Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, As agreed with the security team, I’d like to fix another potential entropy vulnerability that has been fixed upstream in zendframework (ZF2016-01). The fix also gets rid of the openssl_random_pseudo_bytes() call introduced by the previous ZF2015-09 fix, and I also added a fix for the regression (binary data corruption) introduced by the CVE-2015-7695 (ZF2015-08) patch shipped in DSA-3369-1. Please find attached the proposed debdiff for Jessie (a similar request for Wheezy follows); the changelog entry is: zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium * Fix regression from ZF2015-08: binary data corruption * Backport security fix from 1.12.18: - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1 http://framework.zend.com/security/advisory/ZF2016-01 Regards David
diff -Nru zendframework-1.12.9+dfsg/debian/changelog zendframework-1.12.9+dfsg/debian/changelog
--- zendframework-1.12.9+dfsg/debian/changelog	2015-11-24 18:25:30.000000000 -0400
+++ zendframework-1.12.9+dfsg/debian/changelog	2016-04-13 17:12:29.000000000 -0400
@@ -1,6 +1,15 @@
+zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium
+
+  * Fix regression from ZF2015-08: binary data corruption
+  * Backport security fix from 1.12.18:
+    - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
+      http://framework.zend.com/security/advisory/ZF2016-01
+
+ -- David Pr�t <taffit@debian.org>  Wed, 13 Apr 2016 16:37:00 -0400
+
 zendframework (1.12.9+dfsg-2+deb8u5) jessie; urgency=medium
 
-  * Backport security fix from 1.12.17
+  * Backport security fix from 1.12.17:
     - ZF2015-09: Fixed entropy issue in word CAPTCHA
       http://framework.zend.com/security/advisory/ZF2015-09
 
diff -Nru zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
--- zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch	2015-11-24 18:18:19.000000000 -0400
+++ zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch	2016-04-13 17:12:29.000000000 -0400
@@ -5,37 +5,31 @@
 This addresses the same issue as found in ZF2014-06, but within the PDO
 MsSql adapter. Additionally, it fixes transaction tests for that adapter.
 
-Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2
+Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416
 ---
- library/Zend/Db/Adapter/Pdo/Abstract.php |  3 +-
- library/Zend/Db/Adapter/Pdo/Mssql.php    |  2 +-
- tests/TestConfiguration.php.dist         |  5 ++--
- tests/Zend/Db/Adapter/Pdo/MssqlTest.php  | 47 +++++++------------------------
- tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++++++
- tests/Zend/Db/Adapter/TestCommon.php     |  5 ++--
+ library/Zend/Db/Adapter/Pdo/Abstract.php |  1 -
+ library/Zend/Db/Adapter/Pdo/Mssql.php    | 17 +++++++++-
+ library/Zend/Db/Adapter/Pdo/Sqlite.php   | 14 ++++++++
+ tests/TestConfiguration.php.dist         |  5 +--
+ tests/Zend/Db/Adapter/Pdo/MssqlTest.php  | 58 ++++++++++++--------------------
+ tests/Zend/Db/Adapter/Pdo/MysqlTest.php  | 13 +++++--
+ tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 11 ++++++
+ tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++++++
+ tests/Zend/Db/Adapter/TestCommon.php     |  5 ++-
  tests/Zend/Db/TestUtil/Pdo/Mssql.php     |  4 ++-
- 7 files changed, 31 insertions(+), 45 deletions(-)
+ 10 files changed, 91 insertions(+), 47 deletions(-)
 
 diff --git a/library/Zend/Db/Adapter/Pdo/Abstract.php b/library/Zend/Db/Adapter/Pdo/Abstract.php
-index 84a76f3..7699d7a 100644
+index 84a76f3..e12b602 100644
 --- a/library/Zend/Db/Adapter/Pdo/Abstract.php
 +++ b/library/Zend/Db/Adapter/Pdo/Abstract.php
-@@ -292,6 +292,8 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
-         if (is_int($value) || is_float($value)) {
-             return $value;
-         }
-+        // Fix for null-byte injection
-+        $value = addcslashes($value, "\000\032");
-         $this->_connect();
-         return $this->_connection->quote($value);
-     }
-@@ -398,4 +400,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
+@@ -398,4 +398,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
          }
      }
  }
 -
 diff --git a/library/Zend/Db/Adapter/Pdo/Mssql.php b/library/Zend/Db/Adapter/Pdo/Mssql.php
-index e3d8c7a..8a8d306 100644
+index e3d8c7a..6081887 100644
 --- a/library/Zend/Db/Adapter/Pdo/Mssql.php
 +++ b/library/Zend/Db/Adapter/Pdo/Mssql.php
 @@ -410,7 +410,7 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract
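Review bot: The patch description kept as context at the top of this hunk still says the fix is "within the PDO MsSql adapter", while the hunk now drops the `addcslashes()` call from `Zend_Db_Adapter_Pdo_Abstract::_quote()` (the removed lines under `-@@ -292,6 +292,8 @@`) and the diffstat adds `Pdo/Sqlite.php`. After this change only adapters that override `_quote()` escape NUL and 0x1A; every other PDO adapter relies on the driver's own `quote()`, which is what the MySQL binary-data regression required. I would add one line to the description so the scoping decision survives the next rebase: `The escaping is applied only in the MsSql and Sqlite adapters; the base PDO adapter delegates to PDO::quote() unchanged so binary data is not altered on other drivers.` The patch header (From/Subject lines) starts before this hunk.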
@@ -47,6 +41,49 @@
          $result = $stmt->fetchAll(Zend_Db::FETCH_NUM);
          if (count($result)) {
              return $result[0][0];
+@@ -420,4 +420,19 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract
+         return null;
+     }
+ }
++
++    /**
++     * Quote a raw string.
++     *
++     * @param string $value Raw string
++     * @return string Quoted string
++     */
++    protected function _quote($value)
++    {
++        if (!is_int($value) && !is_float($value)) {
++            // Fix for null-byte injection
++            $value = addcslashes($value, "\000\032");
++        }
++        return parent::_quote($value);
++    }
+ }
+diff --git a/library/Zend/Db/Adapter/Pdo/Sqlite.php b/library/Zend/Db/Adapter/Pdo/Sqlite.php
+index f035cea..557e6ae 100644
+--- a/library/Zend/Db/Adapter/Pdo/Sqlite.php
++++ b/library/Zend/Db/Adapter/Pdo/Sqlite.php
+@@ -294,4 +294,18 @@ class Zend_Db_Adapter_Pdo_Sqlite extends Zend_Db_Adapter_Pdo_Abstract
+         return $sql;
+     }
+ 
++    /**
++     * Quote a raw string.
++     *
++     * @param string $value Raw string
++     * @return string Quoted string
++     */
++    protected function _quote($value)
++    {
++        if (!is_int($value) && !is_float($value)) {
++            // Fix for null-byte injection
++            $value = addcslashes($value, "\000\032");
++        }
++        return parent::_quote($value);
++    }
+ }
 diff --git a/tests/TestConfiguration.php.dist b/tests/TestConfiguration.php.dist
 index cf6c050..0f95f37 100644
 --- a/tests/TestConfiguration.php.dist
@@ -78,7 +115,7 @@
   */
  defined('TESTS_ZEND_HTTP_USERAGENT_WURFL_LIB_DIR') || define('TESTS_ZEND_HTTP_USERAGENT_WURFL_LIB_DIR', false);
 diff --git a/tests/Zend/Db/Adapter/Pdo/MssqlTest.php b/tests/Zend/Db/Adapter/Pdo/MssqlTest.php
-index 402e048..25800a2 100644
+index 402e048..1364f15 100644
 --- a/tests/Zend/Db/Adapter/Pdo/MssqlTest.php
 +++ b/tests/Zend/Db/Adapter/Pdo/MssqlTest.php
 @@ -211,11 +211,13 @@ class Zend_Db_Adapter_Pdo_MssqlTest extends Zend_Db_Adapter_Pdo_TestCommon
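Review bot: The two new `_quote()` overrides added here for `Pdo/Mssql.php` and `Pdo/Sqlite.php` are byte-for-byte identical and rewrite a NUL into the four-character literal `\000` before `parent::_quote()` ever sees it, so the bytes that reach the database are no longer the caller's bytes; the new `testAdapterQuoteNullByteCharacter` pins exactly that (`'1\000'`), and as far as I know SQLite string literals do not turn an octal escape back into a NUL. That is a deliberate lossy trade against the ZF2014-06 injection, but nothing at the call site says so, which is how the same construct became a regression in the base adapter. I would replace the one-line comment with `// Replace NUL/0x1A with their octal escapes so they cannot terminate the quoted literal; this alters stored bytes for binary values on this adapter.` and consider a single shared helper rather than two copies. The `Zend_Db_Adapter_Pdo_Mssql` class whose context opens this hunk starts before it.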
@@ -172,6 +209,72 @@
      }
  
      /**
+@@ -388,6 +361,17 @@ class Zend_Db_Adapter_Pdo_MssqlTest extends Zend_Db_Adapter_Pdo_TestCommon
+         $this->assertArrayHasKey('product_name', $productsTableInfo);
+     }
+ 
++    /**
++     * test that quote() escapes null byte character
++     * in a string.
++     */
++    public function testAdapterQuoteNullByteCharacter()
++    {
++        $string = "1\0";
++        $value = $this->_db->quote($string);
++        $this->assertEquals("'1\\000'", $value);
++    }
++
+     public function getDriver()
+     {
+         return 'Pdo_Mssql';
+diff --git a/tests/Zend/Db/Adapter/Pdo/MysqlTest.php b/tests/Zend/Db/Adapter/Pdo/MysqlTest.php
+index 6c78835..5c2d623 100644
+--- a/tests/Zend/Db/Adapter/Pdo/MysqlTest.php
++++ b/tests/Zend/Db/Adapter/Pdo/MysqlTest.php
+@@ -315,7 +315,17 @@ class Zend_Db_Adapter_Pdo_MysqlTest extends Zend_Db_Adapter_Pdo_TestCommon
+         $adapter = new ZendTest_Db_Adapter_Pdo_Mysql(array('dbname' => 'foo', 'charset' => 'XYZ', 'username' => 'bar', 'password' => 'foo'));
+         $this->assertEquals('mysql:dbname=foo;charset=XYZ', $adapter->_dsn());
+     }
+-
++
++    /**
++     * Test that quote() does not alter binary data
++     */
++    public function testBinaryQuoteWithNulls()
++    {
++        $binary = pack("xxx");
++        $value = $this->_db->quote($binary);
++        $this->assertEquals('\'\0\0\0\'', $value);
++    }
++
+     public function getDriver()
+     {
+         return 'Pdo_Mysql';
+@@ -330,4 +340,3 @@ class ZendTest_Db_Adapter_Pdo_Mysql extends Zend_Db_Adapter_Pdo_Mysql
+         return parent::_dsn();
+     }
+ }
+-
+diff --git a/tests/Zend/Db/Adapter/Pdo/SqliteTest.php b/tests/Zend/Db/Adapter/Pdo/SqliteTest.php
+index cbb43b2..0867947 100644
+--- a/tests/Zend/Db/Adapter/Pdo/SqliteTest.php
++++ b/tests/Zend/Db/Adapter/Pdo/SqliteTest.php
+@@ -247,4 +247,15 @@ class Zend_Db_Adapter_Pdo_SqliteTest extends Zend_Db_Adapter_Pdo_TestCommon
+         $this->assertTrue($stmt instanceof $stmtClass,
+             'Expecting object of type ' . $stmtClass . ', got ' . get_class($stmt));
+     }
++
++    /**
++     * test that quote() escapes null byte character
++     * in a string.
++     */
++    public function testAdapterQuoteNullByteCharacter()
++    {
++        $string = "1\0";
++        $value = $this->_db->quote($string);
++        $this->assertEquals("'1\\000'", $value);
++    }
+ }
 diff --git a/tests/Zend/Db/Adapter/Pdo/TestCommon.php b/tests/Zend/Db/Adapter/Pdo/TestCommon.php
 index 1fe9fcc..b0e02d3 100644
 --- a/tests/Zend/Db/Adapter/Pdo/TestCommon.php
diff -Nru zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch
--- zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch	1969-12-31 20:00:00.000000000 -0400
+++ zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch	2016-04-13 17:12:29.000000000 -0400
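Review bot: `testAdapterQuoteNullByteCharacter`, added identically to `MssqlTest.php` and `SqliteTest.php` in this hunk, only exercises `"1\0"`, although the `_quote()` override it covers escapes two characters, `\000` and `\032`; the 0x1A case is left untested. I would add a second assertion to each copy, e.g. `$this->assertEquals("'1\\032'", $this->_db->quote("1\x1a"));`, so a regression in the second escape is caught too. `testBinaryQuoteWithNulls` in `MysqlTest.php` is the right regression test for the ZF2015-08 corruption; since the other PDO adapters now rely solely on the driver's `quote()`, the same `pack("xxx")` check belongs in their suites as well. The three test classes start before their respective inner hunks.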
@@ -0,0 +1,175 @@
+From: Enrico Zimuel <e.zimuel@gmail.com>
+Date: Mon, 11 Apr 2016 19:16:32 +0200
+Subject: Fixed the rand usage
+
+Origin: upstream, https://github.com/zendframework/zf1/commit/dbb9c8e1cf9f8ac8dcee89591f73d5a902d50b10
+---
+ library/Zend/Crypt/Math.php            | 10 +++++-----
+ library/Zend/Filter/Encrypt/Mcrypt.php |  6 ++++--
+ library/Zend/Form/Element/Hash.php     |  8 ++++----
+ library/Zend/Gdata/HttpClient.php      |  5 ++++-
+ library/Zend/Ldap/Attribute.php        |  7 +++++--
+ library/Zend/OpenId.php                |  9 ++++-----
+ 6 files changed, 26 insertions(+), 19 deletions(-)
+
+diff --git a/library/Zend/Crypt/Math.php b/library/Zend/Crypt/Math.php
+index 8882259..fed3f75 100644
+--- a/library/Zend/Crypt/Math.php
++++ b/library/Zend/Crypt/Math.php
+@@ -77,11 +77,8 @@ class Zend_Crypt_Math extends Zend_Crypt_Math_BigInteger
+         if ($length <= 0) {
+             return false;
+         }
+-        if (function_exists('openssl_random_pseudo_bytes')) {
+-            $bytes = openssl_random_pseudo_bytes($length, $usable);
+-            if ($strong === $usable) {
+-                return $bytes;
+-            }
++        if (function_exists('random_bytes')) { // available in PHP 7
++            return random_bytes($length);
+         }
+         if (function_exists('mcrypt_create_iv')) {
+             $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
+@@ -134,6 +131,9 @@ class Zend_Crypt_Math extends Zend_Crypt_Math_BigInteger
+                 'The supplied range is too great to generate'
+             );
+         }
++        if (function_exists('random_int')) { // available in PHP 7
++            return random_int($min, $max);
++        }
+         // calculate number of bits required to store range on this machine
+         $r = $range;
+         $bits = 0;
+diff --git a/library/Zend/Filter/Encrypt/Mcrypt.php b/library/Zend/Filter/Encrypt/Mcrypt.php
+index 48d95d8..84dedb6 100644
+--- a/library/Zend/Filter/Encrypt/Mcrypt.php
++++ b/library/Zend/Filter/Encrypt/Mcrypt.php
+@@ -24,6 +24,9 @@
+  */
+ require_once 'Zend/Filter/Encrypt/Interface.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Encryption adapter for mcrypt
+  *
+@@ -355,9 +358,8 @@ class Zend_Filter_Encrypt_Mcrypt implements Zend_Filter_Encrypt_Interface
+         if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
+             return;
+         }
+-
+         if (!self::$_srandCalled) {
+-            srand((double) microtime() * 1000000);
++            srand(Zend_Crypt_Math::randInteger(0, PHP_INT_MAX));
+             self::$_srandCalled = true;
+         }
+     }
+diff --git a/library/Zend/Form/Element/Hash.php b/library/Zend/Form/Element/Hash.php
+index 9cde34d..8fbe9f4 100644
+--- a/library/Zend/Form/Element/Hash.php
++++ b/library/Zend/Form/Element/Hash.php
+@@ -22,6 +22,9 @@
+ /** Zend_Form_Element_Xhtml */
+ require_once 'Zend/Form/Element/Xhtml.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * CSRF form protection
+  *
+@@ -249,10 +252,7 @@ class Zend_Form_Element_Hash extends Zend_Form_Element_Xhtml
+     protected function _generateHash()
+     {
+         $this->_hash = md5(
+-            mt_rand(1,1000000)
+-            . $this->getSalt()
+-            . $this->getName()
+-            . mt_rand(1,1000000)
++            Zend_Crypt_Math::randBytes(32)
+         );
+         $this->setValue($this->_hash);
+     }
+diff --git a/library/Zend/Gdata/HttpClient.php b/library/Zend/Gdata/HttpClient.php
+index b1f3f4e..6a54d88 100644
+--- a/library/Zend/Gdata/HttpClient.php
++++ b/library/Zend/Gdata/HttpClient.php
+@@ -25,6 +25,9 @@
+  */
+ require_once 'Zend/Http/Client.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Gdata Http Client object.
+  *
+@@ -210,7 +213,7 @@ class Zend_Gdata_HttpClient extends Zend_Http_Client
+         if ($this->getAuthSubPrivateKeyId() != null) {
+             // secure AuthSub
+             $time = time();
+-            $nonce = mt_rand(0, 999999999);
++            $nonce = Zend_Crypt_Math::randInteger(0, 999999999);
+             $dataToSign = $method . ' ' . $url . ' ' . $time . ' ' . $nonce;
+ 
+             // compute signature
+diff --git a/library/Zend/Ldap/Attribute.php b/library/Zend/Ldap/Attribute.php
+index 91a2a62..00ec549 100644
+--- a/library/Zend/Ldap/Attribute.php
++++ b/library/Zend/Ldap/Attribute.php
+@@ -24,6 +24,9 @@
+  */
+ require_once 'Zend/Ldap/Converter.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Zend_Ldap_Attribute is a collection of LDAP attribute related functions.
+  *
+@@ -311,7 +314,7 @@ class Zend_Ldap_Attribute
+             }
+             return $password;
+         case self::PASSWORD_HASH_SSHA:
+-            $salt = substr(sha1(uniqid(mt_rand(), true), true), 0, 4);
++            $salt = Zend_Crypt_Math::randBytes(4);
+             $rawHash = sha1($password . $salt, true) . $salt;
+             $method = '{SSHA}';
+             break;
+@@ -320,7 +323,7 @@ class Zend_Ldap_Attribute
+             $method = '{SHA}';
+             break;
+         case self::PASSWORD_HASH_SMD5:
+-            $salt = substr(sha1(uniqid(mt_rand(), true), true), 0, 4);
++            $salt = Zend_Crypt_Math::randBytes(4);
+             $rawHash = md5($password . $salt, true) . $salt;
+             $method = '{SMD5}';
+             break;
+diff --git a/library/Zend/OpenId.php b/library/Zend/OpenId.php
+index 4fc6784..9b732ee 100644
+--- a/library/Zend/OpenId.php
++++ b/library/Zend/OpenId.php
+@@ -25,6 +25,9 @@
+  */
+ require_once "Zend/Controller/Response/Abstract.php";
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Static class that contains common utility functions for
+  * {@link Zend_OpenId_Consumer} and {@link Zend_OpenId_Provider}.
+@@ -474,11 +477,7 @@ class Zend_OpenId
+      */
+     static public function randomBytes($len)
+     {
+-        $key = '';
+-        for($i=0; $i < $len; $i++) {
+-            $key .= chr(mt_rand(0, 255));
+-        }
+-        return $key;
++        return (string) Zend_Crypt_Math::randBytes($len);
+     }
+ 
+     /**
diff -Nru zendframework-1.12.9+dfsg/debian/patches/series zendframework-1.12.9+dfsg/debian/patches/series
--- zendframework-1.12.9+dfsg/debian/patches/series	2015-11-24 18:18:19.000000000 -0400
+++ zendframework-1.12.9+dfsg/debian/patches/series	2016-04-13 17:12:29.000000000 -0400
@@ -6,3 +6,4 @@
 0006-ZF2015-07-Use-umask-of-0002.patch
 0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
 0008-ZF2015-09-Fixed-entropy-issue-in-word-CAPTCHA.patch
+0009-Fixed-the-rand-usage.patch
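Review bot: `Zend_Form_Element_Hash::_generateHash()` and the two LDAP salt lines in `Zend_Ldap_Attribute` now pass the result of `Zend_Crypt_Math::randBytes()` straight into `md5()`/`sha1()` without checking it; the visible head of `randBytes()` returns `false` for a non-positive length, and if any fallback further down (outside this hunk) also returns `false`, the CSRF token degrades to `md5('')`, a constant, and the LDAP salt to an empty string, whereas the replaced `mt_rand()` code could never yield a constant. I would fail closed in the form element, e.g. `$bytes = Zend_Crypt_Math::randBytes(32); if ($bytes === false) { throw new Exception('No random source available for the form hash'); }`, and do the same before each `$salt` assignment. Note also that on jessie's PHP 5.6 neither `random_bytes()` nor `random_int()` exists, so the two new `function_exists()` branches are inert there and the effective entropy source remains the `mcrypt_create_iv()`/fallback chain that continues past the end of the first `Math.php` hunk; `OpenId::randomBytes()` masks a `false` return with `(string)` and so inherits the same silent-empty behaviour. The `randBytes()`/`randInteger()` bodies and every class touched here extend beyond their hunks.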