Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 451060 (CVE-2012-5657) - <dev-php/ZendFramework-1.12.9: Potential XML eXternal Entity injection vectors (CVE-2012-{5657,6531,6532})
Summary: <dev-php/ZendFramework-1.12.9: Potential XML eXternal Entity injection vector...
Status: RESOLVED FIXED
Alias: CVE-2012-5657
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://framework.zend.com/security/ad...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-09 15:46 UTC by Thomas Deutschmann
Modified: 2015-03-18 21:57 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev 2013-01-09 15:46:57 UTC
From the upstream advisory at $URL:

ZF2012-05: Potential XML eXternal Entity injection vectors in Zend Framework 1 Zend_Feed component

Zend_Feed_Rss and Zend_Feed_Atom were found to contain potential XML eXternal Entity (XXE) vectors due to insecure usage of PHP's DOM extension. External entities could be specified by adding a specific DOCTYPE element to feeds; exploiting this vulnerability could coerce opening arbitrary files and/or TCP connections. 

A similar issue was fixed for 1.11.13 and 1.12.0, in the Zend_Feed::import() factory method; however, the reporter of the issue discovered that the individual classes contained similar functionality in their constructors which remained vulnerable. 

Action Taken
============
A patch was applied that removes the XXE vector by calling libxml_disable_entity_loader() before attempting to parse the feed via DOMDocument::loadXML(). 

Recommendations
===============
If you are using any of the components listed, and, in particular, were directly instantiating them, we recommend upgrading to either version 1.11.15 or 1.12.1 or greater. 
Other Information

Acknowledgments
===============
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users: 

  * Yury Dyachenko at Positive Research Center

Reproducible: Always
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-15 23:32:56 UTC
Thanks for the report, Thomas.
Comment 2 Agostino Sarubbo gentoo-dev 2013-05-05 12:14:40 UTC
CVE-2012-5657
Summary: The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.
Published: 05/02/2013
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 11:41:03 UTC
CVE-2012-6532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6532):
  (1) Zend_Dom, (2) Zend_Feed, (3) Zend_Soap, and (4) Zend_XmlRpc in Zend
  Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 allow remote attackers
  to cause a denial of service (CPU consumption) via recursive or circular
  references in an XML entity definition in an XML DOCTYPE declaration, aka an
  XML Entity Expansion (XEE) attack.

CVE-2012-6531 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6531):
  (1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x before
  1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement
  classes, which allow remote attackers to read arbitrary files or create TCP
  connections via an external entity reference in a DOCTYPE element in an
  XML-RPC request, aka an XML external entity (XXE) injection attack, a
  different vulnerability than CVE-2012-3363.

CVE-2012-5657 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5657):
  The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend
  Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote
  attackers to read arbitrary files, send HTTP requests to intranet servers,
  and possibly cause a denial of service (CPU and memory consumption) via an
  XML External Entity (XXE) attack.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-05 21:33:28 UTC
Any update on a new version for this?
Comment 5 Brian Evans Gentoo Infrastructure gentoo-dev 2014-10-07 18:45:11 UTC
+*ZendFramework-1.12.9 (07 Oct 2014)
+
+  07 Oct 2014;  <grknight@gentoo.org> +ZendFramework-1.12.9.ebuild,
+  -ZendFramework-1.11.6.ebuild:
+  Version bump for wrt bug 448576 and security bugs 451060, 505276 and 523198

Should be OK to stable as it keeps backwards compatibility with the 1.11 series
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-10-15 05:12:09 UTC
Being Stabilized as part of Bug #523198
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-03-18 21:46:54 UTC
Arches, Thank you for your work.
GLSA Vote: No

Cleaned up as part of Bug 523198
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-03-18 21:57:27 UTC
GLSA vote: no.

Closing as [noglsa]