action
> * some privileged /proc or /sys entries might not handle modification time
>   update correctly or react in a strange way
> * Sudo credentials cache might be affected (not checked)
>
> To my judgement, the session cleanup code does _NOT_ allow to create
> arbitrary files ("touch -c" is used), hence it would not be possible to use
> this to create e.g. /etc/suid-debug
>
> POC:
>
> su -s /bin/bash nobody
> cd /var/lib/php5
> ln -s /etc/passwd xxx
> cat > "xxx yyy"
> # wait
>
> [1] http://http.us.debian.org/debian/pool/main/p/php5/php5-common_5.4.4-14+deb7u14_i386.deb

-- 
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
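The effect of the substitution proposed in the reply, as an added example that is not code from the php5 package or from either author: it compares `touch -c` with `touch -c -h` on a symlink and also checks the report's point that `-c` does not create a missing target. It assumes a `touch` that supports `-h` (GNU coreutils does); all file names are constructed inside a throwaway temporary directory.

```shell
#!/bin/sh
# Added example: behaviour of `touch -c` vs `touch -c -h` on symlinks.
# Every path below is constructed in a private temp directory.

# Prints "changed" if touching the symlink with the given options updated
# the mtime of the file the symlink points to, "unchanged" otherwise.
target_mtime_after() {
    dir=$(mktemp -d) || return 1
    # Constructed stand-in for a file outside the session directory.
    touch -t 200001010000 "$dir/target"
    # Reference timestamp: later than the target's, still in the past.
    touch -t 200101010000 "$dir/ref"
    # Constructed stand-in for a planted entry in the session directory.
    ln -s "$dir/target" "$dir/link"

    # "$@" carries the touch options under test.
    touch "$@" "$dir/link"

    if [ "$dir/target" -nt "$dir/ref" ]; then
        result=changed
    else
        result=unchanged
    fi
    rm -rf "$dir"
    echo "$result"
}

# Prints "created" if touching a dangling symlink created its target,
# "absent" otherwise.
dangling_target_after() {
    dir=$(mktemp -d) || return 1
    ln -s "$dir/missing" "$dir/link"
    touch "$@" "$dir/link" 2>/dev/null || true
    if [ -e "$dir/missing" ]; then
        result=created
    else
        result=absent
    fi
    rm -rf "$dir"
    echo "$result"
}

echo "touch -c    on symlink: target mtime $(target_mtime_after -c)"
echo "touch -c -h on symlink: target mtime $(target_mtime_after -c -h)"
echo "touch -c    on dangling symlink: target $(dangling_target_after -c)"
```

With `-h` the timestamp update lands on the symlink itself, so the file it points to keeps its original modification time.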