Debian Bug report logs - #766147
php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

Package: php5-common; Maintainer for php5-common is (unknown);

Reported by: Fiedler Roman <Roman.Fiedler@ait.ac.at>

Date: Tue, 21 Oct 2014 07:54:11 UTC

Severity: normal

Tags: security

Found in versions php5/5.4.4-14+deb7u14, php5/5.4.35-0deb7u2

Fixed in versions 5.4.35-0deb7u2, php5/5.4.35-0+deb7u1

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#766147; Package php5-common. (Tue, 21 Oct 2014 07:54:16 GMT).


Acknowledgement sent to Fiedler Roman <Roman.Fiedler@ait.ac.at>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 21 Oct 2014 07:54:16 GMT).


Message #5 received at submit@bugs.debian.org:

From: Fiedler Roman <Roman.Fiedler@ait.ac.at>
To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Date: Tue, 21 Oct 2014 07:52:46 +0000
Package: php5-common 
Version: 5.4.4-14+deb7u14
Tags: security

/usr/lib/php5/sessionclean from [1] enables any process allowed to create
entries in /var/lib/php5 to adjust the modification time of any file by
waiting for the /etc/cron.d/php5 session cleanup job to run. This requires
/proc/sys/fs/protected_symlinks to be set to 0 (off), which is not the
default in Debian 7 Wheezy and up according to information from Debian
security team.

Even for affected systems, the impact might be small, just annoying:

* backup/IDS might be unhappy when file modification time is changed every
30min
* some spoolers might work differently since stale file could be prevented
from reaching required age for next action
* some privileged /proc or /sys entries might not handle modification time
update correctly or react in a strange way
* Sudo credentials cache might be affected (not checked)

To my judgement, the session cleanup code does _NOT_ allow to create
arbitrary files ("touch -c" is used), hence it would not be possible to use
this to create e.g. /etc/suid-debug

POC:

su -s /bin/bash nobody
cd /var/lib/php5
ln -s /etc/passwd xxx
cat > "xxx yyy"
# wait

[1] http://http.us.debian.org/debian/pool/main/p/php5/php5-common_5.4.4-14+deb7u14_i386.deb



Message #10 received at 766147@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Fiedler Roman <Roman.Fiedler@ait.ac.at>, 766147@bugs.debian.org
Subject: Re: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Date: Tue, 21 Oct 2014 10:49:44 +0200
Hi,

TL;DR: "s/touch -c/touch -c -h/", right?

Cheers,
Ondrej



-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server





Message #15 received at 766147@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Fiedler Roman <Roman.Fiedler@ait.ac.at>, 766147@bugs.debian.org
Subject: Re: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Date: Tue, 21 Oct 2014 11:09:05 +0200
On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > From: Ondřej Surý [mailto:ondrej@sury.org]
> > 
> > Hi,
> > 
> > TL;DR: "s/touch -c/touch -c -h/", right?
> 
> This will fix it for arbitrary symlinks, the only remaining issues would
> be
> 
> a) keeping open a file ".. xxxx", which will update the parent directory
> modification time.

Which parent directory? The session dir or the symlink target parent
directory?

> b) keeping open a file "[otherfilename] [random]", which will prevent
> arbitrary other sessions from timing out. Since most likely malicious
> process should be "www-data", this is not of any significance.

The httpd user (www-data) has access to all session files if the
attacker knows the session name.

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server





Message #20 received at 766147@bugs.debian.org:

From: Fiedler Roman <Roman.Fiedler@ait.ac.at>
To: Ondřej Surý <ondrej@sury.org>, "766147@bugs.debian.org" <766147@bugs.debian.org>
Subject: AW: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Date: Tue, 21 Oct 2014 08:55:52 +0000
> From: Ondřej Surý [mailto:ondrej@sury.org]
> 
> Hi,
> 
> TL;DR: "s/touch -c/touch -c -h/", right?

This will fix it for arbitrary symlinks, the only remaining issues would be

a) keeping open a file ".. xxxx", which will update the parent directory modification time.
b) keeping open a file "[otherfilename] [random]", which will prevent arbitrary other sessions from timing out. Since most likely malicious process should be "www-data", this is not of any significance.

[Removed]


Message #25 received at 766147@bugs.debian.org:

From: Fiedler Roman <Roman.Fiedler@ait.ac.at>
To: Ondřej Surý <ondrej@sury.org>, "766147@bugs.debian.org" <766147@bugs.debian.org>
Subject: AW: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Date: Tue, 21 Oct 2014 09:16:01 +0000
> From: Ondřej Surý [mailto:ondrej@sury.org]
> 
> On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > > From: Ondřej Surý [mailto:ondrej@sury.org]
> > >
> > > Hi,
> > >
> > > TL;DR: "s/touch -c/touch -c -h/", right?
> >
> > This will fix it for arbitrary symlinks, the only remaining issues would
> > be
> >
> > a) keeping open a file ".. xxxx", which will update the parent directory
> > modification time.
> 
> Which parent directory? The session dir or the symlink target parent
> directory?

The /var/lib directory: Since the parsing of the lsof output is broken (awk uses "$9"), an open file ".. xxxx" will cause touch -c "/var/lib/php5/.." without involving any symlinks.
 
> > b) keeping open a file "[otherfilename] [random]", which will prevent
> > arbitrary other sessions from timing out. Since most likely malicious
> > process should be "www-data", this is not of any significance.
> 
> The httpd user (www-data) has access to all session files if the
> attacker knows the session name.

Yes, so no relevance with "www-data". But e.g. user "nobody" could prevent any "www-data" session from timing out when knowing the name, just a subtle annoyance.


Message #30 received at 766147@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Fiedler Roman <Roman.Fiedler@ait.ac.at>, 766147@bugs.debian.org
Subject: Re: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Date: Tue, 21 Oct 2014 11:33:48 +0200
On Tue, Oct 21, 2014, at 11:16, Fiedler Roman wrote:
> > From: Ondřej Surý [mailto:ondrej@sury.org]
> > 
> > On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > > > From: Ondřej Surý [mailto:ondrej@sury.org]
> > > >
> > > > Hi,
> > > >
> > > > TL;DR: "s/touch -c/touch -c -h/", right?
> > >
> > > This will fix it for arbitrary symlinks, the only remaining issues would
> > > be
> > >
> > > a) keeping open a file ".. xxxx", which will update the parent directory
> > > modification time.
> > 
> > Which parent directory? The session dir or the symlink target parent
> > directory?
> 
> The /var/lib directory: Since the parsing of the lsof output is
> broken (awk uses "$9"), an open file ".. xxxx" will cause touch -c
> "/var/lib/php5/.." without involving any symlinks.

I see...

[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -Fn | grep -E "^n" | cut -b 2- | xargs -i touch -c -h {}

JFTR jessie&sid has a new script that takes a different approach and
might suffer from the same bug if you manage to open a file in
/var/lib/php5/sessions/ with active php5 process.

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server





Message #35 received at 766147@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Fiedler Roman <Roman.Fiedler@ait.ac.at>, 766147@bugs.debian.org
Subject: Re: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Date: Tue, 21 Oct 2014 12:06:33 +0200
Control: tags -1 +pending

On Tue, Oct 21, 2014, at 11:33, Ondřej Surý wrote:
> On Tue, Oct 21, 2014, at 11:16, Fiedler Roman wrote:
> > > From: Ondřej Surý [mailto:ondrej@sury.org]
> > > 
> > > On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > > > > From: Ondřej Surý [mailto:ondrej@sury.org]
> > > > >
> > > > > Hi,
> > > > >
> > > > > TL;DR: "s/touch -c/touch -c -h/", right?
> > > >
> > > > This will fix it for arbitrary symlinks, the only remaining issues would
> > > > be
> > > >
> > > > a) keeping open a file ".. xxxx", which will update the parent directory
> > > > modification time.
> > > 
> > > Which parent directory? The session dir or the symlink target parent
> > > directory?
> > 
> > The /var/lib directory: Since the parsing of the lsof output is
> > broken (awk uses "$9"), an open file ".. xxxx" will cause touch -c
> > "/var/lib/php5/.." without involving any symlinks.
> 
> I see...

Thanks for the analysis, while the impact is very low, it's worth
updating.

> [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -Fn | grep -E "^n" | cut -b 2- | xargs -i touch -c -h {}

This change will be included in next wheezy update of PHP.

> JFTR jessie&sid has a new script that takes a different approach and
> might suffer from the same bug if you manage to open a file in
> /var/lib/php5/sessions/ with active php5 process.

If you find a similar vulnerability in the new session script, please
open a new bug.

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Added tag(s) pending. Request was from Ondřej Surý <ondrej@sury.org> to 766147-submit@bugs.debian.org. (Tue, 21 Oct 2014 10:09:14 GMT).




Message #42 received at 766147@bugs.debian.org:

From: Fiedler Roman <Roman.Fiedler@ait.ac.at>
To: Ondřej Surý <ondrej@sury.org>, "766147@bugs.debian.org" <766147@bugs.debian.org>
Subject: Re: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Date: Wed, 22 Oct 2014 13:14:36 +0000
> From: Ondřej Surý [mailto:ondrej@sury.org]
> 
> Control: tags -1 +pending
> 
> On Tue, Oct 21, 2014, at 11:33, Ondřej Surý wrote:
> > On Tue, Oct 21, 2014, at 11:16, Fiedler Roman wrote:
> > > > From: Ondřej Surý [mailto:ondrej@sury.org]
> > > >
> > > > On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > > > > > From: Ondřej Surý [mailto:ondrej@sury.org]
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > TL;DR: "s/touch -c/touch -c -h/", right?
> > > > >
> > > > > This will fix it for arbitrary symlinks, the only remaining issues would
> > > > > be
> > > > >
> > > > > a) keeping open a file ".. xxxx", which will update the parent directory
> > > > > modification time.
> > > >
> > > > Which parent directory? The session dir or the symlink target parent
> > > > directory?
> > >
> > > The /var/lib directory: Since the parsing of the lsof output is
> > > broken (awk uses "$9"), an open file ".. xxxx" will cause touch -c
> > > "/var/lib/php5/.." without involving any symlinks.
> >
> > I see...
> 
> Thanks for the analysis, while the impact is very low, it's worth
> updating.
> 
> > [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -Fn | grep -E "^n" | cut -b 2- | xargs -i touch -c -h {}
> 
> This change will be included in next wheezy update of PHP.

No, this seems not to solve it (I hope I haven't screwed something up while testing), consider the sequence (PID ordering is important!):

mkdir -p $'/var/lib/php5/xxx\n/var/lib'
ln -s /etc $'/var/lib/php5/xxx\n/var/lib/php5'
sleep 1000 > '/var/lib/php5/xxx\' &
sleep 1000 > /var/lib/php5/passwd &

Even touch -h does not help here, only kernel symlink protection prevents damage.

But maybe this is a problem with xargs usage? If it is an xargs-bug this would have a much broader scope, more another topic for security@d.

> > JFTR jessie&sid has a new script that takes a different approach and
> > might suffer from the same bug if you manage to open a file in
> > /var/lib/php5/sessions/ with active php5 process.
> 
> If you find a similar vulnerability in the new session script, please
> open a new bug.

Looking at the new script, I guess that it should be possible for any user allowed to write to sessions to update any file he has read access to it. But of course, it is not so simple as with old script.

To prove this, I would have to prepare a machine with sid (unless you have one ready with remote SSH for testing)


Message #47 received at 766147@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Fiedler Roman <Roman.Fiedler@ait.ac.at>, 766147@bugs.debian.org
Subject: Re: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Date: Wed, 22 Oct 2014 16:33:41 +0200
This should then fix even your case...

[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "/var/lib/php5" -F0 | sed -zne "s/^n//p" | xargs -0i echo touch -c -h "'{}'"

touch -c -h '/var/lib/php5/xxx\'
touch -c -h 'n/var/lib/php5/passwd'

Right?

Cheers,
Ondrej



-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server





Message #52 received at 766147@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Fiedler Roman <Roman.Fiedler@ait.ac.at>, 766147@bugs.debian.org
Subject: Re: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Date: Wed, 22 Oct 2014 16:35:54 +0200
On Wed, Oct 22, 2014, at 15:14, Fiedler Roman wrote:
> To prove this, I would have to prepare a machine with sid (unless you
> have one ready with remote SSH for testing)

You don't really need a sid machine, just copy the script from the
package.

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server





Message #57 received at 766147@bugs.debian.org:

From: Fiedler Roman <Roman.Fiedler@ait.ac.at>
To: Ondřej Surý <ondrej@sury.org>, "766147@bugs.debian.org" <766147@bugs.debian.org>
Subject: Re: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Date: Wed, 22 Oct 2014 16:03:51 +0000
> From: Ondřej Surý [mailto:ondrej@sury.org]
> 
> This should then fix even your case...
> 
> [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "/var/lib/php5" -F0 | sed -zne "s/^n//p" | xargs -0i echo touch -c -h "'{}'"
> 
> touch -c -h '/var/lib/php5/xxx\'
> touch -c -h 'n/var/lib/php5/passwd'

Looks really good, I'm at my wits end with any more comments/improvements.

Only things I could think of

* strange behaviour with multibyte encodings (never dealt with that on C level)
* lsof peculiarities I did not notice till now (e.g. races)

[Snip]

Marked as found in versions php5/5.4.35-0deb7u2. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 08:45:29 GMT).


Marked as fixed in versions php5/5.4.35-0deb7u1. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 08:45:30 GMT).




Message #66 received at 766147@bugs.debian.org:

From: Bernard Massot <bmassot@free.fr>
To: 766147@bugs.debian.org
Subject: Re: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled
Date: Wed, 19 Nov 2014 10:33:21 +0100
On 21/10/2014 at 12:06, Ondřej Surý wrote:
> This change will be included in next wheezy update of PHP.
Debian Wheezy has Sed 4.2.1, whereas "-z" option was added in Sed 4.2.2.
As a consequence /usr/lib/php5/sessionclean is broken on Debian Stable!

Please fix.
-- 
Bernard Massot



Marked as fixed in versions 5.4.35-0deb7u2. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:52 GMT).


Marked as found in versions php5/5.4.35-0+deb7u1. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:53 GMT).


Merged 766147 770105 770108 770150 770151 770156 770164 Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:57 GMT).


Disconnected #766147 from all other report(s). Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:54:04 GMT).


No longer marked as fixed in versions php5/5.4.35-0deb7u1. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 11:03:10 GMT).




Message #81 received at 766147@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: 766147@bugs.debian.org
Subject: Fwd: Re: Fixed php5 package for CVE-2014-3710
Date: Wed, 19 Nov 2014 12:08:48 +0100
Hi,

this is a suggestion from Stefan Fritsch how to improve the security of
the script even without "sed -z".

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

----- Original message -----
From: Stefan Fritsch <sf@sfritsch.de>
To: Ondřej Surý <ondrej@sury.org>
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Fixed php5 package for CVE-2014-3710
Date: Wed, 19 Nov 2014 12:00:55 +0100 (CET)

On Wed, 19 Nov 2014, Ondřej Surý wrote:
> -[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -F0 | sed -zne
> "s/^n//p" | xargs -0i echo touch -c -h "'{}'"
> +[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" | awk -- '{ if
> (NR > 1) { print $9; } }' | xargs -i touch -c {}
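
Review bot: the `+` line goes back to `awk ... print $9` feeding `xargs -i touch -c {}`, which drops both the NUL-delimited `-F0` parsing and `touch -h` that the `-` line had, so a name containing whitespace is cut at field 9 and a symlink entry is followed again, the two behaviours this report was opened for. If the aim is only to avoid `sed -z`, which wheezy's sed lacks, keep `-F0` and `-h`, swap the sed step for a NUL-aware filter that exists on wheezy, and end the pipeline with `xargs -0 -r touch -c -h`. The `echo` and the `'{}'` quoting on the `-` line should go too, since with `echo` in place nothing is touched at all.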

What is the echo in there for? That seems wrong. Also escaping arguments 
with ' ' is insecure, filenames may contain single quotes, too. Much 
better to let xargs do the splitting of the args.

You can use perl to replace the sed -z, though:

[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -F0 | perl -0 -n -e 's/^n// and print'|xargs -0 -r touch -c -h

xargs -r: If the standard input does not contain any nonblanks, do not run the command.

xargs -i is not necessary because the args are at the end of the command.

Cheers,
Stefan
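
The name-parsing problem and the NUL-delimited approach discussed in this thread, as an added example that is not part of the bug report or of the Debian package: it runs the quoted `awk` field-9 extraction over a constructed `lsof`-style listing, then shows a filter that passes on only NUL-terminated paths naming regular files directly inside the session directory before they reach `touch -c -h`. The function names, the sample listing and the extra direct-child check are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; not the packaged /usr/lib/php5/sessionclean.
# Function names and the sample listing are assumptions for this example.

# Constructed lsof-style column listing for session directory $1.
# NAME is the ninth whitespace-separated column.
sample_listing() {
    printf 'COMMAND  PID  USER  FD TYPE DEVICE SIZE/OFF NODE NAME\n'
    printf 'php5    1201    33  3u  REG    8,1       42  101 %s/sess_abc\n' "$1"
    printf 'cat     1302 65534  1w  REG    8,1        0  102 %s/xxx yyy\n' "$1"
}

# Name extraction with the awk program quoted in this thread: a name that
# contains a blank is cut at the blank, so "xxx yyy" is reported as "xxx".
names_by_field9() {
    awk -- '{ if (NR > 1) { print $9; } }'
}

# Read NUL-terminated paths on stdin and write back, NUL-terminated, only
# regular files that sit directly in session directory $1. Entries outside
# the directory, ".", "..", nested paths and symlinks are dropped.
filter_session_names() {
    xargs -0 sh -c '
        dir=$1; shift
        for path in "$@"; do
            case $path in
                "$dir"/*) base=${path#"$dir"/} ;;
                *) continue ;;
            esac
            case $base in
                ""|.|..|*/*) continue ;;
            esac
            [ -L "$path" ] && continue
            [ -f "$path" ] || continue
            printf "%s\0" "$path"
        done' sh "$1"
}

# Refresh the mtime of validated names only. -c never creates a file and
# -h acts on a link itself, should one appear after the filter ran.
refresh_open_sessions() {
    filter_session_names "$1" | xargs -0 -r touch -c -h --
}

# Demo on the constructed listing: the second name comes back truncated.
sample_listing /var/lib/php5 | names_by_field9
```

The filter checks and `touch` are still separate steps, so `-h` stays in place for a link that appears between them.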



Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Thu, 01 Jan 2015 18:51:05 GMT).


Notification sent to Fiedler Roman <Roman.Fiedler@ait.ac.at>:
Bug acknowledged by developer. (Thu, 01 Jan 2015 18:51:05 GMT).


Message #86 received at 766147-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 766147-close@bugs.debian.org
Subject: Bug#766147: fixed in php5 5.4.35-0+deb7u1
Date: Thu, 01 Jan 2015 18:47:08 +0000
Source: php5
Source-Version: 5.4.35-0+deb7u1

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 766147@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 18 Nov 2014 06:34:02 +0100
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-fpm libphp5-embed php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-imap php5-interbase php5-intl php5-ldap php5-mcrypt php5-mysql php5-mysqlnd php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source all amd64
Version: 5.4.35-0+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 libphp5-embed - HTML-embedded scripting language (Embedded SAPI library)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-enchant - Enchant module for php5
 php5-fpm   - server-side, HTML-embedded scripting language (FPM-CGI binary)
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-intl  - internationalisation module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mysql - MySQL module for php5
 php5-mysqlnd - MySQL module for php5 (Native Driver)
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 766147 768309 769127
Changes: 
 php5 (5.4.35-0+deb7u1) wheezy-security; urgency=high
 .
   [ Ondřej Surý ]
   * New upstream version 5.4.35
    + Core:
     - Fixed bug #68365 (zend_mm_heap corrupted after memory overflow in
       zend_hash_copy).
    + Fileinfo:
     - Fixed bug #68283 (fileinfo: out-of-bounds read in elf note
       headers). (CVE-2014-3710)
    + GMP:
     - Fixed bug #63595 (GMP memory management conflicts with other
       libraries using GMP).
    + PDO_pgsql:
     - Fixed bug #66584 (Segmentation fault on statement deallocation).
   * Fix SQL_DESC_OCTET_LENGTH not supported by ADS ODBC driver (PHP#68350)
     (Closes: #768309)
   * Fix ODBC not reading columns other than SQL_*CHAR correctly
     (PHP#68087) (Closes: #769127)
   * Improve resiliency against symlink attacks by splitting the file names
     with NULL character in the sessionclean script (Closes: #766147)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 30 Jan 2015 07:26:34 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jul 28 15:43:48 2025; Machine Name: bembo
