Re: [SECURITY] [DSA 3074-1] php5 security update

2014-11-19 Thread Sébastien NOBILI
Hi,

On Wednesday 19 November 2014 at 7:59, Yves-Alexis Perez wrote:
 Yes, we're aware of that and working on a quick regression update.

Thanks for this (quick) update!

Seb


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/20141119120455.ge13...@sebian.nob900.homeip.net



Re: [SECURITY] [DSA 3074-1] php5 security update

2014-11-18 Thread Christoph Biedl
Yves-Alexis Perez wrote...

 -
 Debian Security Advisory DSA-3074-1   secur...@debian.org
 http://www.debian.org/security/ Yves-Alexis Perez
 November 18, 2014  http://www.debian.org/security/faq
 -
 
 Package: php5
 CVE ID : CVE-2014-3710
 Debian Bug : 68283

Um, that number is wrong. It isn't #768283 either.


Worse, that update broke things:

| From: root@host-redacted (Cron Daemon)
| To: root@host-redacted
| Subject: Cron root@host-redacted   [ -x /usr/lib/php5/maxlifetime ] && [ -x /usr/lib/php5/sessionclean ] && [ -d /var/lib/php5 ] && /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime)
| 
| sed: invalid option -- 'z'
| Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]...
| 
|   -n, --quiet, --silent
|  suppress automatic printing of pattern space

The -z option isn't available in the wheezy version of sed. For the
record, this is the change in sessionclean:

--- /tmp/sessionclean   2014-10-20 11:03:53.0 +0200
+++ /usr/lib/php5/sessionclean  2014-11-18 08:02:56.0 +0100
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # first find all used files and touch them (hope it's not massive amount of 
files)
-[ -x /usr/bin/lsof ]  /usr/bin/lsof -w -l +d ${1} | awk -- '{ if (NR  1) 
{ print $9; } }' | xargs -i touch -c {}
+[ -x /usr/bin/lsof ]  /usr/bin/lsof -w -l +d ${1} -F0 | sed -zne s/^n//p 
| xargs -0i echo touch -c -h '{}'
 
 # find all files older then maxlifetime
 find ${1} -depth -mindepth 1 -maxdepth 1 -ignore_readdir_race -type f -cmin 
+${2} -delete
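Review bot: the `+` line in this hunk pipes the names into `echo`, so `touch -c -h` is only printed and never run; files that are in use therefore keep their old ctime and the `find ${1} ... -cmin +${2} -delete` below this hunk will still delete them once they pass maxlifetime. Drop the `echo`. The same line also depends on `sed -z`, and the cron mail quoted above this hunk shows wheezy's sed rejects it (`sed: invalid option -- 'z'`), so on wheezy the pipeline aborts before `xargs` even with the `echo` removed. If the NUL-safe `-F0` / `xargs -0` form is to be kept, the `n`-field filter has to use something wheezy ships, for example `tr '\0' '\n' | sed -ne 's/^n//p' | tr '\n' '\0'` (acceptable here because session files are named sess_<id> and never contain a newline), or the script has to probe for `-z` before using it. The `[ -x /usr/bin/lsof ]` guard is unchanged, so a host without lsof still touches nothing, as before.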

Regards,

Christoph


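The step that broke, "touch every session file lsof reports as open", done without depending on `sed -z`. This is an added example, not Debian's sessionclean and not code from anyone in this thread: it probes the local sed for `-z`, uses it when present, and otherwise filters the `lsof -F0` stream with `tr` and a classic `sed -n` so the same script works on wheezy's sed 4.2.1. The shape of the `lsof -F0` stream (a sequence of NUL-terminated fields, the file name field starting with `n`) and the sample stream itself are assumptions made for the example; the function names are invented for it.

```shell
#!/bin/sh
# Added example, not Debian's sessionclean. Extracts the 'n' (name) fields
# from NUL-terminated `lsof -F0` output and touches those files, with a
# fallback for a sed that has no -z option (wheezy's sed 4.2.1).
# Assumption: the lsof -F0 stream is a series of NUL-terminated fields and
# the file name field starts with 'n' (what `sed -zne 's/^n//p'` relies on).

# Probe whether this sed understands -z; the exit status is the answer.
sed_has_z() {
    printf 'x\0' | sed -z 's/x/y/' >/dev/null 2>&1
}

# Filter the name fields out of a NUL-terminated field stream on stdin and
# emit them NUL-terminated on stdout, ready for `xargs -0`.
# Pass "portable" as $1 to force the fallback even when sed has -z.
lsof_names() {
    if [ "${1:-}" != portable ] && sed_has_z; then
        sed -zne 's/^n//p'
    else
        # Fallback for sed without -z: NUL -> newline, filter with classic
        # sed, newline -> NUL. A name containing a literal newline would be
        # split here; PHP names session files sess_<id>, so that cannot
        # happen in the directory being cleaned.
        tr '\0' '\n' | sed -ne 's/^n//p' | tr '\n' '\0'
    fi
}

# Touch the names found on stdin. -c does not create files that vanished
# between lsof and touch, -h does not follow symlinks, xargs -r runs no
# touch at all when nothing is open (no "missing file operand" noise).
touch_open_sessions() {
    lsof_names "${1:-}" | xargs -0 -r touch -c -h
}

# The real call: feed lsof's output for one session directory to the filter.
# Mirrors the script's guard and silently does nothing when lsof is missing.
touch_open_sessions_in() {
    [ -x /usr/bin/lsof ] || return 0
    /usr/bin/lsof -w -l +d "$1" -F0 | touch_open_sessions "${2:-}"
}

# Constructed sample of an lsof -F0 stream (not captured from a real host):
# one php5 process with the session directory as its cwd and two session
# files open. The directory name passes the filter too, exactly as it would
# through the original sed -z pipeline; touch -c on a directory is harmless.
sample_lsof_stream() {
    printf 'p1234\0cphp5\0fcwd\0n/var/lib/php5\0f12\0n/var/lib/php5/sess_a1\0f13\0n/var/lib/php5/sess_b2\0'
}

# `sh this.sh demo` prints the names found by both code paths, one per line.
if [ "${1:-}" = demo ]; then
    if sed_has_z; then echo "sed -z: available"; else echo "sed -z: not available"; fi
    sample_lsof_stream | lsof_names | tr '\0' '\n'
    sample_lsof_stream | lsof_names portable | tr '\0' '\n'
fi
```

Probing with `sed_has_z` rather than checking the sed version string keeps the script honest on any distribution: it asks the installed binary whether the option exists, which is what the cron job on wheezy effectively did, only too late and without a fallback.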


Re: [SECURITY] [DSA 3074-1] php5 security update

2014-11-18 Thread Mark van Walraven
/usr/lib/php5/sessionclean in the update uses the -z option of sed, but 
sed in wheezy doesn't have that option.


In the update, the critical change:

[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d ${1} -F0 | sed -zne s/^n//p | xargs -0i echo touch -c -h '{}'


previous version:

[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d ${1} | awk -- '{ if (NR > 1) { print $9; } }' | xargs -i touch -c {}


Regards,

Mark.


Archive: https://lists.debian.org/546bc1f5.1060...@mega.co.nz



Re: [SECURITY] [DSA 3074-1] php5 security update

2014-11-18 Thread Christoph Biedl
Christoph Biedl wrote...

 +[ -x /usr/bin/lsof ]  /usr/bin/lsof -w -l +d ${1} -F0 | sed -zne 
 s/^n//p | xargs -0i echo touch -c -h '{}'

Addendum, that echo rather looks like debugging.

Christoph




Re: [SECURITY] [DSA 3074-1] php5 security update

2014-11-18 Thread Daniel Reichelt
Just filed a bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770105

cheers
daniel


Archive: https://lists.debian.org/546bc6d3.9040...@nachtgeist.net



Re: [SECURITY] [DSA 3074-1] php5 security update

2014-11-18 Thread Herman harperink
This update is incompatible with sed and gives some trouble on webservers in 
/usr/lib/php5/sessionclean (invalid option -- z)



 On 18 nov. 2014, at 22:10, Yves-Alexis Perez cor...@debian.org wrote:
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512
 
 - -
 Debian Security Advisory DSA-3074-1   secur...@debian.org
 http://www.debian.org/security/ Yves-Alexis Perez
 November 18, 2014  http://www.debian.org/security/faq
 - -
 
 Package: php5
 CVE ID : CVE-2014-3710
 Debian Bug : 68283
 
 Francisco Alonso of Red Hat Product Security found an issue in the file
 utility, whose code is embedded in PHP, a general-purpose scripting
 language.  When checking ELF files, note headers are incorrectly
 checked, thus potentially allowing attackers to cause a denial of
 service (out-of-bounds read and application crash) by supplying a
 specially crafted ELF file.
 
 As announced in DSA-3064-1 it has been decided to follow the stable
 5.4.x releases for the Wheezy php5 packages. Consequently the
 vulnerability is addressed by upgrading PHP to a new upstream version
 5.4.35, which includes additional bug fixes, new features and possibly
 incompatible changes. Please refer to the upstream changelog for more
 information:
 
 http://php.net/ChangeLog-5.php#5.4.35
 
 For the stable distribution (wheezy), this problem has been fixed in
 version 5.4.35-0+deb7u1.
 
 We recommend that you upgrade your php5 packages.
 
 Further information about Debian Security Advisories, how to apply
 these updates to your system and frequently asked questions can be
 found at: https://www.debian.org/security/
 
 Mailing list: debian-security-annou...@lists.debian.org
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v2
 
 iQEcBAEBCgAGBQJUa7XMAAoJEG3bU/KmdcClzHgH/3sZmgwrWGUenVLcg3c8TWE3
 uPMWOrUcRmPLzkyWuixKKaU1nijwB3EEYknNqGKqT87lLmZIntWF9FoJXfX6mxrg
 UpeSHQTknLPdL8w6gAg2KTFCkua+k8wIOqmW7TSpSHr6LU6Aq6ePkBGzBfEaXWLK
 JbL1HE8/SmfQ5+DWbaxz+g9cb5vJRHUUWGbTs2WotdrBlYho9wz4cSlx9khEIt3V
 B/NJ3Etvl7UMgS7Tii3h0WW+hksrgrXt8itBj7aNtasnFNf3iySlUoEaxeotIugu
 W6chDiuEKYdsq1jDdl0T/GhT2K9UxGIPoTwhvygLbGO20bw1Ux1Ku+r2qSNfryY=
 =0CGm
 -END PGP SIGNATURE-
 
 
 -- 
 To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 Archive: https://lists.debian.org/20141118211042.ga9...@scapa.corsac.net
 


Archive: 
https://lists.debian.org/9ee2152b-8d32-4dc8-89a8-5eaad6581...@harperink.de



Re: [SECURITY] [DSA 3074-1] php5 security update

2014-11-18 Thread Yves-Alexis Perez
On Tue., 2014-11-18 at 22:59 +0100, Christoph Biedl wrote:
 Um, that number is wrong. It isn't #768283 either.

Definitely. This is a PHP bug number…
 
 
 Worse, that update broke things:
 
 | From: root@host-redacted (Cron Daemon)
 | To: root@host-redacted
 | Subject: Cron root@host-redacted
 [ -x /usr/lib/php5/maxlifetime ] && [ -x /usr/lib/php5/sessionclean ] && [ -d /var/lib/php5 ] && /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime)
 | 
 | sed: invalid option -- 'z'
 | Usage: sed [OPTION]... {script-only-if-no-other-script}
 [input-file]...
 | 
 |   -n, --quiet, --silent
 |  suppress automatic printing of pattern space
 
 The -z option isn't available in the wheezy version of sed. For the
 records, this is the change in sessionclean:

Yes, we're aware of that and working on a quick regression update.

Regards,
-- 
Yves-Alexis

