CVE-2011-0441: arbitrary files removal via cronjob

Related Vulnerabilities: CVE-2011-0441, CVE-2011-1072, CVE-2011-1144

Debian Bug report logs - #618489


Reported by: Stephane Chazelas <stephane.chazelas@seebyte.com>

Date: Tue, 15 Mar 2011 16:21:01 UTC

Severity: normal

Tags: pending, security

Found in versions php5/5.3.5-1, 5.2.6.dfsg.1-1

Fixed in version php5/5.3.6-1

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Tue, 15 Mar 2011 16:21:04 GMT)


Acknowledgement sent to Stephane Chazelas <stephane.chazelas@seebyte.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 15 Mar 2011 16:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Stephane Chazelas <stephane.chazelas@seebyte.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5-common: privilege escalation in /etc/cron.d/php5
Date: Tue, 15 Mar 2011 16:17:50 +0000
Package: php5-common
Version: 5.3.5-1
Severity: normal


/etc/cron.d/php5 has:
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm

$ ls -dl /var/lib/php5
drwx-wx-wt 2 root root 4096 Mar 15 15:40 /var/lib/php5/

That basically allows anyone to have root remove any file on
the file system.

For instance, by creating a:

/var/lib/php5/foo/passwd file, and then a million files in
/var/lib/php5/bar a few minutes later

when /var/lib/php5/foo/passwd has exceeded its maxlifetime but
not the ones in /var/lib/php5/bar, assuming foo appears before
bar, find will output /var/lib/php5/foo/passwd and then spend a
few minutes in /var/lib/php5/bar during which the attacker can
replace his /var/lib/php5/foo directory with a symlink to /etc.
Then xargs will remove /etc/passwd.

Some workarounds:
- do not descend into subdirectories
  find /var/lib/php5/. ! -name . -prune -type f -cmin +"$(/usr/lib/php5/maxlifetime)" -exec rm -f {} +
  (note the POSIX syntax instead of the non-standard GNU one)
- Or use non-standard find options -execdir or -delete.
  find /var/lib/php5/ -type f -cmin +"$(/usr/lib/php5/maxlifetime)" -delete
  or:
  find /var/lib/php5/ -type f -cmin +"$(/usr/lib/php5/maxlifetime)" -execdir rm -f {} \;

See info -n 'Security Considerations' -f find for details.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5-common depends on:
ii  libc6                         2.11.2-13  Embedded GNU C Library: Shared lib
ii  sed                           4.2.1-9    The GNU sed stream editor

Versions of packages php5-common recommends:
ii  php5-suhosin                  0.9.32.1-1 advanced protection module for php

php5-common suggests no packages.

-- no debconf information




Added tag(s) security. Request was from Stephane Chazelas <stephane.chazelas@seebyte.com> to control@bugs.debian.org. (Tue, 15 Mar 2011 16:36:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Wed, 16 Mar 2011 09:03:03 GMT)


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 16 Mar 2011 09:03:03 GMT)


Message #12 received at 618489@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Stephane Chazelas <stephane.chazelas@seebyte.com>, 618489@bugs.debian.org
Subject: Re: [php-maint] Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5
Date: Wed, 16 Mar 2011 09:59:55 +0100

Hi Stephane,

On Tue, Mar 15, 2011 at 04:17:50PM +0000, Stephane Chazelas wrote:
> 09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm
 
> when /var/lib/php5/foo/passwd has exceeded its maxlifetime but
> not the ones in /var/lib/php5/bar, assuming foo appears before
> bar, find will output /var/lib/php5/foo/passwd and then spend a
> few minutes in /var/lib/php5/bar during which the attacker can
> replace his /var/lib/php5/foo directory with a symlink to /etc.
> Then xargs will remove /etc/passwd.

Wouldn't xargs just remove the symlink?  I could see this being a
problem if xargs was putting something *into* the files, but don't
see the particular issue here.

	Sean




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Wed, 16 Mar 2011 09:36:05 GMT)


Acknowledgement sent to Stephane Chazelas <stephane.chazelas@seebyte.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 16 Mar 2011 09:36:05 GMT)


Message #17 received at 618489@bugs.debian.org:

From: Stephane Chazelas <stephane.chazelas@seebyte.com>
To: sean finney <seanius@debian.org>
Cc: 618489@bugs.debian.org
Subject: Re: [php-maint] Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5
Date: Wed, 16 Mar 2011 09:27:29 +0000

2011-03-16 09:59:55 +0100, sean finney:
> Hi Stephane,

Hi Sean,

> On Tue, Mar 15, 2011 at 04:17:50PM +0000, Stephane Chazelas wrote:
> > 09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm
>  
> > when /var/lib/php5/foo/passwd has exceeded its maxlifetime but
> > not the ones in /var/lib/php5/bar, assuming foo appears before
> > bar, find will output /var/lib/php5/foo/passwd and then spend a
> > few minutes in /var/lib/php5/bar during which the attacker can
> > replace his /var/lib/php5/foo directory with a symlink to /etc.
> > Then xargs will remove /etc/passwd.
> 
> Wouldn't xargs just remove the symlink?  I could see this being a
> problem if xargs was putting something *into* the files, but don't
> see the particular issue here.
[...]

No, please look carefully. It's not "passwd" that's the
symlink, it's foo (to /etc). rm would remove
/var/lib/php5/foo/passwd, that is it would unlink the "passwd"
entry from the directory pointed to by "foo", that is "/etc".

It's such a common mistake that it is documented in GNU
findutils documentation which I gave a reference to.

Cheers,
Stephane




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Wed, 16 Mar 2011 09:45:03 GMT)


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 16 Mar 2011 09:45:03 GMT)


Message #22 received at 618489@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: Stephane Chazelas <stephane.chazelas@seebyte.com>
Cc: 618489@bugs.debian.org
Subject: Re: [php-maint] Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5
Date: Wed, 16 Mar 2011 10:40:29 +0100

On Wed, Mar 16, 2011 at 09:27:29AM +0000, Stephane Chazelas wrote:
> No, please look carefully. It's not "passwd" that's the
> symlink, it's foo (to /etc). rm would remove
> /var/lib/php5/foo/passwd, that is it would unlink the "passwd"
> entry from the directory pointed to by "foo", that is "/etc".

oh, right.  well good catch then, i guess we'll need to prepare
a stable security update...


	sean




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Thu, 17 Mar 2011 04:00:03 GMT)


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 17 Mar 2011 04:00:03 GMT)


Message #27 received at 618489@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 618489@bugs.debian.org
Cc: Stephane Chazelas <stephane.chazelas@seebyte.com>
Subject: Re: [php-maint] Bug#618489: Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5
Date: Wed, 16 Mar 2011 21:57:50 -0600

On 16 March 2011 03:40, sean finney <seanius@debian.org> wrote:
> On Wed, Mar 16, 2011 at 09:27:29AM +0000, Stephane Chazelas wrote:
>> No, please look carefully. It's not "passwd" that's the
>> symlink, it's foo (to /etc). rm would remove
>> /var/lib/php5/foo/passwd, that is it would unlink the "passwd"
>> entry from the directory pointed to by "foo", that is "/etc".
>
> oh, right.  well good catch then, i guess we'll need to prepare
> a stable security update...

Yes, I'm on it.
For sid I'm inclined to make /var/lib/php5 uid: root, gid: www-data,
and remove the world-rw mode. Why would we want to allow anyone else
to use that dir anyway? perhaps I'm missing some bits of history.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Changed Bug title to 'CVE-2011-0441: arbitrary files removal via cronjob' from 'php5-common: privilege escalation in /etc/cron.d/php5'. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Thu, 17 Mar 2011 05:21:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Thu, 17 Mar 2011 07:45:03 GMT)


Acknowledgement sent to Sean Finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 17 Mar 2011 07:45:03 GMT)


Message #34 received at 618489@bugs.debian.org:

From: Sean Finney <seanius@debian.org>
To: Raphael Geissert <geissert@debian.org>, 618489@bugs.debian.org
Cc: Stephane Chazelas <stephane.chazelas@seebyte.com>
Subject: Re: [php-maint] Bug#618489: Bug#618489: Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5
Date: Thu, 17 Mar 2011 08:41:28 +0100

On Wed, 2011-03-16 at 21:57 -0600, Raphael Geissert wrote:
> On 16 March 2011 03:40, sean finney <seanius@debian.org> wrote:
> > On Wed, Mar 16, 2011 at 09:27:29AM +0000, Stephane Chazelas wrote:
> >> No, please look carefully. It's not "passwd" that's the
> >> symlink, it's foo (to /etc). rm would remove
> >> /var/lib/php5/foo/passwd, that is it would unlink the "passwd"
> >> entry from the directory pointed to by "foo", that is "/etc".
> >
> > oh, right.  well good catch then, i guess we'll need to prepare
> > a stable security update...
> 
> Yes, I'm on it.
> For sid I'm inclined to make /var/lib/php5 uid: root, gid: www-data,
> and remove the world-rw mode. Why would we want to allow anyone else
> to use that dir anyway? perhaps I'm missing some bits of history.

I would suggest instead of using -delete, that we use -maxdepth 1.  I
think technically there's still some small window of opportunity (maybe
not exploitable, but still) in between the find comparisons and the
delete action, and i don't think we need to descend into directories in
the first place since the session files are all in the top level of
that directory.  i made a patch last night but my colo'd server has been
up and down for the past few days :/  i'll attach it here instead of
pushing it, so we can decide what makes the most sense.

Regarding the permissions, I also agree and don't know why they were
world read/writable, whether someone was just copying the perms
from /tmp or had a reason to do so.  Not sure whether that also warrants
going into stable or not, but we could at least try it out in unstable
and see if anyone complains :)

thoughts?

	sean
[0001-Fix-session-gc-cronjob-to-prevent-race-condition-wit.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Thu, 17 Mar 2011 09:48:03 GMT)


Acknowledgement sent to Stephane Chazelas <stephane.chazelas@seebyte.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 17 Mar 2011 09:48:03 GMT)


Message #39 received at 618489@bugs.debian.org:

From: Stephane Chazelas <stephane.chazelas@seebyte.com>
To: Sean Finney <seanius@debian.org>
Cc: Raphael Geissert <geissert@debian.org>, 618489@bugs.debian.org
Subject: Re: [php-maint] Bug#618489: Bug#618489: Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5
Date: Thu, 17 Mar 2011 09:45:23 +0000

2011-03-17 08:41:28 +0100, Sean Finney:
> On Wed, 2011-03-16 at 21:57 -0600, Raphael Geissert wrote:
> > On 16 March 2011 03:40, sean finney <seanius@debian.org> wrote:
> > > On Wed, Mar 16, 2011 at 09:27:29AM +0000, Stephane Chazelas wrote:
> > >> No, please look carefully. It's not "passwd" that's the
> > >> symlink, it's foo (to /etc). rm would remove
> > >> /var/lib/php5/foo/passwd, that is it would unlink the "passwd"
> > >> entry from the directory pointed to by "foo", that is "/etc".
> > >
> > > oh, right.  well good catch then, i guess we'll need to prepare
> > > a stable security update...
> > 
> > Yes, I'm on it.
> > For sid I'm inclined to make /var/lib/php5 uid: root, gid: www-data,
> > and remove the world-rw mode. Why would we want to allow anyone else
> > to use that dir anyway? perhaps I'm missing some bits of history.
> 
> I would suggest instead of using -delete, that we use -maxdepth 1.

Note that the standard equivalent of find ... -maxdepth 1 is (as
I suggested in my initial report):

find .../. ! -name . -prune ...

(strictly speaking, that would be more -mindepth 1 -maxdepth 1)

> I think technically there's still some small window of opportunity (maybe
> not exploitable, but still) in between the find comparisons and the
> delete action

GNU's -delete does some unlinkat(2) and find would use O_NOFOLLOW to
descend into subdirs, so I don't think there would be race
conditions there.

> and i don't think we need to decend into directories in
> the first place since the session files are all in the top level of
> that directory.

Agreed.

> i made a patch last night but my colo'd server has been
> up and down for the past few days :/  i'll attach it here instead of
> pushing it, so we can decide what makes the most sense.
> 
> Regarding the permissions, I also agree and don't know why they were
> world read/writable, whether someone was just copying the perms
> from /tmp or had a reason to do so.  Not sure whether that also warrants
> going into stable or not, but we could at least try it out in unstable
> and see if anyone complains :)


[...]
> +09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm
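Review bot: the new cron line still pipes `find` into `xargs -n 200 -r -0 rm`, so every candidate is unlinked only after the whole traversal, and the gap between the `-cmin` check and the `rm` that the report describes remains; `-maxdepth 1` stops descent into attacker-owned subdirectories but does not close that gap, so `-delete` (which the thread goes on to agree on) is the safer replacement for `-print0 | xargs ... rm`. The command substitution is also unquoted; write `+"$(/usr/lib/php5/maxlifetime)"` as the original report does, so unexpected output cannot split into extra find arguments.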

Note that I gave a POSIX equivalent of that command.

Another reason for using -delete (you're using GNU syntax
anyway) is that files are removed just after their time stamp is
checked.

Cheers,
Stephane




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Thu, 17 Mar 2011 14:51:03 GMT)


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 17 Mar 2011 14:51:03 GMT)


Message #44 received at 618489@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: Stephane Chazelas <stephane.chazelas@seebyte.com>, 618489@bugs.debian.org
Subject: Re: [php-maint] Bug#618489: Bug#618489: Bug#618489: Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5
Date: Thu, 17 Mar 2011 08:47:56 -0600

On 17 March 2011 03:45, Stephane Chazelas <stephane.chazelas@seebyte.com> wrote:
> 2011-03-17 08:41:28 +0100, Sean Finney:
>> I would suggest instead of using -delete, that we use -maxdepth 1.

That was my first thought, but I don't want to break any system that
is using subdirs in that directory in {,old}stable. For sid I'm okay
with using -maxdepth.

>> I think technically there's still some small window of opportunity (maybe
>> not exploitable, but still) in between the find comparisons and the
>> delete action
>
> GNU's -delete does some unlinkat(2) and find would use O_NOFOLLOW to
> descend into subdirs, so I don't think there would be race
> conditions there.

Yes, that's correct.

>> Regarding the permissions, I also agree and don't know why they were
>> world read/writable, whether someone was just copying the perms
>> from /tmp or had a reason to do so.  Not sure whether that also warrants
>> going into stable or not, but we could at least try it out in unstable
>> and see if anyone complains :)

I think we should only make that change in unstable. If anyone
complains I'd tell them to use a per-user directory.

> Another reason for using -delete (you're using GNU syntax
> anyway) is that files are removed just after their time stamp is
> checked.

And it avoids extra forks, yes.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
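The mechanism Stephane describes above and Raphael confirms (one directory descriptor, O_NOFOLLOW, unlinkat, no descent into subdirectories) written out as a small C program; this is an added illustration, not code from this bug thread or from the php5 package. gc_session_dir is the hardened equivalent of the cron job's find, and selftest builds a constructed session directory (the names sess_old, sess_new, sub/, victim/passwd and dir_link are invented for the test) to show what it removes and what it leaves alone.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
/* Remove regular files directly inside DIR whose mtime is older than MAX_MINUTES;
 * returns the count removed, or -1 if DIR cannot be opened. Everything hangs off one
 * directory fd opened with O_DIRECTORY|O_NOFOLLOW: the type/age check (fstatat) and
 * the removal (unlinkat) both go through it and nothing is descended into, so swapping
 * a path component for a symlink after the check cannot redirect the unlink.
 * Simplification: mtime is compared (what PHP's own session gc uses and what the
 * self-test can age with utimensat); the Debian cron line used -cmin, i.e. ctime. */
int gc_session_dir(const char *dir, int max_minutes)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;                     /* ELOOP when DIR itself is a symlink */
    DIR *d = fdopendir(dfd);
    if (d == NULL) { close(dfd); return -1; }
    time_t now = time(NULL);
    int removed = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        struct stat st;
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue;
        /* AT_SYMLINK_NOFOLLOW: a planted symlink is seen as a symlink, never as its target */
        if (fstatat(dfd, ent->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) continue;
        if (!S_ISREG(st.st_mode)) continue;     /* skip subdirectories, symlinks, sockets */
        if (now - st.st_mtime <= (time_t)max_minutes * 60) continue;  /* session still live */
        if (unlinkat(dfd, ent->d_name, 0) == 0) removed++;
    }
    closedir(d);                                /* also closes dfd */
    return removed;
}

/* Test helper: create DIR/NAME and push its mtime MINUTES_OLD minutes into the past. */
static int make_aged_file(const char *dir, const char *name, int minutes_old)
{
    char path[PATH_MAX];
    struct timespec ts[2] = { {0, 0}, {0, 0} };
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    close(fd);
    ts[0].tv_sec = ts[1].tv_sec = time(NULL) - (time_t)minutes_old * 60;
    return utimensat(AT_FDCWD, path, ts, 0);
}

/* Test helper: does DIR/NAME still exist (a final symlink is not followed)? */
static int entry_exists(const char *dir, const char *name)
{
    char path[PATH_MAX];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return lstat(path, &st) == 0;
}

/* Constructed layout in a fresh temp dir: sess_old (60 min) must go; sess_new (1 min),
 * sub/sess_in_sub (one level down), the symlink dir_link -> victim/ and victim/passwd
 * (a stand-in for /etc/passwd) must all stay, and gc must refuse to run through the
 * symlinked directory at all. Returns 1 when every expectation holds, 0 otherwise. */
int selftest(void)
{
    char tmpl[] = "/tmp/php5gc-XXXXXX", sub[PATH_MAX], victim[PATH_MAX], lnk[PATH_MAX], p[PATH_MAX];
    char *dir = mkdtemp(tmpl);
    if (dir == NULL) return 0;
    snprintf(sub, sizeof sub, "%s/sub", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/dir_link", dir);
    if (mkdir(sub, 0700) != 0 || mkdir(victim, 0700) != 0 || symlink(victim, lnk) != 0) return 0;
    if (make_aged_file(dir, "sess_old", 60) != 0 || make_aged_file(dir, "sess_new", 1) != 0
        || make_aged_file(dir, "sub/sess_in_sub", 60) != 0
        || make_aged_file(dir, "victim/passwd", 60) != 0) return 0;
    int ok = gc_session_dir(dir, 30) == 1
          && !entry_exists(dir, "sess_old")
          && entry_exists(dir, "sess_new")
          && entry_exists(dir, "sub/sess_in_sub")
          && entry_exists(dir, "dir_link")
          && gc_session_dir(lnk, 30) == -1        /* O_NOFOLLOW rejects the symlinked dir */
          && entry_exists(dir, "victim/passwd");  /* so the stand-in file is untouched */
    unlink(lnk);                                  /* tidy up the constructed tree */
    snprintf(p, sizeof p, "%s/sub/sess_in_sub", dir); unlink(p); rmdir(sub);
    snprintf(p, sizeof p, "%s/victim/passwd", dir); unlink(p); rmdir(victim);
    snprintf(p, sizeof p, "%s/sess_new", dir); unlink(p);
    snprintf(p, sizeof p, "%s/sess_old", dir); unlink(p);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("session gc self-test: %s\n", selftest() ? "ok" : "FAILED");
    return 0;
}
```

Compile with `cc -Wall -o php5gc php5gc.c` on Linux; the self-test only creates and removes files under its own mkdtemp directory.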




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Thu, 17 Mar 2011 21:39:03 GMT)


Acknowledgement sent to Sean Finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 17 Mar 2011 21:39:03 GMT)


Message #49 received at 618489@bugs.debian.org:

From: Sean Finney <seanius@debian.org>
To: Stephane Chazelas <stephane.chazelas@seebyte.com>
Cc: Raphael Geissert <geissert@debian.org>, 618489@bugs.debian.org
Subject: Re: [php-maint] Bug#618489: Bug#618489: Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5
Date: Thu, 17 Mar 2011 22:37:52 +0100

On Thu, 2011-03-17 at 09:45 +0000, Stephane Chazelas wrote:
> 
> Note that I gave a POSIX equivalent of that command.
> 
> Another reason for using -delete (you're using GNU syntax
> anyway) is that files are removed just after their time stamp is
> checked.

okay, so then i think we're all in agreement to use -delete and throw
out the -print0|xargs.  i double checked on kFreeBSD and find is also
built with O_NOFOLLOW there btw.

so regarding the maxdepth/prune... not sure that we have agreement on
whether this should go at stable/oldstable or not.  do we limit it to
unstable, or do we make the change and maybe add some notes for
-security to put in the DSA?

likewise, with the permissions change?


	sean

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Fri, 18 Mar 2011 02:21:03 GMT)


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 18 Mar 2011 02:21:03 GMT)


Message #54 received at 618489@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 618489@bugs.debian.org
Cc: Stephane Chazelas <stephane.chazelas@seebyte.com>
Subject: Re: [php-maint] Bug#618489: Bug#618489: Bug#618489: Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5
Date: Thu, 17 Mar 2011 20:18:44 -0600

On 17 March 2011 15:37, Sean Finney <seanius@debian.org> wrote:
> so regarding the maxdepth/prune... not sure that we have agreement on
> whether this should go at stable/oldstable or not.  do we limit it to
> unstable, or do we make the change and maybe add some notes for
> -security to put in the DSA?
>
> likewise, with the permissions change?

My opinion is to only make the -delete change in old/stable. Making
any of the other changes would change current behaviour and has the
risk of breaking setups (even if they rely on undocumented behaviour.)

Unless there's any compelling argument to do make those changes with
the risk of breaking setups, I'm going to release the DSA without
them.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Fri, 18 Mar 2011 06:30:03 GMT)


Acknowledgement sent to Sean Finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 18 Mar 2011 06:30:03 GMT)


Message #59 received at 618489@bugs.debian.org:

From: Sean Finney <seanius@debian.org>
To: Raphael Geissert <geissert@debian.org>, 618489@bugs.debian.org
Cc: Stephane Chazelas <stephane.chazelas@seebyte.com>
Subject: Re: [php-maint] Bug#618489: Bug#618489: Bug#618489: Bug#618489: Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5
Date: Fri, 18 Mar 2011 07:26:25 +0100

On Thu, 2011-03-17 at 20:18 -0600, Raphael Geissert wrote:
> 
> My opinion is to only make the -delete change in old/stable. Making
> any of the other changes would change current behaviour and has the
> risk of breaking setups (even if they rely on undocumented behaviour.)
> 
> Unless there's any compelling argument to do make those changes with
> the risk of breaking setups, I'm going to release the DSA without
> them.

okay, no objection here.  sounds like you're on top of things so i'll
just leave you to it :)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Fri, 18 Mar 2011 15:00:05 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 18 Mar 2011 15:00:05 GMT)


Message #64 received at 618489@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: 618489@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [debian/debian-sid] CVE-2011-0441: Be more careful when removing session files (Closes: #618489)
Date: Fri, 18 Mar 2011 14:56:46 +0000

tag 618489 pending
thanks

Date: Fri Mar 18 13:40:48 2011 +0100
Author: Ondřej Surý <ondrej@sury.org>
Commit ID: d09fd04ed7bfcf7f008360c6a42025108925df09
Commit URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=d09fd04ed7bfcf7f008360c6a42025108925df09
Patch URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09

    CVE-2011-0441: Be more careful when removing session files (Closes: #618489)




Added tag(s) pending. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Fri, 18 Mar 2011 15:00:09 GMT)


Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Fri, 18 Mar 2011 22:06:17 GMT)


Notification sent to Stephane Chazelas <stephane.chazelas@seebyte.com>:
Bug acknowledged by developer. (Fri, 18 Mar 2011 22:06:17 GMT)


Message #71 received at 618489-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 618489-close@bugs.debian.org
Subject: Bug#618489: fixed in php5 5.3.6-1
Date: Fri, 18 Mar 2011 22:03:08 +0000

Source: php5
Source-Version: 5.3.6-1

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache2-mod-php5_5.3.6-1_amd64.deb
  to main/p/php5/libapache2-mod-php5_5.3.6-1_amd64.deb
libapache2-mod-php5filter_5.3.6-1_amd64.deb
  to main/p/php5/libapache2-mod-php5filter_5.3.6-1_amd64.deb
php-pear_5.3.6-1_all.deb
  to main/p/php5/php-pear_5.3.6-1_all.deb
php5-cgi_5.3.6-1_amd64.deb
  to main/p/php5/php5-cgi_5.3.6-1_amd64.deb
php5-cli_5.3.6-1_amd64.deb
  to main/p/php5/php5-cli_5.3.6-1_amd64.deb
php5-common_5.3.6-1_amd64.deb
  to main/p/php5/php5-common_5.3.6-1_amd64.deb
php5-curl_5.3.6-1_amd64.deb
  to main/p/php5/php5-curl_5.3.6-1_amd64.deb
php5-dbg_5.3.6-1_amd64.deb
  to main/p/php5/php5-dbg_5.3.6-1_amd64.deb
php5-dev_5.3.6-1_amd64.deb
  to main/p/php5/php5-dev_5.3.6-1_amd64.deb
php5-enchant_5.3.6-1_amd64.deb
  to main/p/php5/php5-enchant_5.3.6-1_amd64.deb
php5-fpm_5.3.6-1_amd64.deb
  to main/p/php5/php5-fpm_5.3.6-1_amd64.deb
php5-gd_5.3.6-1_amd64.deb
  to main/p/php5/php5-gd_5.3.6-1_amd64.deb
php5-gmp_5.3.6-1_amd64.deb
  to main/p/php5/php5-gmp_5.3.6-1_amd64.deb
php5-imap_5.3.6-1_amd64.deb
  to main/p/php5/php5-imap_5.3.6-1_amd64.deb
php5-interbase_5.3.6-1_amd64.deb
  to main/p/php5/php5-interbase_5.3.6-1_amd64.deb
php5-intl_5.3.6-1_amd64.deb
  to main/p/php5/php5-intl_5.3.6-1_amd64.deb
php5-ldap_5.3.6-1_amd64.deb
  to main/p/php5/php5-ldap_5.3.6-1_amd64.deb
php5-mcrypt_5.3.6-1_amd64.deb
  to main/p/php5/php5-mcrypt_5.3.6-1_amd64.deb
php5-mysql_5.3.6-1_amd64.deb
  to main/p/php5/php5-mysql_5.3.6-1_amd64.deb
php5-odbc_5.3.6-1_amd64.deb
  to main/p/php5/php5-odbc_5.3.6-1_amd64.deb
php5-pgsql_5.3.6-1_amd64.deb
  to main/p/php5/php5-pgsql_5.3.6-1_amd64.deb
php5-pspell_5.3.6-1_amd64.deb
  to main/p/php5/php5-pspell_5.3.6-1_amd64.deb
php5-recode_5.3.6-1_amd64.deb
  to main/p/php5/php5-recode_5.3.6-1_amd64.deb
php5-snmp_5.3.6-1_amd64.deb
  to main/p/php5/php5-snmp_5.3.6-1_amd64.deb
php5-sqlite_5.3.6-1_amd64.deb
  to main/p/php5/php5-sqlite_5.3.6-1_amd64.deb
php5-sybase_5.3.6-1_amd64.deb
  to main/p/php5/php5-sybase_5.3.6-1_amd64.deb
php5-tidy_5.3.6-1_amd64.deb
  to main/p/php5/php5-tidy_5.3.6-1_amd64.deb
php5-xmlrpc_5.3.6-1_amd64.deb
  to main/p/php5/php5-xmlrpc_5.3.6-1_amd64.deb
php5-xsl_5.3.6-1_amd64.deb
  to main/p/php5/php5-xsl_5.3.6-1_amd64.deb
php5_5.3.6-1.diff.gz
  to main/p/php5/php5_5.3.6-1.diff.gz
php5_5.3.6-1.dsc
  to main/p/php5/php5_5.3.6-1.dsc
php5_5.3.6-1_all.deb
  to main/p/php5/php5_5.3.6-1_all.deb
php5_5.3.6.orig.tar.gz
  to main/p/php5/php5_5.3.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 618489@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 18 Mar 2011 15:51:50 +0100
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-fpm php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-imap php5-interbase php5-intl php5-ldap php5-mcrypt php5-mysql php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source amd64 all
Version: 5.3.6-1
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-enchant - Enchant module for php5
 php5-fpm   - server-side, HTML-embedded scripting language (FPM-CGI binary)
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-intl  - internationalisation module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 546164 581170 601243 603012 615770 618489
Changes: 
 php5 (5.3.6-1) unstable; urgency=low
 .
   * Imported Upstream version 5.3.6
     + PEAR updated to 1.9.2 (CVE-2011-1072)
   * Cherry-pick CVE-2011-1144 from PEAR 1.9.3 (Closes: #546164)
   * Debian packaging:
     + Start using pristine-tar
     + Remove patches merged upstream or otherwise deprecated
     + Move php5-fpm.postrm extras to debian/rules
   * FPM SAPI changes:
     + Set initial chdir to /tmp in www pool (Closes: #601243)
     + Rename main configuration file to php-fpm.conf to match upstream
     + Enable error reporting in init.d file
     + Patch FPM SAPI to use Debian php-fpm.conf as default
   * Fix regression with missing CRYPT_SALT_LENGTH (Closes: #603012)
   * Generate SHA512 salt string when provided salt is null (Closes: #581170)
   * Fix FTBFS with gold or ld --no-add-needed (Closes: #615770)
   * Don't mmap large >4GB files
   * CVE-2011-0441: Be more careful when removing session files
     (Closes: #618489)
Checksums-Sha1: 
Checksums-Sha256: 
 541da803c491e1b1f130795726da0eca6f385dd09423ec226fa0929a9739999c 2768 php5_5.3.6-1.dsc
 521a9d140b4cab324aeceed31409a797de20680842071016d60cc5ae3cc9462e 14368718 php5_5.3.6.orig.tar.gz
 0d1102f5c6f0c38d0e9f8a17fe6cc040c2cfbac132ccdfa7ab7852fe21e08bab 188922 php5_5.3.6-1.diff.gz
 3434953ca189a4ec00e57fde3500d3fc340bd648163c43bdea9559bf0756363b 555076 php5-common_5.3.6-1_amd64.deb
 80a52be523cad7c919f4c460d4b7a4f9dfa066f19d76e59ae9b45fe5dea80c77 3089428 libapache2-mod-php5_5.3.6-1_amd64.deb
 460b829b0b6ab4eef283b464805b82a93bac612add7e86ed12d65dc1d72ade02 3088008 libapache2-mod-php5filter_5.3.6-1_amd64.deb
 b03339908d984460cd2912d7825924c640ef614f33fc605d38a413f688d30e8d 5995188 php5-cgi_5.3.6-1_amd64.deb
 8ecbabfedd188144d0aa882340a97165c40987f2e8d7af44cb75912369f50cb4 2994576 php5-cli_5.3.6-1_amd64.deb
 ceaccaeb6b70718793c23c85f884dd61daae5cf3ccf873dba0bdbcb3267e04ca 3032582 php5-fpm_5.3.6-1_amd64.deb
 9a6ca1c3de6cba96b15135b21c902945ac70e6cd9223899991c3859729dce082 411614 php5-dev_5.3.6-1_amd64.deb
 4bfcd094eac19db64dd16eedc22a4dc4092ae2875795403e4820c6c3c786fa5e 12784592 php5-dbg_5.3.6-1_amd64.deb
 a7889e55262179a51c7f054608a44acf9f9914c3af8a86cbffba5eb173d27e30 27382 php5-curl_5.3.6-1_amd64.deb
 1803fb312f9d22d66d5b42dde5c299e079a392f519c5f5d6178f2e7c0cb7e53e 9124 php5-enchant_5.3.6-1_amd64.deb
 dd4f93487031468d449c3f95a5a6c6b679941224539a7e1f0122972a346bc3f0 39660 php5-gd_5.3.6-1_amd64.deb
 9ae892b6a11a12cbcb61630d41bafb1a0f389da74f383b80bc392f2934477d4d 16582 php5-gmp_5.3.6-1_amd64.deb
 55a3f4bc0157632d3d1d26a8dfa696647806504ab3548dea8b450cb7bc95f3a1 35768 php5-imap_5.3.6-1_amd64.deb
 cfec79678acaa7d4c44cf8bffd2095f95dc5822cb87cc16280e6401e88dc0dac 50082 php5-interbase_5.3.6-1_amd64.deb
 de00b2edafaf3550a823677beb63db331c2f8c081db8eae8a966f41065f11511 61368 php5-intl_5.3.6-1_amd64.deb
 a4ebae57000f491969103d8165989024b04f808cbd01902c5dc9fc1786b00ea3 19970 php5-ldap_5.3.6-1_amd64.deb
 e4e3494bd865b25763a49d223f75c0f2babf25b9bad8df3d0155a14812c6f560 15362 php5-mcrypt_5.3.6-1_amd64.deb
 7fb2036f68ccfdc3bd62e4a81f4f9efbb6c37d5ef7a6a6fea902cbcac701e44d 77768 php5-mysql_5.3.6-1_amd64.deb
 b282913d65b3dd263863f0fe0c4e5aa81a6424d59cc73ad45f24c63e2165f9cd 36820 php5-odbc_5.3.6-1_amd64.deb
 3cf841fe7d3ad6b0a2ec31bc0f4cd1c26d1f363b157e12b7bb1eb0bdbe2e52bb 61138 php5-pgsql_5.3.6-1_amd64.deb
 036c512a03083bd7554b9d71a014de8d09bd2f0958890df26e82d8f72a744be9 8410 php5-pspell_5.3.6-1_amd64.deb
 386c035aff336861f7699eed00a97c792a5f63445a2f7213cd81644ea777b067 4348 php5-recode_5.3.6-1_amd64.deb
 78f6947e5aac2d55c145c05f428a4ee877a80621fb09b3f807e5d0d389ef01f2 11158 php5-snmp_5.3.6-1_amd64.deb
 13c6ff3085cf013759c8cde501ac18e12569e2f890ec88f7a3b846e795e40eb4 57182 php5-sqlite_5.3.6-1_amd64.deb
 7752553a02cbe76cf59473bd2fe3060369362d7c2884ff9f256fda9ecc71d91c 26918 php5-sybase_5.3.6-1_amd64.deb
 c56972ee80e216459c0b2fa3346615d475b0c29187c88134b334d4c8e68b678c 18468 php5-tidy_5.3.6-1_amd64.deb
 5da23e07f73c0a96d4f60057a225b4f2c2b66651a5e53656519e2ce8c9146156 35720 php5-xmlrpc_5.3.6-1_amd64.deb
 91256dfe493a7467dcee1b4fc96ac985997e840d1313226e17b7d0bb42c0b9a9 13662 php5-xsl_5.3.6-1_amd64.deb
 ddcd29fae4f3ede7bb78404bcc0a33bcd44bfe41f0be627c8bd9a64e6603c5f6 1058 php5_5.3.6-1_all.deb
 22f42b16a74aa206193bd97e8a48b973907bbcfc4e4e883cac3f5a3a23427724 366050 php-pear_5.3.6-1_all.deb
Files: 
 c5caae5a6ea1b44e6616198994e51841 2768 php optional php5_5.3.6-1.dsc
 88a2b00047bc53afbbbdf10ebe28a57e 14368718 php optional php5_5.3.6.orig.tar.gz
 d9f6365a2e1f3849a4ddfea61d9f92c1 188922 php optional php5_5.3.6-1.diff.gz
 9c21d652b09e32d090b077c071c01bb1 555076 php optional php5-common_5.3.6-1_amd64.deb
 24ea20c13e6a780acd5aa3dd358104a7 3089428 httpd optional libapache2-mod-php5_5.3.6-1_amd64.deb
 1c99432aaa3f391f060f1547715034cd 3088008 httpd optional libapache2-mod-php5filter_5.3.6-1_amd64.deb
 1391c85b75ea78229691546bd68c6204 5995188 php optional php5-cgi_5.3.6-1_amd64.deb
 d8c4ba74d3d0d37e21e0150ace2d29ba 2994576 php optional php5-cli_5.3.6-1_amd64.deb
 aff106de467354cf7bc4f7d85553f4a7 3032582 php optional php5-fpm_5.3.6-1_amd64.deb
 3584ff0dd9f2a5f6b9bac8b31b322978 411614 php optional php5-dev_5.3.6-1_amd64.deb
 e4e73d556e2917f2edff95224986209b 12784592 debug extra php5-dbg_5.3.6-1_amd64.deb
 ea4e5485183b8fa6b5b39ecd338787aa 27382 php optional php5-curl_5.3.6-1_amd64.deb
 93c578e055301e376cb98e37e63cefbf 9124 php optional php5-enchant_5.3.6-1_amd64.deb
 eaf69c32a867ec44f7fde9870b0014fe 39660 php optional php5-gd_5.3.6-1_amd64.deb
 87c0fd21b859ea728575e3805d611539 16582 php optional php5-gmp_5.3.6-1_amd64.deb
 e99575af4d000adb1b62766c1035a2e7 35768 php optional php5-imap_5.3.6-1_amd64.deb
 c61aa8f686d4dfefcc770f6b25a7c45f 50082 php optional php5-interbase_5.3.6-1_amd64.deb
 9e9b0d5fa8dbc426589ffed2980ddc11 61368 php optional php5-intl_5.3.6-1_amd64.deb
 6a54b54ecc94da5457f37c9bc5604f13 19970 php optional php5-ldap_5.3.6-1_amd64.deb
 9319f1f34cb626b81f3011ed05cfec76 15362 php optional php5-mcrypt_5.3.6-1_amd64.deb
 6f0d186a91e15498dca983c8dd67355a 77768 php optional php5-mysql_5.3.6-1_amd64.deb
 8f2cf7d7a2c3e0abb46749ee7f48c46d 36820 php optional php5-odbc_5.3.6-1_amd64.deb
 fe131ab767a611efcd41264134a5edb3 61138 php optional php5-pgsql_5.3.6-1_amd64.deb
 657943a76100576f4a02035e16189fe8 8410 php optional php5-pspell_5.3.6-1_amd64.deb
 216ef42422fdcc83ad84c066925ded87 4348 php optional php5-recode_5.3.6-1_amd64.deb
 6d35834b5f69770e40cb9ee2fff50cf6 11158 php optional php5-snmp_5.3.6-1_amd64.deb
 fb48a361614c9f5fc4d3ce721ee67414 57182 php optional php5-sqlite_5.3.6-1_amd64.deb
 a0a7c60f80b84c42cbdd6383f4be18eb 26918 php optional php5-sybase_5.3.6-1_amd64.deb
 42131f7103c4a9673f3b4c88d59eaad0 18468 php optional php5-tidy_5.3.6-1_amd64.deb
 7fd9764f79e614bf177b88735e48e7af 35720 php optional php5-xmlrpc_5.3.6-1_amd64.deb
 348dde8ed31748aa01039c4944733ba5 13662 php optional php5-xsl_5.3.6-1_amd64.deb
 9fb0eb4d3403ee665c8931f6c04b1f8c 1058 php optional php5_5.3.6-1_all.deb
 9741061e11b96b6ae2684771d4cca54f 366050 php optional php-pear_5.3.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk2Dx1oACgkQ9OZqfMIN8nNQ9wCeO60H+mYjSuh4pdRex3D5dlmo
EKQAnAjcR9UIqpuJ0hkDT77i4pSG7i9S
=i7ya
-----END PGP SIGNATURE-----
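
The changelog entry above says only that the session sweep became "more careful". The following is an added example, not the Debian package's own cron job or its sessionclean helper, of the two properties a defender wants such a sweep to have: it only ever unlinks regular files that sit directly in the session directory (so nothing reachable through a user-created subdirectory is ever a candidate), and it lets find(1) unlink each entry itself rather than handing a list of path names to rm through xargs, which removes the window in which a path can be re-pointed between listing and deletion. The function names, the fixture layout and the use of modification time (`-mmin`, so the test can age files with `touch -t`; the Debian job judged by change time with `-cmin`) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the Debian package's own code): a session-directory
# sweeper restricted to top-level regular files, using find's own -delete.

# clean_sessions DIR MINUTES
# Removes regular files directly inside DIR whose modification time is
# older than MINUTES. Refuses to run on a symlink or a non-directory.
clean_sessions() {
    dir=$1
    maxmin=$2
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    # -mindepth 1 -maxdepth 1: never descend into subdirectories, so a file
    # such as DIR/foo/passwd is never even considered.
    # -type f: only regular files, never directories or symlinks.
    # -delete: find unlinks the entry relative to the directory it is
    # walking, instead of re-resolving a path name handed to rm later.
    # (-mmin is assumed here; the Debian cron job used -cmin.)
    find "$dir" -mindepth 1 -maxdepth 1 -type f -mmin "+$maxmin" -delete
}

# make_fixture: builds a constructed session directory with one stale
# top-level file, one fresh top-level file, and a stale file inside a
# subdirectory that the sweeper must never touch. Prints the directory.
make_fixture() {
    fixture=$(mktemp -d)
    echo 'old' > "$fixture/sess_old"
    echo 'new' > "$fixture/sess_new"
    mkdir "$fixture/sub"
    echo 'nested' > "$fixture/sub/passwd"
    # Date the stale files to 2000-01-01 so they are well past any lifetime.
    touch -t 200001010000 "$fixture/sess_old" "$fixture/sub/passwd"
    printf '%s\n' "$fixture"
}

# check_sweep: returns 0 when a 60-minute sweep on the fixture removed
# exactly the stale top-level file and nothing else.
check_sweep() {
    d=$(make_fixture)
    clean_sessions "$d" 60
    if [ ! -e "$d/sess_old" ] && [ -e "$d/sess_new" ] && [ -e "$d/sub/passwd" ]; then
        result=0
    else
        result=1
    fi
    rm -rf "$d"
    return $result
}

# check_symlink_refused: returns 0 when the sweeper declines to operate on a
# symlink standing in for the session directory.
check_symlink_refused() {
    target=$(mktemp -d)
    link="$target/link"
    ln -s "$target" "$link"
    if clean_sessions "$link" 60; then
        result=1
    else
        result=0
    fi
    rm -rf "$target"
    return $result
}
```

Run `check_sweep` to see the sweep leave the nested file and the fresh file in place; `check_symlink_refused` shows the directory check rejecting a symlinked session directory.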

Bug Marked as found in versions 5.2.6.dfsg.1-1. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Sat, 19 Mar 2011 00:45:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#618489; Package php5-common. (Sun, 20 Mar 2011 01:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 20 Mar 2011 01:30:03 GMT) (full text, mbox, link).


Message #78 received at 618489@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 618489@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [debian/debian-lenny] Fix CVE-2011-0441: arbitrary files removal via cronjob (Closes #618489)
Date: Sun, 20 Mar 2011 01:27:26 +0000
tag 618489 pending
thanks

Date: Fri Mar 18 18:33:09 2011 -0600
Author: Raphael Geissert <geissert@debian.org>
Commit ID: 236533b4fe16ea4109a651a1ce9b8d7334b86980
Commit URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=236533b4fe16ea4109a651a1ce9b8d7334b86980
Patch URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff_plain;h=236533b4fe16ea4109a651a1ce9b8d7334b86980

    Fix CVE-2011-0441: arbitrary files removal via cronjob (Closes #618489)

Added tag(s) pending. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Sun, 20 Mar 2011 01:30:08 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Jun 2011 07:36:34 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:06:32 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.