Debian Bug report logs - #770164
php5: /usr/lib/php5/sessionclean broken: passes incompatible argument to sed

Package: php5-common; Maintainer for php5-common is (unknown);

Reported by: Sven Herzberg <sven.herzberg@cluepunk.com>

Date: Wed, 19 Nov 2014 10:06:01 UTC

Severity: normal

Tags: security

Merged with 770105, 770108, 770150, 770151, 770156

Found in versions php5/5.4.4-14+deb7u14, php5/5.4.35-0deb7u2, php5/5.4.35-0+deb7u1

Fixed in versions php5/5.4.35-0deb7u1, 5.4.35-0deb7u2, 5.4.35-0+deb7u2

Done: "Thijs Kinkhorst" <thijs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#770164; Package php5. (Wed, 19 Nov 2014 10:06:06 GMT)


Acknowledgement sent to Sven Herzberg <sven.herzberg@cluepunk.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 19 Nov 2014 10:06:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Sven Herzberg <sven.herzberg@cluepunk.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5: /usr/lib/php5/sessionclean broken: passes incompatible argument to sed
Date: Wed, 19 Nov 2014 10:47:28 +0100
Package: php5
Version: 5.4.35-0+deb7u1
Severity: serious
Tags: security
Justification: Policy 10.4

With the latest update of the php5-package, the session cleaning script is broken. As
I'm unfamiliar with the session cleaning implementation, I guess this might cause a
security issue by potentially not deleting session information that should be deleted.

Here's some debugging information from manually running the script that is run by
the cron job.

> root@vm-b:~# set -x
> root@vm-b:~# . /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime)
> ++ /usr/lib/php5/maxlifetime
> + . /usr/lib/php5/sessionclean /var/lib/php5 24
> ++ '[' -x /usr/bin/lsof ']'
> ++ xargs -0i echo touch -c -h ''\''{}'\'''
> ++ sed -zne 's/^n//p'
> sed: invalid option -- 'z'
> Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]...
> 
>   -n, --quiet, --silent
>                  suppress automatic printing of pattern space
>   -e script, --expression=script
>                  add the script to the commands to be executed
>   -f script-file, --file=script-file
>                  add the contents of script-file to the commands to be executed
>   --follow-symlinks
>                  follow symlinks when processing in place
>   -i[SUFFIX], --in-place[=SUFFIX]
>                  edit files in place (makes backup if extension supplied)
>   -l N, --line-length=N
>                  specify the desired line-wrap length for the `l' command
>   --posix
>                  disable all GNU extensions.
>   -r, --regexp-extended
>                  use extended regular expressions in the script.
>   -s, --separate
>                  consider files as separate rather than as a single continuous
>                  long stream.
>   -u, --unbuffered
>                  load minimal amounts of data from the input files and flush
>                  the output buffers more often
>       --help     display this help and exit
>       --version  output version information and exit
> 
> If no -e, --expression, -f, or --file option is given, then the first
> non-option argument is taken as the sed script to interpret.  All
> remaining arguments are names of input files; if no input files are
> specified, then the standard input is read.
> 
> GNU sed home page: <http://www.gnu.org/software/sed/>.
> General help using GNU software: <http://www.gnu.org/gethelp/>.
> ++ /usr/bin/lsof -w -l +d /var/lib/php5 -F0
> ++ find /var/lib/php5 -depth -mindepth 1 -maxdepth 1 -ignore_readdir_race -type f -cmin +24 -delete


-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-042stab092.3 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5 depends on:
ii  libapache2-mod-php5  5.4.35-0+deb7u1
ii  php5-cgi             5.4.35-0+deb7u1
ii  php5-common          5.4.35-0+deb7u1

php5 recommends no packages.

php5 suggests no packages.

-- no debconf information
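
Added example, not part of the original report and not the Debian script: one way to probe for `sed -z` before relying on it, with a portable fallback for a sed that rejects the option as in the trace above. The function names, the `FORCE_FALLBACK` knob and the sample `lsof -F0` style input are constructed for illustration; the fallback assumes session paths contain no newline characters.

```sh
#!/bin/sh
# Illustrative helpers (hypothetical names), not code from php5-common.

# Return 0 only if the local sed accepts -z (NUL-separated records).
sed_has_z() {
    printf 'nX\000' | sed -zne 's/^n//p' >/dev/null 2>&1
}

# stdin:  NUL-terminated fields, where 'n'-prefixed fields carry the
#         file name (the shape the sed expression in the trace expects).
# stdout: one file name per line.
# FORCE_FALLBACK=1 (constructed knob) skips the -z branch so the
# portable path can be exercised on a modern sed as well.
extract_names() {
    if [ "${FORCE_FALLBACK:-0}" != 1 ] && sed_has_z; then
        # Same expression as in the trace, then NUL -> newline.
        sed -zne 's/^n//p' | tr '\000' '\n'
    else
        # Portable path: turn NUL separators into newlines first, then
        # filter with a plain line-oriented sed. Assumes no newline
        # inside a path.
        tr '\000' '\n' | sed -ne 's/^n//p'
    fi
}

# Constructed sample input: one process with two open session files.
sample_lsof() {
    printf 'p4242\000\nf7\000n/var/lib/php5/sess_aaa\000\nf8\000n/var/lib/php5/sess_bbb\000\n'
}

# Demo: prints the two session paths, whichever branch is taken.
sample_lsof | extract_names
```

Running the probe once at the top of a cron script, and skipping the later `find ... -delete` step when name extraction fails, keeps a missing option from passing unnoticed.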



Removed tag(s) security. Request was from "Sebastiaan Couwenberg" <sebastic@xs4all.nl> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:05 GMT)


Bug reassigned from package 'php5' to 'php5-common'. Request was from "Sebastiaan Couwenberg" <sebastic@xs4all.nl> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:06 GMT)


No longer marked as found in versions php5/5.4.35-0+deb7u1. Request was from "Sebastiaan Couwenberg" <sebastic@xs4all.nl> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:07 GMT)


Marked as fixed in versions 5.4.35-0deb7u2. Request was from "Sebastiaan Couwenberg" <sebastic@xs4all.nl> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:08 GMT)


Marked Bug as done Request was from "Sebastiaan Couwenberg" <sebastic@xs4all.nl> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:09 GMT)


Notification sent to Sven Herzberg <sven.herzberg@cluepunk.com>:
Bug acknowledged by developer. (Wed, 19 Nov 2014 10:48:10 GMT)


Marked as found in versions php5/5.4.35-0+deb7u1. Request was from "Sebastiaan Couwenberg" <sebastic@xs4all.nl> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:10 GMT)


Merged 770105 770108 770150 770151 770156 770164 Request was from "Sebastiaan Couwenberg" <sebastic@xs4all.nl> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:15 GMT)


Severity set to 'normal' from 'serious' Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:24 GMT)


Bug reopened Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:29 GMT)


No longer marked as fixed in versions 5.4.35-0deb7u2. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:35 GMT)


Marked as fixed in versions php5/5.4.35-0deb7u1 and 5.4.35-0deb7u2. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:40 GMT)


Marked as found in versions php5/5.4.4-14+deb7u14 and php5/5.4.35-0deb7u2. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:46 GMT)


Added tag(s) security and pending. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:51 GMT)


Merged 766147 770105 770108 770150 770151 770156 770164 Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:48:58 GMT)


Disconnected #766147 from all other report(s). Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:54:09 GMT)


Merged 770105 770108 770150 770151 770156 770164 Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 10:54:15 GMT)


Disconnected #770108 from all other report(s). Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 11:00:12 GMT)


Merged 770105 770108 770150 770151 770156 770164 Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 11:03:22 GMT)


Reply sent to "Thijs Kinkhorst" <thijs@debian.org>:
You have taken responsibility. (Wed, 19 Nov 2014 11:06:05 GMT)


Notification sent to Sven Herzberg <sven.herzberg@cluepunk.com>:
Bug acknowledged by developer. (Wed, 19 Nov 2014 11:06:05 GMT)


Message #48 received at 770164-done@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 770164-done@bugs.debian.org
Subject: Re: Bug#770164: php5: /usr/lib/php5/sessionclean broken: passes incompatible argument to sed
Date: Wed, 19 Nov 2014 12:03:01 +0100
Version: 5.4.35-0+deb7u2

This was fixed in a DSA regression update.



Reply sent to "Thijs Kinkhorst" <thijs@debian.org>:
You have taken responsibility. (Wed, 19 Nov 2014 11:06:06 GMT)


Notification sent to Daniel Reichelt <debian@nachtgeist.net>:
Bug acknowledged by developer. (Wed, 19 Nov 2014 11:06:06 GMT)


Reply sent to "Thijs Kinkhorst" <thijs@debian.org>:
You have taken responsibility. (Wed, 19 Nov 2014 11:06:08 GMT)


Notification sent to Marian Sigler <m@qjym.de>:
Bug acknowledged by developer. (Wed, 19 Nov 2014 11:06:08 GMT)


Reply sent to "Thijs Kinkhorst" <thijs@debian.org>:
You have taken responsibility. (Wed, 19 Nov 2014 11:06:09 GMT)


Notification sent to "dea" <dea@corep.it>:
Bug acknowledged by developer. (Wed, 19 Nov 2014 11:06:09 GMT)


Reply sent to "Thijs Kinkhorst" <thijs@debian.org>:
You have taken responsibility. (Wed, 19 Nov 2014 11:06:10 GMT)


Notification sent to "dea" <dea@corep.it>:
Bug acknowledged by developer. (Wed, 19 Nov 2014 11:06:10 GMT)


Reply sent to "Thijs Kinkhorst" <thijs@debian.org>:
You have taken responsibility. (Wed, 19 Nov 2014 11:06:11 GMT)


Notification sent to lpouzenc <lpouzenc@pouzenc.fr>:
Bug acknowledged by developer. (Wed, 19 Nov 2014 11:06:11 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 20 Dec 2014 07:25:49 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jul 29 20:17:22 2025; Machine Name: bembo