Summary: dev-php/ZendFramework: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Thomas Deutschmann <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: gurligebis, php-bugs, titanofold, treecleaner, web-apps
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 608726, 621890, 646746
Description Thomas Deutschmann 2016-12-30 20:17:42 UTC
The dev-php/ZendFramework version in the Gentoo repository (v1.12.9 as of today, 2016-12-30) is very old and contains at least the following vulnerabilities:

ZF2015-04: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately.

ZF2015-06: ZendXml runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when under php-fpm, due to issues with threading in libxml preventing using that library's built-in mechanisms for disabling them. However, the heuristic was determined to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic will work with multibyte encodings. If you use Zend Framework components that utilize DOMDocument or SimpleXML (which includes Zend\XmlRpc, Zend\Soap, Zend\Feed, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.

ZF2015-07: A number of components, including Zend_Cloud, Zend_Search_Lucene, and Zend_Service_WindowsAzure were creating directories with a liberal umask that could lead to local arbitrary code execution and/or local privilege escalation. This release contains a patch that ensures the directories are created using permissions of 0775 and files using 0664 (essentially umask 0002).

ZF2015-08: ZF2014-06 uncovered an issue in the sqlsrv adapter provided by the framework whereby null bytes were not filtered correctly when generating SQL. A reporter discovered the same vulnerability is present in our PDO implementation when used with pdo_dblib, and could potentially be applied to other PDO adapters. This release contains a patch to properly escape null bytes used in SQL queries across all PDO adapters shipped with the framework.

ZF2015-09: Zend_Captcha_Word generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this version, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release updates Zend_Crypt_Math to provide cryptographically secure RNG, and updates Zend_Captcha_Word to use these new facilities.

ZF2016-01: A number of classes, including Zend_Filter_Encrypt, Zend_Form_Element_Hash, Zend_Gdata_HttpClient, Zend_Ldap_Attribute, and Zend_OpenId, were using randomization methods with insufficient entropy. They have been updated to each use Zend_Crypt_Math, and the latter was updated to use PHP 7's random_bytes() and random_int() where feasible.

ZF2016-02: The implementation of ORDER BY and GROUP BY in Zend_Db_Select contained potential SQL injection vulnerabilities, and have been patched.

ZF2016-03: The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments were used. This release provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur. We advise always filtering user input prior to invoking these methods, however, to further protect your applications.
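The two hardening patterns the advisories above describe, refusing CR/LF in header values (ZF2015-04) and removing SQL comments before validating an ORDER BY or GROUP BY term (ZF2016-02/03), written out as an added PHP example. This is not Zend Framework code: the function names, the sample inputs and the ORDER BY allowlist are constructed for illustration, and the allowlist is deliberately narrower than what Zend_Db_Select accepts.

```php
<?php
// Added example, not Zend Framework code. Function names and sample data are
// constructed for illustration; the ORDER BY allowlist is deliberately narrow.
declare(strict_types=1);

/**
 * ZF2015-04 pattern: refuse any header value that could terminate the header
 * line. RFC 7230 permits only HTAB, SP, visible ASCII and obs-text (0x80-0xFF)
 * in a field value, so CR, LF and every other control character is rejected
 * with an exception, the same way the patched Zend_Http/Zend_Mail behave.
 */
function assertHeaderValue(string $value): string
{
    if (preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value) === 1) {
        throw new InvalidArgumentException('header value contains a control character');
    }
    return $value;
}

/** Remove block comments and line comments (-- and #) from a SQL fragment. */
function stripSqlComments(string $sql): string
{
    $sql = preg_replace('~/\*.*?\*/~s', '', $sql) ?? '';       // /* ... */
    $sql = preg_replace('~(?:--|#)[^\r\n]*~', '', $sql) ?? ''; // -- ... / # ... to end of line
    return $sql;
}

/**
 * ZF2016-03 pattern: strip comments first, validate what is left, and return
 * only that cleaned term so the caller never interpolates the raw input.
 * Accepted: an identifier, optionally qualified with one dot, optionally
 * followed by ASC or DESC. Anything else (expressions, commas, parentheses,
 * an unterminated comment) yields null and must not reach the query.
 */
function sanitizeOrderTerm(string $term): ?string
{
    $clean = trim(stripSqlComments($term));
    $ok = preg_match(
        '/\A[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?(?:\s+(?:ASC|DESC))?\z/i',
        $clean
    );
    return $ok === 1 ? (preg_replace('/\s+/', ' ', $clean) ?? null) : null;
}

// Constructed sample header values: one legitimate, one carrying a CR LF pair.
$headerSamples = [
    'text/html; charset=utf-8',
    "text/html\r\nX-Injected: 1",
];
foreach ($headerSamples as $sample) {
    try {
        assertHeaderValue($sample);
        printf("header accepted: %s\n", json_encode($sample));
    } catch (InvalidArgumentException $e) {
        printf("header rejected: %s (%s)\n", json_encode($sample), $e->getMessage());
    }
}

// Constructed sample ORDER BY terms.
$orderSamples = [
    'created_at DESC',
    'u.name',
    'name /* comment */ ASC',   // comment removed, remainder validated
    'name, other',              // two terms in one string: rejected
    'RAND()',                   // expression outside the allowlist: rejected
];
foreach ($orderSamples as $sample) {
    $clean = sanitizeOrderTerm($sample);
    printf("order %s -> %s\n", json_encode($sample), $clean === null ? 'rejected' : "\"$clean\"");
}
```

The point of returning the cleaned term rather than a boolean is that a comment which was only stripped for validation must not survive into the generated SQL; some dialects (MySQL's `/*! ... */` form, for instance) execute comment contents, so the string that passed validation is the only string the query builder should ever see.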
Comment 1 Thomas Deutschmann 2016-12-30 20:21:09 UTC
@ Maintainer(s): Remember that ZF 1 has been EOL since 2016-09-28. It is probably affected by ZF2016-04 (potential remote code execution in zend-mail via the Sendmail adapter) as well. Please consider tree cleaning, because ZF 2 is not a drop-in replacement for ZF 1.
Comment 2 Michael Orlitzky 2016-12-30 21:34:49 UTC
The 1.x version of ZendFramework is (or can be) used by www-apps/postfixadmin, but that's the only reverse dependency I found. I have no objections to last-riting it, but the PHP project isn't the primary maintainer and I wasn't around when ZF was added.
Comment 3 Thomas Deutschmann 2016-12-30 22:27:55 UTC
It is an optional dependency to provide an xmlrpc interface. We could apply a USE mask (CC'ing the www-apps/postfixadmin maintainer). If we want to keep ZF1 for the moment, we would have to bump to v1.12.20 and backport https://github.com/zendframework/zend-mail/commit/7260c9768bf27c84f994c48698493fd1fa62fca3 (which looks like an easy task), because the ZF1 Sendmail transport code also contains the same potential RCE vulnerability as ZF2. Even if we patch now, we should start the last-rite process to end the false indication of security coverage.
Comment 4 Bjarke Istrup Pedersen (RETIRED) 2017-01-02 09:04:45 UTC
I'm all for last-riting it, since I haven't been looking at it for several years (I have moved away from anything PHP related, so I have forgotten about it).
Comment 5 Michael Orlitzky 2017-01-05 21:52:20 UTC
The one version of postfixadmin in the tree is stable, so to drop the "xmlrpc" flag, we need @webapps to do a new revision and then we can quickly stabilize it under the auspices of this security bug. Afterwards, the old postfixadmin ebuild can be removed and we can mask ZendFramework.
Comment 6 Brian Evans 2017-10-09 19:56:50 UTC
Ping. Can we simply mask the xmlrpc USE on postfixadmin and then last-rite mask dev-php/ZendFramework to get this done?
Comment 7 GLSAMaker/CVETool Bot 2017-11-01 20:34:51 UTC
CVE-2016-6233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6233): The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.

CVE-2016-4861 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4861): The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.

CVE-2016-10034 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10034): The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.
Comment 8 Michael Orlitzky 2017-11-04 23:53:28 UTC
Aaron already dropped the xmlrpc USE flag in the latest postfixadmin, so all we need to do is stabilize that and drop the old versions I think? Then ZendFramework can go.
Comment 9 Brian Evans 2018-02-22 13:50:56 UTC
Use masked www-apps/postfixadmin[xmlrpc] in addition:

# Brian Evans <email@example.com> (22 Feb 2018)
# Multiple vulnerabilities, EOL upstream.
# Masked for removal in 30 days. Bug #604182
dev-php/ZendFramework
Comment 10 Larry the Git Cow 2018-04-09 00:21:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72f8743680dcfbb275eb300a8ce46d577d9f035c

commit 72f8743680dcfbb275eb300a8ce46d577d9f035c
Author:     Brian Evans <firstname.lastname@example.org>
AuthorDate: 2018-04-09 00:20:48 +0000
Commit:     Brian Evans <email@example.com>
CommitDate: 2018-04-09 00:20:48 +0000

    dev-php/ZendFramework: Package removal wrt bug 604182

    Bug: https://bugs.gentoo.org/604182

 dev-php/ZendFramework/Manifest                    |  4 --
 dev-php/ZendFramework/ZendFramework-1.12.9.ebuild | 79 ----------------------
 dev-php/ZendFramework/metadata.xml                | 14 ----
 profiles/package.mask                             |  5 --
 4 files changed, 102 deletions(-)