Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 369139 (CVE-2011-1939) - <dev-php/ZendFramework-1.11.6: Filter bypass may allow SQL injection (CVE-2011-1939)
Summary: <dev-php/ZendFramework-1.11.6: Filter bypass may allow SQL injection (CVE-201...
Status: RESOLVED FIXED
Alias: CVE-2011-1939
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://framework.zend.com/security/ad...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-29 04:01 UTC by Tim Sammut (RETIRED)
Modified: 2014-08-04 09:08 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-05-29 04:01:35 UTC
From the upstream advisory at $URL:

ZF2011-02: Potential SQL Injection Vector When Using PDO_MySql
Executive Summary

Developers using non-ASCII-compatible encodings in conjunction with the MySQL PDO driver of PHP may be vulnerable to SQL injection attacks. Developers using ASCII-compatible encodings like UTF8 or latin1 are not affected by this PHP issue, which is described in more detail here:

    * http://bugs.php.net/bug.php?id=47802

The PHP Group included a feature in PHP 5.3.6+ that allows any character set information to be passed as part of the DSN in PDO to allow both the database as well as the C-level driver to be aware of which charset is in use which is of special importance when PDO's quoting mechanisms are utilized, which Zend Framework also relies on.
Action Taken

Zend_Db was patched to ensure that any charset information provided to the PDO MySQL adapter will be sent to PDO both as part of the DSN as well as in a SET NAMES query. This ensures that any developer using ZF on PHP 5.3.6+ while using non-ASCII compatible encodings is safe from SQL injection while using the PDO's quoting mechanisms or emulated prepared statements.

The patch has been applied starting in versions 1.11.6 and 1.10.9 of Zend Framework.
Recommendations

If you are using non-ASCII compatible encodings, such as GBK, in conjunction with PDO's MySQL adapter, we strongly urge you to consider upgrading to at least PHP 5.3.6 and use Zend Framework version 1.11.6 or greater, or 1.10.9 if still using the 1.10 series of releases.
Other Information
Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

    * Anthony Ferrara
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2011-05-29 10:32:47 UTC
Do fell free to bump and stabilize the new version :)
Would make me happy to be able to get rid of the old versions, once the new version is stable :) (So that would be a bonus)
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2011-05-29 11:08:21 UTC
Ebuild committed. Please go ahead and stabilise.

Cheers!
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-05-29 17:48:16 UTC
(In reply to comment #2)
> Ebuild committed. Please go ahead and stabilise.
> 

Thanks!

Arches, please test and mark stable:
=dev-php/ZendFramework-1.11.6
Target keywords : "amd64 hppa ppc ppc64 x86"
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2011-05-29 20:59:26 UTC
amd64 done
Comment 5 Jeroen Roovers gentoo-dev 2011-05-30 00:51:55 UTC
Stable for HPPA.
Comment 6 Andreas Schürch gentoo-dev 2011-05-30 11:13:55 UTC
Tested on x86, looks also good here.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-31 13:30:08 UTC
x86 stable, thanks Andreas
Comment 8 Brent Baude (RETIRED) gentoo-dev 2011-06-03 15:01:27 UTC
ppc done
Comment 9 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-06-07 09:39:00 UTC
ppc64 stable, last arch done
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-06-07 13:12:59 UTC
Thanks, folks. GLSA Vote: Yes.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:42:44 UTC
Vote: YES. New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-08-04 09:08:46 UTC
This issue was resolved and addressed in
 GLSA 201408-01 at http://security.gentoo.org/glsa/glsa-201408-01.xml
by GLSA coordinator Sergey Popov (pinkbyte).