Your message dated Sat, 04 Jun 2016 14:57:25 +0100 with message-id <1465048645.7545.11.camel@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 8.5 has caused the Debian Bug report #821042, regarding jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u6 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
821042: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821042
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u6
- From: David Prévot <taffit@debian.org>
- Date: Thu, 14 Apr 2016 18:06:17 -0400
- Message-id: <20160414220617.GA11710@persil.tilapin.org>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, I’d like to fix another potential entropy vulnerability that has been fixed in zendframework. The fix also gets rid of openssl_random_pseudo_bytes() introduced in the previous ZF2015-09 fix, and I also added a regression fix from the CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1).

Please find attached the proposed debdiff for Jessie (a similar request for Wheezy follows), the changelog entry is:

zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium

  * Fix regression from ZF2015-08: binary data corruption
  * Backport security fix from 1.12.18:
    - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
      http://framework.zend.com/security/advisory/ZF2016-01

Regards

David

diff -Nru zendframework-1.12.9+dfsg/debian/changelog zendframework-1.12.9+dfsg/debian/changelog --- zendframework-1.12.9+dfsg/debian/changelog 2015-11-24 18:25:30.000000000 -0400 +++ zendframework-1.12.9+dfsg/debian/changelog 2016-04-13 17:12:29.000000000 -0400
@@ -1,6 +1,15 @@ +zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium + + * Fix regression from ZF2015-08: binary data corruption + * Backport security fix from 1.12.18: + - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1 + http://framework.zend.com/security/advisory/ZF2016-01 + + -- David Pr�t <taffit@debian.org> Wed, 13 Apr 2016 16:37:00 -0400 + zendframework (1.12.9+dfsg-2+deb8u5) jessie; urgency=medium - * Backport security fix from 1.12.17 + * Backport security fix from 1.12.17: - ZF2015-09: Fixed entropy issue in word CAPTCHA http://framework.zend.com/security/advisory/ZF2015-09 diff -Nru zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch --- zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch 2015-11-24 18:18:19.000000000 -0400 +++ zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch 2016-04-13 17:12:29.000000000 -0400 
@@ -5,37 +5,31 @@ This addresses the same issue as found in ZF2014-06, but within the PDO MsSql adapter. Additionally, it fixes transaction tests for that adapter. -Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 +Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416 --- - library/Zend/Db/Adapter/Pdo/Abstract.php | 3 +- - library/Zend/Db/Adapter/Pdo/Mssql.php | 2 +- - tests/TestConfiguration.php.dist | 5 ++-- - tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 47 +++++++------------------------- - tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++++++ - tests/Zend/Db/Adapter/TestCommon.php | 5 ++-- + library/Zend/Db/Adapter/Pdo/Abstract.php | 1 - + library/Zend/Db/Adapter/Pdo/Mssql.php | 17 +++++++++- + library/Zend/Db/Adapter/Pdo/Sqlite.php | 14 ++++++++ + tests/TestConfiguration.php.dist | 5 +-- + tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 58 ++++++++++++-------------------- + tests/Zend/Db/Adapter/Pdo/MysqlTest.php | 13 +++++-- + tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 11 ++++++ + tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++++++ + tests/Zend/Db/Adapter/TestCommon.php | 5 ++- tests/Zend/Db/TestUtil/Pdo/Mssql.php | 4 ++- - 7 files changed, 31 insertions(+), 45 deletions(-) + 10 files changed, 91 insertions(+), 47 deletions(-) diff --git a/library/Zend/Db/Adapter/Pdo/Abstract.php b/library/Zend/Db/Adapter/Pdo/Abstract.php -index 84a76f3..7699d7a 100644 +index 84a76f3..e12b602 100644 --- a/library/Zend/Db/Adapter/Pdo/Abstract.php 
