From the upstream advisory at $URL:

ZF2012-05: Potential XML eXternal Entity injection vectors in Zend Framework 1 Zend_Feed component

Zend_Feed_Rss and Zend_Feed_Atom were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections.

A similar issue was fixed for 1.11.13 and 1.12.0, in the Zend_Feed::import() factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable.

Action Taken
============

A patch was applied that removes the XXE vector by calling libxml_disable_entity_loader() before attempting to parse the feed via DOMDocument::loadXML().

Recommendations
===============

If you are using any of the components listed, and, in particular, were directly instantiating them, we recommend upgrading to either version 1.11.15 or 1.12.1 or greater.

Other Information

Acknowledgments
===============

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

* Yury Dyachenko at Positive Research Center

Reproducible: Always
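The mitigation the advisory describes, parsing a feed with DOMDocument::loadXML() only after external entity loading has been disabled, looks like this in practice. This is an added example and not Zend Framework's own code; the function name parseFeedSafely, the version guard around libxml_disable_entity_loader(), the DOCTYPE check and the two sample feed strings are assumptions constructed for illustration.

```php
<?php
// Added example (not Zend Framework code): parse an untrusted feed body with
// DOMDocument while refusing external entity resolution, in the spirit of the
// ZF2012-05 fix. $feedXml is assumed to be the raw body of a fetched feed.

function parseFeedSafely(string $feedXml): DOMDocument
{
    // Disable resolution of external entities, which is what the ZF2012-05
    // patch does before DOMDocument::loadXML(). libxml >= 2.9 (PHP 8.0+)
    // disables the loader by default and deprecates this call, so guard it.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    // Collect parser errors instead of emitting warnings.
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids any network access during parsing.
        // LIBXML_NOENT is deliberately NOT set, so entities are not substituted.
        if ($dom->loadXML($feedXml, LIBXML_NONET) === false) {
            throw new RuntimeException('Feed is not well-formed XML');
        }
        // Defence in depth: a feed never legitimately needs an internal DTD
        // subset that declares entities, so reject any document carrying one.
        $doctype = $dom->doctype;
        if ($doctype !== null
            && stripos((string) $doctype->internalSubset, '<!ENTITY') !== false) {
            throw new RuntimeException('Feed declares XML entities; refusing to parse');
        }
        return $dom;
    } finally {
        // Restore process-wide libxml state for other callers.
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed sample inputs: a plain RSS document and one with an entity
// declaration in its DOCTYPE (the shape of document the advisory warns about).
$benignFeed = '<?xml version="1.0"?>'
    . '<rss version="2.0"><channel><title>Example</title></channel></rss>';
$entityFeed = '<?xml version="1.0"?><!DOCTYPE rss [<!ENTITY x "y">]>'
    . '<rss version="2.0"><channel><title>&x;</title></channel></rss>';

$dom = parseFeedSafely($benignFeed);
echo $dom->getElementsByTagName('title')->item(0)->textContent, PHP_EOL;

try {
    parseFeedSafely($entityFeed);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Both controls matter: disabling the entity loader addresses the file and TCP access the advisory describes, while refusing any DOCTYPE that declares entities also blocks the entity-expansion denial of service tracked as CVE-2012-6532 in this thread. Because libxml_disable_entity_loader() changes process-wide state, the previous value is restored in the finally block so other code in the same request is not affected.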
Thanks for the report, Thomas.
CVE-2012-5657

Summary: The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.

Published: 05/02/2013
CVE-2012-6532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6532):
(1) Zend_Dom, (2) Zend_Feed, (3) Zend_Soap, and (4) Zend_XmlRpc in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 allow remote attackers to cause a denial of service (CPU consumption) via recursive or circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack.

CVE-2012-6531 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6531):
(1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack, a different vulnerability than CVE-2012-3363.

CVE-2012-5657 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5657):
The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.
Any update on a new version for this?
+*ZendFramework-1.12.9 (07 Oct 2014) + + 07 Oct 2014; <grknight@gentoo.org> +ZendFramework-1.12.9.ebuild, + -ZendFramework-1.11.6.ebuild: + Version bump for wrt bug 448576 and security bugs 451060, 505276 and 523198 Should be OK to stable as it keeps backwards compatibility with the 1.11 series
Being Stabilized as part of Bug #523198
Arches, thank you for your work.

GLSA Vote: No

Cleaned up as part of Bug 523198
GLSA vote: no. Closing as [noglsa]