testing zendframework for Wheezy LTS
Hi everybody,
I uploaded version 1.11.13-1.1+deb7u5 of zendframework to:
https://people.debian.org/~alteholz/packages/wheezy-lts/zendframework/amd64/
Please give it a try and tell me about any problems you met. It would be
nice to mainly test access to databases. The debdiff is attached.
Thanks!
Thorsten
* CVE-2016-4861
The implementation of ORDER BY and GROUP BY in Zend_Db_Select
remained prone to SQL injection when a combination of SQL
expressions and comments were used. This security patch provides
a comprehensive solution that identifies and removes comments
prior to checking validity of the statement to ensure no SQLi
vectors occur.
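The changelog entry above describes the order of operations the fix relies on: remove SQL comments first, then decide whether what is left is a complete column expression. The PHP below is an added illustration of that idea, not code from the debdiff or from Zend Framework; the two regular expressions and the function names are this example's own simplified versions, not the package's constants.

```php
<?php
// Added example, not code from the debdiff or from Zend Framework: it shows the
// validation order the changelog describes (strip SQL comments, then require the
// remainder to be a complete column expression). The two regexes below are this
// example's own simplified patterns, not the package's constants.

// Group 1 captures quoted strings so preg_replace can keep them verbatim;
// group 3 matches "--"/"#" single-line comments and nested /* ... */ blocks,
// which are dropped. (?R) recurses into the whole pattern for nesting; the x
// modifier makes the whitespace and the "#" annotations insignificant.
const EXAMPLE_SQL_COMMENTS = '@
    (([\'"]).*?[^\\\]\2)            # $1 : keep single/double quoted strings
    |(                              # $3 : comments
        (?:\#|--).*?$               #   single-line comments
        |                           #   multi-line (nested) comments
        /\*                         #   comment open marker
        (?: [^/*]                   #   non comment-marker characters
          | /(?!\*)                 #   a "/" that does not open a comment
          | \*(?!/)                 #   a "*" that does not close one
          | (?R)                    #   nested comment
        )*
        \*/                         #   comment close marker
    )\s*                            # trim whitespace after a comment
@msx';

// Whole-string match (^ ... $) of a single function call with balanced
// parentheses; (?1) recurses into group 1 so nested calls such as
// COALESCE(MAX(a), 0) are accepted as one expression.
const EXAMPLE_COLUMN_EXPR = '/^([\w]+\s*\(([^\(\)]|(?1))*\))$/';

function stripSqlComments(string $val): string
{
    // Unset group 1 (a comment match) replaces with the empty string.
    return preg_replace(EXAMPLE_SQL_COMMENTS, '$1', $val);
}

// True only if the value, once comments are removed, is exactly one balanced
// function-call expression. Anything else should be treated as an identifier
// and quoted by the caller rather than emitted as a raw expression.
function isColumnExpression(string $val): bool
{
    return (bool) preg_match(EXAMPLE_COLUMN_EXPR, stripSqlComments($val));
}

// Constructed sample inputs for a GROUP BY / ORDER BY term.
$samples = array(
    'COUNT(id)',
    'COALESCE(MAX(price), 0)',
    'name',
    'MAX(price) /* comment */',
    'COUNT(id) -- trailing note',
);
foreach ($samples as $s) {
    printf("%-32s => %s\n", var_export($s, true),
        isColumnExpression($s) ? 'expression' : 'identifier');
}
```

The point of the ordering is that the expression check is anchored on the whole string: a value only counts as a raw expression when, after comments are gone, nothing but one balanced function call remains. Everything else falls through to identifier quoting, which is the safe default.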
diff -u zendframework-1.11.13/debian/changelog zendframework-1.11.13/debian/changelog
--- zendframework-1.11.13/debian/changelog
+++ zendframework-1.11.13/debian/changelog
@@ -1,3 +1,16 @@
+zendframework (1.11.13-1.1+deb7u5) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Wheezy LTS Team.
+ * CVE-2016-4861
+ The implementation of ORDER BY and GROUP BY in Zend_Db_Select
+ remained prone to SQL injection when a combination of SQL
+ expressions and comments were used. This security patch provides
+ a comprehensive solution that identifies and removes comments
+ prior to checking validity of the statement to ensure no SQLi
+ vectors occur.
+
+ -- Thorsten Alteholz <debian@alteholz.de> Tue, 27 Sep 2016 18:33:02 +0200
+
zendframework (1.11.13-1.1+deb7u4) wheezy-security; urgency=high
* Backport security fixes from 1.12.16
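Review bot: the new entry names the CVE and summarises the fix but, unlike the deb7u4 entry directly below it ("Backport security fixes from 1.12.16"), does not say which upstream release or commit 0015-CVE-2016-4861.patch was taken from; adding that reference would let testers cross-check the backport against upstream.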
diff -u zendframework-1.11.13/debian/patches/series zendframework-1.11.13/debian/patches/series
--- zendframework-1.11.13/debian/patches/series
+++ zendframework-1.11.13/debian/patches/series
@@ -14,0 +15 @@
+0015-CVE-2016-4861.patch
only in patch2:
unchanged:
--- zendframework-1.11.13.orig/debian/patches/0015-CVE-2016-4861.patch
+++ zendframework-1.11.13/debian/patches/0015-CVE-2016-4861.patch
@@ -0,0 +1,50 @@
+Index: zendframework-1.11.13/library/Zend/Db/Select.php
+===================================================================
+--- zendframework-1.11.13.orig/library/Zend/Db/Select.php 2016-09-26 19:38:45.000000000 +0200
++++ zendframework-1.11.13/library/Zend/Db/Select.php 2016-09-26 19:38:45.000000000 +0200
+@@ -81,6 +81,23 @@
+ const SQL_ASC = 'ASC';
+ const SQL_DESC = 'DESC';
+
++ // @see http://stackoverflow.com/a/13823184/2028814
++ const REGEX_SQL_COMMENTS = '@
++ (([\'"]).*?[^\\\]\2) # $1 : Skip single & double quoted expressions
++ |( # $3 : Match comments
++ (?:\#|--).*?$ # - Single line comments
++ | # - Multi line (nested) comments
++ /\* # . comment open marker
++ (?: [^/*] # . non comment-marker characters
++ |/(?!\*) # . ! not a comment open
++ |\*(?!/) # . ! not a comment close
++ |(?R) # . recursive case
++ )* # . repeat eventually
++ \*\/ # . comment close marker
++ )\s* # Trim after comments
++ |(?<=;)\s+ # Trim after semi-colon
++ @msx';
++
+ /**
+ * Bind variables for query
+ *
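Review bot: REGEX_SQL_COMMENTS depends on PCRE recursion ("(?R)") and on the x modifier, so the "#" annotations inside the string are pattern comments that run to the end of their line; please check that the line breaks inside the constant survived the backport (this mailing-list copy has flattened the indentation), because if two lines were joined an annotation would swallow the following alternative. A short note above the constant saying that it is only used to pre-process the value before validation, not to rewrite the emitted SQL, would also help the next reader.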
+@@ -509,7 +526,9 @@
+ }
+
+ foreach ($spec as $val) {
+- if (preg_match('/\(.*\)/', (string) $val)) {
++ // Remove comments from SQL statement
++ $noComments = preg_replace(self::REGEX_SQL_COMMENTS, '$1', (string) $val);
++ if (preg_match(self::REGEX_COLUMN_EXPR_GROUP, $noComments)) {
+ $val = new Zend_Db_Expr($val);
+ }
+ $this->_parts[self::GROUP][] = $val;
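Review bot: "if (preg_match(self::REGEX_COLUMN_EXPR_GROUP, $noComments))" references a class constant that this patch never defines (the next hunk does the same with REGEX_COLUMN_EXPR_ORDER); the only constant added is REGEX_SQL_COMMENTS, and the code being replaced used an inline pattern ("/\(.*\)/"), which suggests 1.11.13 does not carry these constants. Unless an earlier patch in the series defines them, this path will fail with an undefined class constant. Please confirm they exist in the patched tree and, if not, add both constants to the first hunk, anchored with ^ and $ as the ORDER path's old pattern was. Separately, the check runs on $noComments while "$val = new Zend_Db_Expr($val);" wraps the original $val, comments included, so the string emitted differs from the string validated; a comment stating that this is intended would be worthwhile.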
+@@ -601,7 +620,9 @@
+ $val = trim($matches[1]);
+ $direction = $matches[2];
+ }
+- if (preg_match('/^[\w]*\(.*\)$/', $val)) {
++ // Remove comments from SQL statement
++ $noComments = preg_replace(self::REGEX_SQL_COMMENTS, '$1', (string) $val);
++ if (preg_match(self::REGEX_COLUMN_EXPR_ORDER, $noComments)) {
+ $val = new Zend_Db_Expr($val);
+ }
+ $this->_parts[self::ORDER][] = array($val, $direction);
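Review bot: the old ORDER check "/^[\w]*\(.*\)$/" was anchored on the whole string whereas the old GROUP check "/\(.*\)/" was not; now that both paths go through the new constants, please confirm that REGEX_COLUMN_EXPR_ORDER and REGEX_COLUMN_EXPR_GROUP both anchor on ^ and $, since the fix relies on the comment-stripped value being a complete expression rather than merely containing parentheses. The "(string)" cast on $val is redundant where $val came from "trim($matches[1])" but harmless.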