+++ b/library/Zend/Db/Adapter/Pdo/Abstract.php -@@ -292,6 +292,8 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract - if (is_int($value) || is_float($value)) { - return $value; - } -+ // Fix for null-byte injection -+ $value = addcslashes($value, "\000\032"); - $this->_connect(); - return $this->_connection->quote($value); - } -@@ -398,4 +400,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract +@@ -398,4 +398,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract } } } - diff --git a/library/Zend/Db/Adapter/Pdo/Mssql.php b/library/Zend/Db/Adapter/Pdo/Mssql.php -index e3d8c7a..8a8d306 100644 +index e3d8c7a..6081887 100644 --- a/library/Zend/Db/Adapter/Pdo/Mssql.php +++ b/library/Zend/Db/Adapter/Pdo/Mssql.php @@ -410,7 +410,7 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract 
@@ -47,6 +41,49 @@ $result = $stmt->fetchAll(Zend_Db::FETCH_NUM); if (count($result)) { return $result[0][0]; +@@ -420,4 +420,19 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract + return null; + } + } ++ ++ /** ++ * Quote a raw string. ++ * ++ * @param string $value Raw string ++ * @return string Quoted string ++ */ ++ protected function _quote($value) ++ { ++ if (!is_int($value) && !is_float($value)) { ++ // Fix for null-byte injection ++ $value = addcslashes($value, "\000\032"); ++ } ++ return parent::_quote($value); ++ } + } +diff --git a/library/Zend/Db/Adapter/Pdo/Sqlite.php b/library/Zend/Db/Adapter/Pdo/Sqlite.php +index f035cea..557e6ae 100644 +--- a/library/Zend/Db/Adapter/Pdo/Sqlite.php ++++ b/library/Zend/Db/Adapter/Pdo/Sqlite.php +@@ -294,4 +294,18 @@ class Zend_Db_Adapter_Pdo_Sqlite extends Zend_Db_Adapter_Pdo_Abstract + return $sql; + } + ++ /** ++ * Quote a raw string. ++ * ++ * @param string $value Raw string ++ * @return string Quoted string ++ */ ++ protected function _quote($value) ++ { ++ if (!is_int($value) && !is_float($value)) { ++ // Fix for null-byte injection ++ $value = addcslashes($value, "\000\032"); ++ } ++ return parent::_quote($value); ++ } + } diff --git a/tests/TestConfiguration.php.dist b/tests/TestConfiguration.php.dist index cf6c050..0f95f37 100644 --- a/tests/TestConfiguration.php.dist @@ -78,7 +115,7 @@ */ defined('TESTS_ZEND_HTTP_USERAGENT_WURFL_LIB_DIR') || define('TESTS_ZEND_HTTP_USERAGENT_WURFL_LIB_DIR', false); diff --git a/tests/Zend/Db/Adapter/Pdo/MssqlTest.php b/tests/Zend/Db/Adapter/Pdo/MssqlTest.php -index 402e048..25800a2 100644 +index 402e048..1364f15 100644 --- a/tests/Zend/Db/Adapter/Pdo/MssqlTest.php +++ b/tests/Zend/Db/Adapter/Pdo/MssqlTest.php @@ -211,11 +211,13 @@ class Zend_Db_Adapter_Pdo_MssqlTest extends Zend_Db_Adapter_Pdo_TestCommon 
@@ -172,6 +209,72 @@ } /** +@@ -388,6 +361,17 @@ class Zend_Db_Adapter_Pdo_MssqlTest extends Zend_Db_Adapter_Pdo_TestCommon + $this->assertArrayHasKey('product_name', $productsTableInfo); + } + ++ /** ++ * test that quote() escapes null byte character ++ * in a string. ++ */ ++ public function testAdapterQuoteNullByteCharacter() ++ { ++ $string = "1\0"; ++ $value = $this->_db->quote($string); ++ $this->assertEquals("'1\\000'", $value); ++ } ++ + public function getDriver() + { + return 'Pdo_Mssql'; +diff --git a/tests/Zend/Db/Adapter/Pdo/MysqlTest.php b/tests/Zend/Db/Adapter/Pdo/MysqlTest.php +index 6c78835..5c2d623 100644 +--- a/tests/Zend/Db/Adapter/Pdo/MysqlTest.php ++++ b/tests/Zend/Db/Adapter/Pdo/MysqlTest.php +@@ -315,7 +315,17 @@ class Zend_Db_Adapter_Pdo_MysqlTest extends Zend_Db_Adapter_Pdo_TestCommon + $adapter = new ZendTest_Db_Adapter_Pdo_Mysql(array('dbname' => 'foo', 'charset' => 'XYZ', 'username' => 'bar', 'password' => 'foo')); + $this->assertEquals('mysql:dbname=foo;charset=XYZ', $adapter->_dsn()); + } +- ++ ++ /** ++ * Test that quote() does not alter binary data ++ */ ++ public function testBinaryQuoteWithNulls() ++ { ++ $binary = pack("xxx"); ++ $value = $this->_db->quote($binary); ++ $this->assertEquals('\'\0\0\0\'', $value); ++ } ++ + public function getDriver() + { + return 'Pdo_Mysql'; +@@ -330,4 +340,3 @@ class ZendTest_Db_Adapter_Pdo_Mysql extends Zend_Db_Adapter_Pdo_Mysql + return parent::_dsn(); + } + } +- +diff --git a/tests/Zend/Db/Adapter/Pdo/SqliteTest.php b/tests/Zend/Db/Adapter/Pdo/SqliteTest.php +index cbb43b2..0867947 100644 +--- a/tests/Zend/Db/Adapter/Pdo/SqliteTest.php ++++ b/tests/Zend/Db/Adapter/Pdo/SqliteTest.php +@@ -247,4 +247,15 @@ class Zend_Db_Adapter_Pdo_SqliteTest extends Zend_Db_Adapter_Pdo_TestCommon + $this->assertTrue($stmt instanceof $stmtClass, + 'Expecting object of type ' . $stmtClass . ', got ' . get_class($stmt)); + } ++ ++ /** ++ * test that quote() escapes null byte character ++ * in a string. 
