Field | Value | Field | Value
---|---|---|---
Summary | dev-php/ZendFramework: Multiple vulnerabilities | |
Product | Gentoo Security | Reporter | Thomas Deutschmann (RETIRED) <whissi>
Component | Vulnerabilities | Assignee | Gentoo Security <security>
Status | RESOLVED FIXED | |
Severity | normal | CC | gurligebis, php-bugs, titanofold, treecleaner, web-apps
Priority | Normal | Keywords | PMASKED
Version | unspecified | |
Hardware | All | |
OS | Linux | |
Whiteboard | B2 [glsa+ cve] | |
Package list | | Runtime testing required | ---
Bug Depends on | 608726, 621890, 646746 | |
Bug Blocks | | |
Description
Thomas Deutschmann (RETIRED)
2016-12-30 20:17:42 UTC
@ Maintainer(s): Remember that ZF 1 is EOL since 2016-09-28. It is probably affected by ZF2016-04: Potential remote code execution in zend-mail via Sendmail adapter as well. Please consider tree cleaning because ZF 2 is no drop-in replacement for ZF 1.

The 1.x version of ZendFramework is (or can be) used by www-apps/postfixadmin, but that's the only reverse dependency I found. I have no objections to lastriting it, but the PHP project isn't the primary maintainer and I wasn't around when the ZF was added. It is an optional dependency to provide an xmlrpc interface. We could apply a USE mask (CC'ing www-apps/postfixadmin maintainer).

If we want to keep ZF1 for the moment we would have to bump to v1.12.20 and backport https://github.com/zendframework/zend-mail/commit/7260c9768bf27c84f994c48698493fd1fa62fca3 (which looks like an easy task), because ZF1 Sendmail transport code also contains the potential RCE vulnerability like ZF2. Even if we patch now we should start the last rite process to end the false indication of security coverage.

I'm all for last-riting it, since I haven't been looking at it for several years (I have moved away from anything PHP related, so I have forgotten about it).

The one version of postfixadmin in the tree is stable, so to drop the "xmlrpc" flag, we need @webapps to do a new revision and then we can quickly stabilize it under the auspices of this security bug. Afterwards, the old postfixadmin ebuild can be removed and we can mask ZendFramework.

Ping.

Can we simply mask the xmlrpc USE on postfixadmin and then last-rite mask dev-php/ZendFramework to get this done?

CVE-2016-6233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6233): The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.

CVE-2016-4861 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4861): The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.

CVE-2016-10034 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10034): The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.

Aaron already dropped the xmlrpc USE flag in the latest postfixadmin, so all we need to do is stabilize that and drop the old versions I think? Then ZendFramework can go.

Use masked www-apps/postfixadmin[xmlrpc] in addition

```
# Brian Evans <grknight@gentoo.org> (22 Feb 2018)
# Multiple vulnerablities, EOL upstream.
# Masked for removal in 30 days. Bug #604182
dev-php/ZendFramework
```

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72f8743680dcfbb275eb300a8ce46d577d9f035c

```
commit 72f8743680dcfbb275eb300a8ce46d577d9f035c
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2018-04-09 00:20:48 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2018-04-09 00:20:48 +0000

    dev-php/ZendFramework: Package removal wrt bug 604182

    Bug: https://bugs.gentoo.org/604182

 dev-php/ZendFramework/Manifest                    |  4 --
 dev-php/ZendFramework/ZendFramework-1.12.9.ebuild | 79 ----------------------
 dev-php/ZendFramework/metadata.xml                | 14 ----
 profiles/package.mask                             |  5 --
 4 files changed, 102 deletions(-)
```

This issue was resolved and addressed in GLSA 201804-10 at https://security.gentoo.org/glsa/201804-10 by GLSA coordinator Aaron Bauman (b-man).
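Both Zend_Db_Select advisories quoted in the thread (CVE-2016-6233 and CVE-2016-4861) come down to validating ORDER BY / GROUP BY arguments with a pattern match on the raw, unstripped string. As an added illustration (not ZendFramework code and not from this bug), the following PHP function shows the approach a defender would want instead: the column must match an allowlist of known column names exactly, the direction is restricted to ASC/DESC, and anything else (extra tokens, comment markers, unknown names) is rejected before any SQL is assembled. The function name, column list and sample inputs are assumptions.

```php
<?php
// Added example: allowlist-based validation for ORDER BY / GROUP BY
// clauses built from untrusted input. Not ZendFramework code; the
// column list and function name are assumptions for illustration.

/**
 * Build a safe ORDER BY fragment from untrusted input.
 *
 * @param string   $spec    e.g. "name DESC" or "created_at"
 * @param string[] $columns the table's known column names (allowlist)
 * @return string|null      quoted fragment, or null when rejected
 */
function safeOrderBy(string $spec, array $columns): ?string
{
    // Split on whitespace only. Anything that is not exactly
    // "<column>" or "<column> <ASC|DESC>" is rejected, so comment
    // markers ("--", "/*") or extra tokens never reach the point
    // where a regex would have to strip them first.
    $parts = preg_split('/\s+/', trim($spec));
    if (count($parts) < 1 || count($parts) > 2) {
        return null;
    }
    [$column, $direction] = [$parts[0], $parts[1] ?? 'ASC'];

    // Exact, case-sensitive match against the allowlist: no pattern
    // matching on the raw string, so there is nothing to bypass.
    if (!in_array($column, $columns, true)) {
        return null;
    }
    $direction = strtoupper($direction);
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        return null;
    }
    // Quote the identifier (MySQL-style backticks shown here).
    return '`' . str_replace('`', '``', $column) . '` ' . $direction;
}

// Constructed sample inputs for demonstration.
$columns = ['id', 'name', 'created_at'];
var_dump(safeOrderBy('name DESC', $columns));       // well-formed request
var_dump(safeOrderBy('created_at', $columns));      // direction defaults to ASC
var_dump(safeOrderBy('name -- comment', $columns)); // contains an SQL comment marker
var_dump(safeOrderBy('name/**/DESC', $columns));    // comment glued to the identifier
var_dump(safeOrderBy('password', $columns));        // column not in the allowlist
```

The last three inputs are returned as null; no string comparison or regex ever runs against SQL syntax, which is the property the two advisories show a pattern-based check failing to provide.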