Package: php5-common
Version: 5.4.4-14+deb7u14
Tags: security

/usr/lib/php5/sessionclean from [1] enables any process allowed to create entries in /var/lib/php5 to adjust the modification time of any file by waiting for the /etc/cron.d/php5 session cleanup job to run. This requires /proc/sys/fs/protected_symlinks to be set to 0 (off), which is not the default in Debian 7 Wheezy and up according to information from Debian security team.

Even for affected systems, the impact might be small, just annoying:

* backup/IDS might be unhappy when file modification time is changed every 30min
* some spoolers might work differently since stale file could be prevented from reaching required age for next action
* some privileged /proc or /sys entries might not handle modification time update correctly or react in a strange way
* Sudo credentials cache might be affected (not checked)

To my judgement, the session cleanup code does _NOT_ allow to create arbitrary files ("touch -c" is used), hence it would not be possible to use this to create e.g. /etc/suid-debug

POC:

    su -s /bin/bash nobody
    cd /var/lib/php5
    ln -s /etc/passwd xxx
    cat > "xxx yyy"
    # wait

[1] http://http.us.debian.org/debian/pool/main/p/php5/php5-common_5.4.4-14+deb7u14_i386.deb
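
An audit sketch for the condition described in the report, added here as an example and not taken from the report or from the php5 package: it reports whether protected_symlinks is off and lists session-directory entries that match the PoC's shape (a symlink, or a name containing whitespace). The function names and the default directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added audit example (not part of the original report or of php5-common).
# Paths are parameters so the checks can run against a constructed directory.

# protected_symlinks_state [SYSCTL_FILE] -> prints on | off | unknown
protected_symlinks_state() {
    f=${1:-/proc/sys/fs/protected_symlinks}
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            0) echo off ;;   # the precondition named in the report
            *) echo on ;;
        esac
    else
        echo unknown         # file absent or unreadable on this system
    fi
}

# audit_session_dir DIR -> one "kind<TAB>path" line per suspicious entry
audit_session_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # A session store should hold regular files only; the PoC plants a symlink.
    find "$dir" -mindepth 1 -maxdepth 1 -type l \
        -exec printf 'symlink\t%s\n' {} \;
    # The PoC pairs that symlink with a file whose name contains a space.
    find "$dir" -mindepth 1 -maxdepth 1 -name '*[[:space:]]*' \
        -exec printf 'whitespace\t%s\n' {} \;
}

# report [DIR] [SYSCTL_FILE] -> sysctl state followed by the findings
report() {
    echo "protected_symlinks: $(protected_symlinks_state "${2:-}")"
    audit_session_dir "${1:-/var/lib/php5}"
}
```

Call `report` as root (the session directory is normally not listable by other users) before the next cleanup run; any output line after the first is worth inspecting.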