
Bug#821042: jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u6



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, I’d like to fix another potential
entropy vulnerability in zendframework.

The fix also gets rid of openssl_random_pseudo_bytes() introduced in the
previous ZF2015-09 fix, and I also added a regression fix from the
CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1).

Please find attached the proposed debdiff for Jessie (a similar request
for Wheezy follows), the changelog entry is:

zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium

  * Fix regression from ZF2015-08: binary data corruption
  * Backport security fix from 1.12.18:
    - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
      http://framework.zend.com/security/advisory/ZF2016-01

Regards

David
diff -Nru zendframework-1.12.9+dfsg/debian/changelog zendframework-1.12.9+dfsg/debian/changelog
--- zendframework-1.12.9+dfsg/debian/changelog	2015-11-24 18:25:30.000000000 -0400
+++ zendframework-1.12.9+dfsg/debian/changelog	2016-04-13 17:12:29.000000000 -0400
@@ -1,6 +1,15 @@
+zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium
+
+  * Fix regression from ZF2015-08: binary data corruption
+  * Backport security fix from 1.12.18:
+    - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
+      http://framework.zend.com/security/advisory/ZF2016-01
+
+ -- David Pr�t <taffit@debian.org>  Wed, 13 Apr 2016 16:37:00 -0400
+
 zendframework (1.12.9+dfsg-2+deb8u5) jessie; urgency=medium
 
-  * Backport security fix from 1.12.17
+  * Backport security fix from 1.12.17:
     - ZF2015-09: Fixed entropy issue in word CAPTCHA
       http://framework.zend.com/security/advisory/ZF2015-09
 
diff -Nru zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
--- zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch	2015-11-24 18:18:19.000000000 -0400
+++ zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch	2016-04-13 17:12:29.000000000 -0400
@@ -5,37 +5,31 @@
 This addresses the same issue as found in ZF2014-06, but within the PDO MsSql
 adapter. Additionally, it fixes transaction tests for that adapter.
 
-Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2
+Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416
 ---
- library/Zend/Db/Adapter/Pdo/Abstract.php |  3 +-
- library/Zend/Db/Adapter/Pdo/Mssql.php    |  2 +-
- tests/TestConfiguration.php.dist         |  5 ++--
- tests/Zend/Db/Adapter/Pdo/MssqlTest.php  | 47 +++++++-------------------------
- tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++++++
- tests/Zend/Db/Adapter/TestCommon.php     |  5 ++--
+ library/Zend/Db/Adapter/Pdo/Abstract.php |  1 -
+ library/Zend/Db/Adapter/Pdo/Mssql.php    | 17 +++++++++-
+ library/Zend/Db/Adapter/Pdo/Sqlite.php   | 14 ++++++++
+ tests/TestConfiguration.php.dist         |  5 +--
+ tests/Zend/Db/Adapter/Pdo/MssqlTest.php  | 58 ++++++++++++--------------------
+ tests/Zend/Db/Adapter/Pdo/MysqlTest.php  | 13 +++++--
+ tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 11 ++++++
+ tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++++++
+ tests/Zend/Db/Adapter/TestCommon.php     |  5 ++-
  tests/Zend/Db/TestUtil/Pdo/Mssql.php     |  4 ++-
- 7 files changed, 31 insertions(+), 45 deletions(-)
+ 10 files changed, 91 insertions(+), 47 deletions(-)
 
 diff --git a/library/Zend/Db/Adapter/Pdo/Abstract.php b/library/Zend/Db/Adapter/Pdo/Abstract.php
-index 84a76f3..7699d7a 100644
+index 84a76f3..e12b602 100644
 --- a/library/Zend/Db/Adapter/Pdo/Abstract.php
 +++ b/library/Zend/Db/Adapter/Pdo/Abstract.php
-@@ -292,6 +292,8 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
-         if (is_int($value) || is_float($value)) {
-             return $value;
-         }
-+        // Fix for null-byte injection
-+        $value = addcslashes($value, "\000\032");
-         $this->_connect();
-         return $this->_connection->quote($value);
-     }
-@@ -398,4 +400,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
+@@ -398,4 +398,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
          }
      }
  }
 -
 diff --git a/library/Zend/Db/Adapter/Pdo/Mssql.php b/library/Zend/Db/Adapter/Pdo/Mssql.php
-index e3d8c7a..8a8d306 100644
+index e3d8c7a..6081887 100644
 --- a/library/Zend/Db/Adapter/Pdo/Mssql.php
 +++ b/library/Zend/Db/Adapter/Pdo/Mssql.php
 @@ -410,7 +410,7 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract
@@ -47,6 +41,49 @@
              $result = $stmt->fetchAll(Zend_Db::FETCH_NUM);
              if (count($result)) {
                  return $result[0][0];
+@@ -420,4 +420,19 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract
+             return null;
+         }
+     }
++
++    /**
++     * Quote a raw string.
++     *
++     * @param string $value     Raw string
++     * @return string           Quoted string
++     */
++    protected function _quote($value)
++    {
++        if (!is_int($value) && !is_float($value)) {
++            // Fix for null-byte injection
++            $value = addcslashes($value, "\000\032");
++        }
++        return parent::_quote($value);
++    }
+ }
+diff --git a/library/Zend/Db/Adapter/Pdo/Sqlite.php b/library/Zend/Db/Adapter/Pdo/Sqlite.php
+index f035cea..557e6ae 100644
+--- a/library/Zend/Db/Adapter/Pdo/Sqlite.php
++++ b/library/Zend/Db/Adapter/Pdo/Sqlite.php
+@@ -294,4 +294,18 @@ class Zend_Db_Adapter_Pdo_Sqlite extends Zend_Db_Adapter_Pdo_Abstract
+         return $sql;
+     }
+ 
++    /**
++     * Quote a raw string.
++     *
++     * @param string $value     Raw string
++     * @return string           Quoted string
++     */
++    protected function _quote($value)
++    {
++        if (!is_int($value) && !is_float($value)) {
++            // Fix for null-byte injection
++            $value = addcslashes($value, "\000\032");
++        }
++        return parent::_quote($value);
++    }
+ }
 diff --git a/tests/TestConfiguration.php.dist b/tests/TestConfiguration.php.dist
 index cf6c050..0f95f37 100644
 --- a/tests/TestConfiguration.php.dist
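Review bot: The `// Fix for null-byte injection` comment on the two new `_quote` overrides (Mssql.php and Sqlite.php in this patch) does not say what the escaping produces or why it moved out of `Zend_Db_Adapter_Pdo_Abstract`. `addcslashes($value, "\000\032")` replaces NUL and SUB with the literal four-character sequences `\000` and `\032`, and the new `testAdapterQuoteNullByteCharacter` assertions (`"'1\\000'"`) show that sequence survives `quote()` as-is, so the value handed to the engine differs from the input; that is the trade-off for blocking NUL truncation. Per the changelog entry and the new `testBinaryQuoteWithNulls` in MysqlTest, applying the same pre-escaping in the base class corrupted binary data for drivers whose own `PDO::quote` escapes backslashes, which is presumably why the override is now limited to these two adapters. I would replace the comment with `// Replace NUL/SUB with the literal C escapes \000/\032 to block null-byte truncation; kept adapter-local because drivers that escape backslashes themselves (e.g. MySQL) would double-escape and corrupt binary data`. The two method bodies are byte-identical, which is acceptable for a backport that mirrors upstream, but the patch header could say so.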
@@ -78,7 +115,7 @@
   */
  defined('TESTS_ZEND_HTTP_USERAGENT_WURFL_LIB_DIR') || define('TESTS_ZEND_HTTP_USERAGENT_WURFL_LIB_DIR', false);
 diff --git a/tests/Zend/Db/Adapter/Pdo/MssqlTest.php b/tests/Zend/Db/Adapter/Pdo/MssqlTest.php
-index 402e048..25800a2 100644
+index 402e048..1364f15 100644
 --- a/tests/Zend/Db/Adapter/Pdo/MssqlTest.php
 +++ b/tests/Zend/Db/Adapter/Pdo/MssqlTest.php
 @@ -211,11 +211,13 @@ class Zend_Db_Adapter_Pdo_MssqlTest extends Zend_Db_Adapter_Pdo_TestCommon
@@ -172,6 +209,72 @@
      }
  
      /**
+@@ -388,6 +361,17 @@ class Zend_Db_Adapter_Pdo_MssqlTest extends Zend_Db_Adapter_Pdo_TestCommon
+         $this->assertArrayHasKey('product_name', $productsTableInfo);
+     }
+ 
++    /**
++     * test that quote() escapes null byte character
++     * in a string.
++     */
++    public function testAdapterQuoteNullByteCharacter()
++    {
++        $string = "1\0";
++        $value  = $this->_db->quote($string);
++        $this->assertEquals("'1\\000'", $value);
++    }
++
+     public function getDriver()
+     {
+         return 'Pdo_Mssql';
+diff --git a/tests/Zend/Db/Adapter/Pdo/MysqlTest.php b/tests/Zend/Db/Adapter/Pdo/MysqlTest.php
+index 6c78835..5c2d623 100644
+--- a/tests/Zend/Db/Adapter/Pdo/MysqlTest.php
++++ b/tests/Zend/Db/Adapter/Pdo/MysqlTest.php
+@@ -315,7 +315,17 @@ class Zend_Db_Adapter_Pdo_MysqlTest extends Zend_Db_Adapter_Pdo_TestCommon
+         $adapter = new ZendTest_Db_Adapter_Pdo_Mysql(array('dbname' => 'foo', 'charset' => 'XYZ', 'username' => 'bar', 'password' => 'foo'));
+         $this->assertEquals('mysql:dbname=foo;charset=XYZ', $adapter->_dsn());
+     }
+-    
++
++    /**
++     * Test that quote() does not alter binary data
++     */
++    public function testBinaryQuoteWithNulls()
++    {
++        $binary = pack("xxx");
++        $value  = $this->_db->quote($binary);
++        $this->assertEquals('\'\0\0\0\'', $value);
++    }
++
+     public function getDriver()
+     {
+         return 'Pdo_Mysql';
+@@ -330,4 +340,3 @@ class ZendTest_Db_Adapter_Pdo_Mysql extends Zend_Db_Adapter_Pdo_Mysql
+         return parent::_dsn();
+     }
+ }
+-
+diff --git a/tests/Zend/Db/Adapter/Pdo/SqliteTest.php b/tests/Zend/Db/Adapter/Pdo/SqliteTest.php
+index cbb43b2..0867947 100644
+--- a/tests/Zend/Db/Adapter/Pdo/SqliteTest.php
++++ b/tests/Zend/Db/Adapter/Pdo/SqliteTest.php
+@@ -247,4 +247,15 @@ class Zend_Db_Adapter_Pdo_SqliteTest extends Zend_Db_Adapter_Pdo_TestCommon
+         $this->assertTrue($stmt instanceof $stmtClass,
+             'Expecting object of type ' . $stmtClass . ', got ' . get_class($stmt));
+     }
++
++    /**
++     * test that quote() escapes null byte character
++     * in a string.
++     */
++    public function testAdapterQuoteNullByteCharacter()
++    {
++        $string = "1\0";
++        $value  = $this->_db->quote($string);
++        $this->assertEquals("'1\\000'", $value);
++    }
+ }
 diff --git a/tests/Zend/Db/Adapter/Pdo/TestCommon.php b/tests/Zend/Db/Adapter/Pdo/TestCommon.php
 index 1fe9fcc..b0e02d3 100644
 --- a/tests/Zend/Db/Adapter/Pdo/TestCommon.php
diff -Nru zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch
--- zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch	1969-12-31 20:00:00.000000000 -0400
+++ zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch	2016-04-13 17:12:29.000000000 -0400
@@ -0,0 +1,175 @@
+From: Enrico Zimuel <e.zimuel@gmail.com>
+Date: Mon, 11 Apr 2016 19:16:32 +0200
+Subject: Fixed the rand usage
+
+Origin: upstream, https://github.com/zendframework/zf1/commit/dbb9c8e1cf9f8ac8dcee89591f73d5a902d50b10
+---
+ library/Zend/Crypt/Math.php            | 10 +++++-----
+ library/Zend/Filter/Encrypt/Mcrypt.php |  6 ++++--
+ library/Zend/Form/Element/Hash.php     |  8 ++++----
+ library/Zend/Gdata/HttpClient.php      |  5 ++++-
+ library/Zend/Ldap/Attribute.php        |  7 +++++--
+ library/Zend/OpenId.php                |  9 ++++-----
+ 6 files changed, 26 insertions(+), 19 deletions(-)
+
+diff --git a/library/Zend/Crypt/Math.php b/library/Zend/Crypt/Math.php
+index 8882259..fed3f75 100644
+--- a/library/Zend/Crypt/Math.php
++++ b/library/Zend/Crypt/Math.php
+@@ -77,11 +77,8 @@ class Zend_Crypt_Math extends Zend_Crypt_Math_BigInteger
+         if ($length <= 0) {
+             return false;
+         }
+-        if (function_exists('openssl_random_pseudo_bytes')) {
+-            $bytes = openssl_random_pseudo_bytes($length, $usable);
+-            if ($strong === $usable) {
+-                return $bytes;
+-            }
++        if (function_exists('random_bytes')) { // available in PHP 7
++            return random_bytes($length);
+         }
+         if (function_exists('mcrypt_create_iv')) {
+             $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
+@@ -134,6 +131,9 @@ class Zend_Crypt_Math extends Zend_Crypt_Math_BigInteger
+                 'The supplied range is too great to generate'
+             );
+         }
++        if (function_exists('random_int')) { // available in PHP 7
++            return random_int($min, $max);
++        }
+         // calculate number of bits required to store range on this machine
+         $r = $range;
+         $bits = 0;
+diff --git a/library/Zend/Filter/Encrypt/Mcrypt.php b/library/Zend/Filter/Encrypt/Mcrypt.php
+index 48d95d8..84dedb6 100644
+--- a/library/Zend/Filter/Encrypt/Mcrypt.php
++++ b/library/Zend/Filter/Encrypt/Mcrypt.php
+@@ -24,6 +24,9 @@
+  */
+ require_once 'Zend/Filter/Encrypt/Interface.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Encryption adapter for mcrypt
+  *
+@@ -355,9 +358,8 @@ class Zend_Filter_Encrypt_Mcrypt implements Zend_Filter_Encrypt_Interface
+         if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
+             return;
+         }
+-
+         if (!self::$_srandCalled) {
+-            srand((double) microtime() * 1000000);
++            srand(Zend_Crypt_Math::randInteger(0, PHP_INT_MAX));
+             self::$_srandCalled = true;
+         }
+     }
+diff --git a/library/Zend/Form/Element/Hash.php b/library/Zend/Form/Element/Hash.php
+index 9cde34d..8fbe9f4 100644
+--- a/library/Zend/Form/Element/Hash.php
++++ b/library/Zend/Form/Element/Hash.php
+@@ -22,6 +22,9 @@
+ /** Zend_Form_Element_Xhtml */
+ require_once 'Zend/Form/Element/Xhtml.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * CSRF form protection
+  *
+@@ -249,10 +252,7 @@ class Zend_Form_Element_Hash extends Zend_Form_Element_Xhtml
+     protected function _generateHash()
+     {
+         $this->_hash = md5(
+-            mt_rand(1,1000000)
+-            .  $this->getSalt()
+-            .  $this->getName()
+-            .  mt_rand(1,1000000)
++            Zend_Crypt_Math::randBytes(32)
+         );
+         $this->setValue($this->_hash);
+     }
+diff --git a/library/Zend/Gdata/HttpClient.php b/library/Zend/Gdata/HttpClient.php
+index b1f3f4e..6a54d88 100644
+--- a/library/Zend/Gdata/HttpClient.php
++++ b/library/Zend/Gdata/HttpClient.php
+@@ -25,6 +25,9 @@
+  */
+ require_once 'Zend/Http/Client.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Gdata Http Client object.
+  *
+@@ -210,7 +213,7 @@ class Zend_Gdata_HttpClient extends Zend_Http_Client
+             if ($this->getAuthSubPrivateKeyId() != null) {
+                 // secure AuthSub
+                 $time = time();
+-                $nonce = mt_rand(0, 999999999);
++                $nonce = Zend_Crypt_Math::randInteger(0, 999999999);
+                 $dataToSign = $method . ' ' . $url . ' ' . $time . ' ' . $nonce;
+ 
+                 // compute signature
+diff --git a/library/Zend/Ldap/Attribute.php b/library/Zend/Ldap/Attribute.php
+index 91a2a62..00ec549 100644
+--- a/library/Zend/Ldap/Attribute.php
++++ b/library/Zend/Ldap/Attribute.php
+@@ -24,6 +24,9 @@
+  */
+ require_once 'Zend/Ldap/Converter.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Zend_Ldap_Attribute is a collection of LDAP attribute related functions.
+  *
+@@ -311,7 +314,7 @@ class Zend_Ldap_Attribute
+                 }
+                 return $password;
+             case self::PASSWORD_HASH_SSHA:
+-                $salt    = substr(sha1(uniqid(mt_rand(), true), true), 0, 4);
++                $salt    = Zend_Crypt_Math::randBytes(4);
+                 $rawHash = sha1($password . $salt, true) . $salt;
+                 $method  = '{SSHA}';
+                 break;
+@@ -320,7 +323,7 @@ class Zend_Ldap_Attribute
+                 $method  = '{SHA}';
+                 break;
+             case self::PASSWORD_HASH_SMD5:
+-                $salt    = substr(sha1(uniqid(mt_rand(), true), true), 0, 4);
++                $salt    = Zend_Crypt_Math::randBytes(4);
+                 $rawHash = md5($password . $salt, true) . $salt;
+                 $method  = '{SMD5}';
+                 break;
+diff --git a/library/Zend/OpenId.php b/library/Zend/OpenId.php
+index 4fc6784..9b732ee 100644
+--- a/library/Zend/OpenId.php
++++ b/library/Zend/OpenId.php
+@@ -25,6 +25,9 @@
+  */
+ require_once "Zend/Controller/Response/Abstract.php";
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Static class that contains common utility functions for
+  * {@link Zend_OpenId_Consumer} and {@link Zend_OpenId_Provider}.
+@@ -474,11 +477,7 @@ class Zend_OpenId
+      */
+     static public function randomBytes($len)
+     {
+-        $key = '';
+-        for($i=0; $i < $len; $i++) {
+-            $key .= chr(mt_rand(0, 255));
+-        }
+-        return $key;
++        return (string) Zend_Crypt_Math::randBytes($len);
+     }
+ 
+     /**
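Review bot: The new `random_bytes()` branch in `Zend_Crypt_Math::randBytes` throws an `Exception` when no secure randomness source is available, a failure mode the `return false` guard just above it does not share, and none of the new callers in this patch (`Zend_Form_Element_Hash::_generateHash`, `Zend_Ldap_Attribute`, `Zend_OpenId::randomBytes`) catches it. Failing closed is the right behaviour for a CSPRNG wrapper, but it should be stated in the `randBytes` PHPDoc, which lies above the hunk: `@throws Exception if no secure randomness source is available (PHP 7 random_bytes())`. The `(string)` cast in `Zend_OpenId::randomBytes` correctly preserves the old empty-string result for `$len <= 0`, since `randBytes` returns `false` there. In Mcrypt.php, seeding with `srand(Zend_Crypt_Math::randInteger(0, PHP_INT_MAX))` only runs below PHP 5.3 and yields an unpredictably seeded `rand()`, not a cryptographically strong generator, so a one-line comment such as `// seeds rand() from the CSPRNG; rand() output itself remains non-cryptographic` would keep readers from mistaking it for a CSPRNG path.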
diff -Nru zendframework-1.12.9+dfsg/debian/patches/series zendframework-1.12.9+dfsg/debian/patches/series
--- zendframework-1.12.9+dfsg/debian/patches/series	2015-11-24 18:18:19.000000000 -0400
+++ zendframework-1.12.9+dfsg/debian/patches/series	2016-04-13 17:12:29.000000000 -0400
@@ -6,3 +6,4 @@
 0006-ZF2015-07-Use-umask-of-0002.patch
 0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
 0008-ZF2015-09-Fixed-entropy-issue-in-word-CAPTCHA.patch
+0009-Fixed-the-rand-usage.patch

Attachment: signature.asc
Description: PGP signature

