
Bug 604182

Summary: dev-php/ZendFramework: Multiple vulnerabilities
Product: Gentoo Security Reporter: Thomas Deutschmann <whissi>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gurligebis, php-bugs, titanofold, treecleaner, web-apps
Priority: Normal Keywords: PMASKED
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 608726, 621890, 646746    
Bug Blocks:    

Description Thomas Deutschmann gentoo-dev Security 2016-12-30 20:17:42 UTC
The dev-php/ZendFramework version in Gentoo repository (v1.12.9 as of today 2016-12-30) is very old and contains at least the following vulnerabilities:

ZF2015-04: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately.


ZF2015-06: ZendXml runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when under php-fpm, due to issues with threading in libxml preventing using that library's built-in mechanisms for disabling them. However, the heuristic was determined to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic will work with multibyte encodings.

If you use Zend Framework components that utilize DOMDocument or SimpleXML (which includes Zend\XmlRpc, Zend\Soap, Zend\Feed, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.


ZF2015-07: A number of components, including Zend_Cloud, Zend_Search_Lucene, and Zend_Service_WindowsAzure were creating directories with a liberal umask that could lead to local arbitrary code execution and/or local privilege escalation. This release contains a patch that ensures the directories are created using permissions of 0775 and files using 0664 (essentially umask 0002).


ZF2015-08: ZF2014-06 uncovered an issue in the sqlsrv adapter provided by the framework whereby null bytes were not filtered correctly when generating SQL. A reporter discovered the same vulnerability is present in our PDO implementation when used with pdo_dblib, and could potentially be applied to other PDO adapters. This release contains a patch to properly escape null bytes used in SQL queries across all PDO adapters shipped with the framework.


ZF2015-09: Zend_Captcha_Word generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this version, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release updates Zend_Crypt_Math to provide cryptographically secure RNG, and updates Zend_Captcha_Word to use these new facilities.


ZF2016-01: A number of classes, including Zend_Filter_Encrypt, Zend_Form_Element_Hash, Zend_Gdata_HttpClient, Zend_Ldap_Attribute, and Zend_OpenId, were using randomization methods with insufficient entropy. They have been updated to each use Zend_Crypt_Math, and the latter was updated to use PHP 7's random_bytes() and random_int() where feasible.


ZF2016-02: The implementation of ORDER BY and GROUP BY in Zend_Db_Select contained potential SQL injection vulnerabilities, and have been patched.


ZF2016-03: The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments were used. This release provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur. We advise always filtering user input prior to invoking these methods, however, to further protect your applications.
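The header-injection class behind ZF2015-04, shown as an added example (this is not Zend_Mail or Zend_Http code from the framework or from the bug reporter). The helper names assertHeaderValue, filterHeaderValue and buildHeaders, and the attacker-controlled "subject", are this example's own; the validator deliberately refuses any CR or LF rather than trying to honour RFC 5322 folding, and it also refuses non-ASCII bytes, which belong in RFC 2047 encoded-words before they reach a raw header.

```php
<?php
// Added example, not Zend Framework code: CRLF injection into a header value
// (ZF2015-04) and the validate-or-filter choice the advisory describes.
// Helper names and the sample input are constructed for this illustration.

declare(strict_types=1);

/**
 * Accept only printable US-ASCII (0x20-0x7E) and horizontal tab.
 * Any CR or LF, and therefore any attempt to start a new header line or the
 * message body, raises an exception. Non-ASCII text must already be encoded
 * (RFC 2047 encoded-word) before it is handed to a header.
 */
function assertHeaderValue(string $name, string $value): void
{
    if (preg_match('/\A[\x20-\x7E\x09]*\z/', $value) !== 1) {
        throw new InvalidArgumentException(
            sprintf('Header "%s" contains CR/LF or non-printable characters', $name)
        );
    }
}

/** Filtering alternative: drop CR, LF and every other control byte. */
function filterHeaderValue(string $value): string
{
    return preg_replace('/[^\x20-\x7E\x09]/', '', $value);
}

/** Builds a raw header block; unsafe when given unvalidated input. */
function buildHeaders(array $headers): string
{
    $out = '';
    foreach ($headers as $name => $value) {
        $out .= $name . ': ' . $value . "\r\n";
    }
    return $out;
}

// Constructed attacker input: a "subject" that terminates its own header,
// adds a Bcc: recipient and starts a second body.
$malicious = "Hello\r\nBcc: attacker@example.invalid\r\n\r\nInjected body";

// Vulnerable: the smuggled Bcc: line becomes a real header.
echo buildHeaders(['Subject' => $malicious]);

// Hardened, validating variant: the same input is refused.
try {
    assertHeaderValue('Subject', $malicious);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Hardened, filtering variant: CR/LF removed, a single Subject line remains.
echo buildHeaders(['Subject' => filterHeaderValue($malicious)]);
```

Validation (raise on bad input) is the better default for values that come from request data, because silently filtering can turn one attacker string into a different but still attacker-chosen header value; filtering is for cases where the caller has already decided the value is free text and only wants the line structure protected.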
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-12-30 20:21:09 UTC
@ Maintainer(s):

Remember that ZF 1 has been EOL since 2016-09-28. It is probably affected by

  ZF2016-04: Potential remote code execution in zend-mail via Sendmail adapter

as well.

Please consider tree cleaning because ZF 2 is no drop-in replacement for ZF 1.
Comment 2 Michael Orlitzky gentoo-dev 2016-12-30 21:34:49 UTC
The 1.x version of ZendFramework is (or can be) used by www-apps/postfixadmin, but that's the only reverse dependency I found. I have no objections to lastriting it, but the PHP project isn't the primary maintainer and I wasn't around when the ZF was added.
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-12-30 22:27:55 UTC
It is an optional dependency to provide an xmlrpc interface. We could apply a USE mask (CC'ing www-apps/postfixadmin maintainer).

If we want to keep ZF1 for the moment we would have to bump to v1.12.20 and backport https://github.com/zendframework/zend-mail/commit/7260c9768bf27c84f994c48698493fd1fa62fca3 (which looks like an easy task), because ZF1 Sendmail transport code also contains the potential RCE vulnerability like ZF2.

Even if we patch now we should start last rite process to end the false indication of security coverage.
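The Sendmail-transport bug class referred to in Comment 1 and Comment 3 (ZF2016-04), as an added example that is not zend-mail's or ZF1's own transport code and not the backport the comment mentions. It shows how an unchecked envelope sender becomes extra space-separated options in the -f parameter that a sendmail-style transport hands to PHP's mail() $additional_params, and a character allow-list that refuses such addresses. Function names, the allow-list pattern and the sample addresses are constructed for this illustration; the crafted value only contains a placeholder option, not a working payload.

```php
<?php
// Added example, not zend-mail code: envelope-sender parameter injection
// (ZF2016-04 class) and a strict allow-list that rejects it.
// Function names and sample addresses are constructed.

declare(strict_types=1);

/** Vulnerable shape: the address goes straight into the -f option that is
 *  later passed to mail() as its additional-parameters argument. */
function sendmailParamsUnchecked(string $from): string
{
    return '-f' . $from;
}

/**
 * Allow only characters that can neither end the current argument nor
 * disturb quoting: no whitespace, quotes, backslashes or shell
 * metacharacters. This is narrower than RFC 5321 mailbox syntax on purpose;
 * nothing a legitimate envelope sender needs is excluded.
 */
function isSafeEnvelopeSender(string $address): bool
{
    return preg_match('/\A[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\z/', $address) === 1;
}

function sendmailParamsChecked(string $from): string
{
    if (!isSafeEnvelopeSender($from)) {
        throw new InvalidArgumentException('Envelope sender rejected: ' . $from);
    }
    return '-f' . $from;
}

$benign = 'noreply@example.invalid';

// Constructed attacker value: the \" closes the quoted local part early, so
// what follows is seen as further command-line options for sendmail.
$crafted = "\"attacker\\\" -Oparam=value \"@example.invalid";

echo sendmailParamsUnchecked($crafted), PHP_EOL;  // extra options reach sendmail
echo sendmailParamsChecked($benign), PHP_EOL;     // -fnoreply@example.invalid
try {
    sendmailParamsChecked($crafted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The check belongs on the address, not on the assembled parameter string: mail() itself does not split its additional-parameters argument into a fixed number of options, so once quoting is confused the only reliable defence is never to let quote, backslash or whitespace characters into that argument at all.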
Comment 4 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2017-01-02 09:04:45 UTC
I'm all for last-riting it, since I haven't been looking at it for several years (I have moved away from anything PHP related, so I have forgotten about it)
Comment 5 Michael Orlitzky gentoo-dev 2017-01-05 21:52:20 UTC
The one version of postfixadmin in the tree is stable, so to drop the "xmlrpc" flag, we need @webapps to do a new revision and then we can quickly stabilize it under the auspices of this security bug. Afterwards, the old postfixadmin ebuild can be removed and we can mask ZendFramework.
Comment 6 Brian Evans Gentoo Infrastructure gentoo-dev 2017-10-09 19:56:50 UTC
Ping.

Can we simply mask the xmlrpc USE on postfixadmin and then last-rite mask dev-php/ZendFramework to get this done?
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-11-01 20:34:51 UTC
CVE-2016-6233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6233):
  The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework
  before 1.12.19 might allow remote attackers to conduct SQL injection attacks
  via vectors related to use of the character pattern [\w]* in a regular
  expression.

CVE-2016-4861 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4861):
  The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework
  before 1.12.20 might allow remote attackers to conduct SQL injection attacks
  by leveraging failure to remove comments from an SQL statement before
  validation.

CVE-2016-10034 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10034):
  The setFrom function in the Sendmail adapter in the zend-mail component
  before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework
  before 2.4.11 might allow remote attackers to pass extra parameters to the
  mail command and consequently execute arbitrary code via a \" (backslash
  double quote) in a crafted e-mail address.
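The two Zend_Db_Select CVEs above, as an added example that is not the framework's own Zend_Db_Select code and does not reproduce its internal fix. It contrasts the loose "is this a function call?" test named in CVE-2016-6233 (the [\w]* pattern lets the function name be empty, so a bare parenthesised subquery is passed through as a raw expression) with an ORDER BY builder that strips SQL comments before validating, the step CVE-2016-4861 says was missing, and then only accepts allow-listed column names. All function names, the column list and the sample specs are constructed for this illustration.

```php
<?php
// Added example, not Zend_Db_Select code: loose function-call detection
// (CVE-2016-6233) versus comment stripping plus a column allow-list
// (the missing step in CVE-2016-4861). Names and inputs are constructed.

declare(strict_types=1);

/** The pattern quoted in CVE-2016-6233. [\w]* permits an empty function
 *  name, so "(SELECT ...)" is classified as a function call and emitted
 *  verbatim instead of being quoted as an identifier. */
function looksLikeFunctionCallLoose(string $spec): bool
{
    return preg_match('/^[\w]*\(.*\)$/', $spec) === 1;
}

/** Remove block and line comments and collapse whitespace so the validator
 *  and the database see the same statement text. */
function stripSqlComments(string $sql): string
{
    $sql = preg_replace('#/\*.*?\*/#s', ' ', $sql);
    $sql = preg_replace('/--[^\r\n]*/', ' ', $sql);
    return trim(preg_replace('/\s+/', ' ', $sql));
}

/**
 * Hardened ORDER BY builder: after comment removal each spec must be one
 * column from $allowedColumns, optionally followed by ASC or DESC.
 * Expressions are never accepted as strings; if the application needs one
 * it builds it itself, not from request data.
 */
function buildOrderBy(array $specs, array $allowedColumns): string
{
    $allowed = array_map('strtolower', $allowedColumns);
    $parts = [];
    foreach ($specs as $spec) {
        $clean = stripSqlComments($spec);
        if (preg_match('/^([A-Za-z_][A-Za-z0-9_]*)(?: (ASC|DESC))?$/i', $clean, $m) !== 1) {
            throw new InvalidArgumentException('Rejected ORDER BY spec: ' . $spec);
        }
        if (!in_array(strtolower($m[1]), $allowed, true)) {
            throw new InvalidArgumentException('Unknown ORDER BY column: ' . $m[1]);
        }
        $parts[] = '"' . $m[1] . '"' . (isset($m[2]) ? ' ' . strtoupper($m[2]) : '');
    }
    return 'ORDER BY ' . implode(', ', $parts);
}

$columns = ['id', 'name', 'created_at'];

// Constructed inputs: a legitimate spec, one carrying a comment, and a
// subquery with an empty "function name".
$inputs = [
    'created_at DESC',
    'name /* sort key */ ASC',
    '(SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END)',
];

foreach ($inputs as $spec) {
    printf("%-45s loose check: %s\n", $spec,
        looksLikeFunctionCallLoose($spec) ? 'raw expression' : 'identifier');
    try {
        echo '  hardened: ', buildOrderBy([$spec], $columns), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo '  hardened: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first two inputs come out as "created_at" DESC and "name" ASC; the subquery is accepted by the loose check and rejected by the hardened builder. This matches the advisory's own recommendation above: do not rely on the framework to recognise a function call, filter ORDER BY and GROUP BY input against a known column set before calling these methods.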
Comment 8 Michael Orlitzky gentoo-dev 2017-11-04 23:53:28 UTC
Aaron already dropped the xmlrpc USE flag in the latest postfixadmin, so all we need to do is stabilize that and drop the old versions I think? Then ZendFramework can go.
Comment 9 Brian Evans Gentoo Infrastructure gentoo-dev 2018-02-22 13:50:56 UTC
Use masked www-apps/postfixadmin[xmlrpc] in addition

# Brian Evans <grknight@gentoo.org> (22 Feb 2018)
# Multiple vulnerabilities, EOL upstream.
# Masked for removal in 30 days. Bug #604182
dev-php/ZendFramework
Comment 10 Larry the Git Cow gentoo-dev 2018-04-09 00:21:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72f8743680dcfbb275eb300a8ce46d577d9f035c

commit 72f8743680dcfbb275eb300a8ce46d577d9f035c
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2018-04-09 00:20:48 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2018-04-09 00:20:48 +0000

    dev-php/ZendFramework: Package removal wrt bug 604182
    
    Bug: https://bugs.gentoo.org/604182

 dev-php/ZendFramework/Manifest                    |  4 --
 dev-php/ZendFramework/ZendFramework-1.12.9.ebuild | 79 -----------------------
 dev-php/ZendFramework/metadata.xml                | 14 ----
 profiles/package.mask                             |  5 --
 4 files changed, 102 deletions(-)
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2018-04-09 16:01:23 UTC
This issue was resolved and addressed in
 GLSA 201804-10 at https://security.gentoo.org/glsa/201804-10
by GLSA coordinator Aaron Bauman (b-man).