The dev-php/ZendFramework version in the Gentoo repository (v1.12.9 as of today 2016-12-30) is very old and contains at least the following vulnerabilities:

ZF2015-04: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately.

ZF2015-06: ZendXml runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when under php-fpm, due to issues with threading in libxml preventing using that library's built-in mechanisms for disabling them. However, the heuristic was determined to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic will work with multibyte encodings. If you use Zend Framework components that utilize DOMDocument or SimpleXML (which includes Zend\XmlRpc, Zend\Soap, Zend\Feed, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.

ZF2015-07: A number of components, including Zend_Cloud, Zend_Search_Lucene, and Zend_Service_WindowsAzure were creating directories with a liberal umask that could lead to local arbitrary code execution and/or local privilege escalation. This release contains a patch that ensures the directories are created using permissions of 0775 and files using 0664 (essentially umask 0002).

ZF2015-08: ZF2014-06 uncovered an issue in the sqlsrv adapter provided by the framework whereby null bytes were not filtered correctly when generating SQL. A reporter discovered the same vulnerability is present in our PDO implementation when used with pdo_dblib, and could potentially be applied to other PDO adapters. This release contains a patch to properly escape null bytes used in SQL queries across all PDO adapters shipped with the framework.

ZF2015-09: Zend_Captcha_Word generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this version, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release updates Zend_Crypt_Math to provide cryptographically secure RNG, and updates Zend_Captcha_Word to use these new facilities.

ZF2016-01: A number of classes, including Zend_Filter_Encrypt, Zend_Form_Element_Hash, Zend_Gdata_HttpClient, Zend_Ldap_Attribute, and Zend_OpenId, were using randomization methods with insufficient entropy. They have been updated to each use Zend_Crypt_Math, and the latter was updated to use PHP 7's random_bytes() and random_int() where feasible.

ZF2016-02: The implementation of ORDER BY and GROUP BY in Zend_Db_Select contained potential SQL injection vulnerabilities, and have been patched.

ZF2016-03: The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments were used. This release provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur. We advise always filtering user input prior to invoking these methods, however, to further protect your applications.
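The ZF2016-03 mitigation quoted above (strip SQL comments, then validate the ORDER BY / GROUP BY argument), as an added illustration that is not Zend Framework's own code: the validator here is stricter than the advisory describes in that it refuses any specification that contained a comment at all, and the function names and sample inputs are constructed for this example.

```php
<?php
declare(strict_types=1);

// Remove -- and # line comments and /* ... */ block comments (an unterminated
// block comment is treated as running to the end of the string).
function stripSqlComments(string $spec): string
{
    $spec = preg_replace('~/\*.*?(\*/|$)~s', ' ', $spec);
    $spec = preg_replace('~(--|#)[^\r\n]*~', ' ', $spec);
    return trim($spec);
}

// Accept only "column" or "table.column" with an optional ASC/DESC.
// Anything else (functions, arithmetic, literals, extra columns) is refused;
// such expressions should be built by the application with Zend_Db_Expr,
// not passed through from user input.
function isSafeOrderSpec(string $spec): bool
{
    $clean = stripSqlComments($spec);
    // If comment removal changed the text, a comment was present: refuse it
    // outright instead of trusting whatever the comment was hiding.
    if ($clean !== trim($spec)) {
        return false;
    }
    $identifier = '[A-Za-z_][A-Za-z0-9_]*';
    $pattern = '/^' . $identifier . '(\.' . $identifier . ')?(\s+(ASC|DESC))?$/i';
    return (bool) preg_match($pattern, $clean);
}

// Constructed inputs: the first two are legitimate, the rest must be refused.
$samples = [
    'created_at',
    'users.name DESC',
    'name /* hidden */ ASC',
    'name -- trailing',
    'name, version()',
    'LENGTH(name)',
];
foreach ($samples as $s) {
    printf("%-24s => %s\n", $s, isSafeOrderSpec($s) ? 'accepted' : 'rejected');
}
```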
@ Maintainer(s): Remember that ZF 1 has been EOL since 2016-09-28. It is probably affected by ZF2016-04: Potential remote code execution in zend-mail via Sendmail adapter as well. Please consider tree cleaning because ZF 2 is no drop-in replacement for ZF 1.
The 1.x version of ZendFramework is (or can be) used by www-apps/postfixadmin, but that's the only reverse dependency I found. I have no objections to last-riting it, but the PHP project isn't the primary maintainer and I wasn't around when ZF was added.
It is an optional dependency to provide an xmlrpc interface. We could apply a USE mask (CC'ing the www-apps/postfixadmin maintainer). If we want to keep ZF1 for the moment we would have to bump to v1.12.20 and backport https://github.com/zendframework/zend-mail/commit/7260c9768bf27c84f994c48698493fd1fa62fca3 (which looks like an easy task), because the ZF1 Sendmail transport code also contains the potential RCE vulnerability like ZF2. Even if we patch now we should start the last-rite process to end the false indication of security coverage.
I'm all for last-riting it, since I haven't been looking at it for several years (I have moved away from anything PHP related, so I have forgotten about it).
The one version of postfixadmin in the tree is stable, so to drop the "xmlrpc" flag, we need @webapps to do a new revision and then we can quickly stabilize it under the auspices of this security bug. Afterwards, the old postfixadmin ebuild can be removed and we can mask ZendFramework.
Ping. Can we simply mask the xmlrpc USE on postfixadmin and then last-rite mask dev-php/ZendFramework to get this done?
CVE-2016-6233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6233): The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.

CVE-2016-4861 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4861): The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.

CVE-2016-10034 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10034): The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.
Aaron already dropped the xmlrpc USE flag in the latest postfixadmin, so all we need to do is stabilize that and drop the old versions I think? Then ZendFramework can go.
Use masked www-apps/postfixadmin[xmlrpc] in addition

# Brian Evans <grknight@gentoo.org> (22 Feb 2018)
# Multiple vulnerablities, EOL upstream.
# Masked for removal in 30 days. Bug #604182
dev-php/ZendFramework
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72f8743680dcfbb275eb300a8ce46d577d9f035c

commit 72f8743680dcfbb275eb300a8ce46d577d9f035c
Author: Brian Evans <grknight@gentoo.org>
AuthorDate: 2018-04-09 00:20:48 +0000
Commit: Brian Evans <grknight@gentoo.org>
CommitDate: 2018-04-09 00:20:48 +0000

dev-php/ZendFramework: Package removal wrt bug 604182

Bug: https://bugs.gentoo.org/604182

dev-php/ZendFramework/Manifest | 4 --
dev-php/ZendFramework/ZendFramework-1.12.9.ebuild | 79 ----------------------
dev-php/ZendFramework/metadata.xml | 14 ----
profiles/package.mask | 5 --
4 files changed, 102 deletions(-)
This issue was resolved and addressed in GLSA 201804-10 at https://security.gentoo.org/glsa/201804-10 by GLSA coordinator Aaron Bauman (b-man).