++ */ ++ public function testAdapterQuoteNullByteCharacter() ++ { ++ $string = "1\0"; ++ $value = $this->_db->quote($string); ++ $this->assertEquals("'1\\000'", $value); ++ } + } diff --git a/tests/Zend/Db/Adapter/Pdo/TestCommon.php b/tests/Zend/Db/Adapter/Pdo/TestCommon.php index 1fe9fcc..b0e02d3 100644 --- a/tests/Zend/Db/Adapter/Pdo/TestCommon.php diff -Nru zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch --- zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch 1969-12-31 20:00:00.000000000 -0400 +++ zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch 2016-04-13 17:12:29.000000000 -0400 
@@ -0,0 +1,175 @@ +From: Enrico Zimuel <e.zimuel@gmail.com> +Date: Mon, 11 Apr 2016 19:16:32 +0200 +Subject: Fixed the rand usage + +Origin: upstream, https://github.com/zendframework/zf1/commit/dbb9c8e1cf9f8ac8dcee89591f73d5a902d50b10 +--- + library/Zend/Crypt/Math.php | 10 +++++----- + library/Zend/Filter/Encrypt/Mcrypt.php | 6 ++++-- + library/Zend/Form/Element/Hash.php | 8 ++++---- + library/Zend/Gdata/HttpClient.php | 5 ++++- + library/Zend/Ldap/Attribute.php | 7 +++++-- + library/Zend/OpenId.php | 9 ++++----- + 6 files changed, 26 insertions(+), 19 deletions(-) + +diff --git a/library/Zend/Crypt/Math.php b/library/Zend/Crypt/Math.php +index 8882259..fed3f75 100644 +--- a/library/Zend/Crypt/Math.php ++++ b/library/Zend/Crypt/Math.php +@@ -77,11 +77,8 @@ class Zend_Crypt_Math extends Zend_Crypt_Math_BigInteger + if ($length <= 0) { + return false; + } +- if (function_exists('openssl_random_pseudo_bytes')) { +- $bytes = openssl_random_pseudo_bytes($length, $usable); +- if ($strong === $usable) { +- return $bytes; +- } ++ if (function_exists('random_bytes')) { // available in PHP 7 ++ return random_bytes($length); + } + if (function_exists('mcrypt_create_iv')) { + $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM); +@@ -134,6 +131,9 @@ class Zend_Crypt_Math extends Zend_Crypt_Math_BigInteger + 'The supplied range is too great to generate' + ); + } ++ if (function_exists('random_int')) { // available in PHP 7 ++ return random_int($min, $max); ++ } + // calculate number of bits required to store range on this machine + $r = $range; + $bits = 0; +diff --git a/library/Zend/Filter/Encrypt/Mcrypt.php b/library/Zend/Filter/Encrypt/Mcrypt.php +index 48d95d8..84dedb6 100644 +--- a/library/Zend/Filter/Encrypt/Mcrypt.php ++++ b/library/Zend/Filter/Encrypt/Mcrypt.php +@@ -24,6 +24,9 @@ + */ + require_once 'Zend/Filter/Encrypt/Interface.php'; + ++/** @see Zend_Crypt_Math */ ++require_once 'Zend/Crypt/Math.php'; ++ + /** + * Encryption adapter for mcrypt + * +@@ -355,9 
+358,8 @@ class Zend_Filter_Encrypt_Mcrypt implements Zend_Filter_Encrypt_Interface + if (version_compare(PHP_VERSION, '5.3.0', '>=')) { + return; + } +- + if (!self::$_srandCalled) { +- srand((double) microtime() * 1000000); ++ srand(Zend_Crypt_Math::randInteger(0, PHP_INT_MAX)); + self::$_srandCalled = true; + } + } +diff --git a/library/Zend/Form/Element/Hash.php b/library/Zend/Form/Element/Hash.php +index 9cde34d..8fbe9f4 100644 +--- a/library/Zend/Form/Element/Hash.php ++++ b/library/Zend/Form/Element/Hash.php +@@ -22,6 +22,9 @@ + /** Zend_Form_Element_Xhtml */ + require_once 'Zend/Form/Element/Xhtml.php'; + ++/** @see Zend_Crypt_Math */ ++require_once 'Zend/Crypt/Math.php'; ++ + /** + * CSRF form protection + * +@@ -249,10 +252,7 @@ class Zend_Form_Element_Hash extends Zend_Form_Element_Xhtml + protected function _generateHash() + { + $this->_hash = md5( +- mt_rand(1,1000000) +- . $this->getSalt() +- . $this->getName() +- . mt_rand(1,1000000) ++ Zend_Crypt_Math::randBytes(32) + ); + $this->setValue($this->_hash); + } +diff --git a/library/Zend/Gdata/HttpClient.php b/library/Zend/Gdata/HttpClient.php +index b1f3f4e..6a54d88 100644 +--- a/library/Zend/Gdata/HttpClient.php ++++ b/library/Zend/Gdata/HttpClient.php +@@ -25,6 +25,9 @@ + */ + require_once 'Zend/Http/Client.php'; + ++/** @see Zend_Crypt_Math */ ++require_once 'Zend/Crypt/Math.php'; ++ + /** + * Gdata Http Client object. + * +@@ -210,7 +213,7 @@ class Zend_Gdata_HttpClient extends Zend_Http_Client + if ($this->getAuthSubPrivateKeyId() != null) { + // secure AuthSub + $time = time(); +- $nonce = mt_rand(0, 999999999); ++ $nonce = Zend_Crypt_Math::randInteger(0, 999999999); + $dataToSign = $method . ' ' . $url . ' ' . $time . ' ' . 
$nonce; + + // compute signature +diff --git a/library/Zend/Ldap/Attribute.php b/library/Zend/Ldap/Attribute.php +index 91a2a62..00ec549 100644 +--- a/library/Zend/Ldap/Attribute.php ++++ b/library/Zend/Ldap/Attribute.php +@@ -24,6 +24,9 @@ + */ + require_once 'Zend/Ldap/Converter.php'; + ++/** @see Zend_Crypt_Math */ ++require_once 'Zend/Crypt/Math.php'; ++ + /** + * Zend_Ldap_Attribute is a collection of LDAP attribute related functions. + * +@@ -311,7 +314,7 @@ class Zend_Ldap_Attribute + } + return $password; + case self::PASSWORD_HASH_SSHA: +- $salt = substr(sha1(uniqid(mt_rand(), true), true), 0, 4); ++ $salt = Zend_Crypt_Math::randBytes(4); + $rawHash = sha1($password . $salt, true) . $salt; + $method = '{SSHA}'; + break; +@@ -320,7 +323,7 @@ class Zend_Ldap_Attribute + $method = '{SHA}'; + break; + case self::PASSWORD_HASH_SMD5: +- $salt = substr(sha1(uniqid(mt_rand(), true), true), 0, 4); ++ $salt = Zend_Crypt_Math::randBytes(4); + $rawHash = md5($password . $salt, true) . $salt; + $method = '{SMD5}'; + break; +diff --git a/library/Zend/OpenId.php b/library/Zend/OpenId.php +index 4fc6784..9b732ee 100644 +--- a/library/Zend/OpenId.php ++++ b/library/Zend/OpenId.php +@@ -25,6 +25,9 @@ + */ + require_once "Zend/Controller/Response/Abstract.php"; + ++/** @see Zend_Crypt_Math */ ++require_once 'Zend/Crypt/Math.php'; ++ + /** + * Static class that contains common utility functions for + * {@link Zend_OpenId_Consumer} and {@link Zend_OpenId_Provider}. 
+@@ -474,11 +477,7 @@ class Zend_OpenId + */ + static public function randomBytes($len) + { +- $key = ''; +- for($i=0; $i < $len; $i++) { +- $key .= chr(mt_rand(0, 255)); +- } +- return $key; ++ return (string) Zend_Crypt_Math::randBytes($len); + } + + /** diff -Nru zendframework-1.12.9+dfsg/debian/patches/series zendframework-1.12.9+dfsg/debian/patches/series --- zendframework-1.12.9+dfsg/debian/patches/series 2015-11-24 18:18:19.000000000 -0400 +++ zendframework-1.12.9+dfsg/debian/patches/series 2016-04-13 17:12:29.000000000 -0400 @@ -6,3 +6,4 @@ 0006-ZF2015-07-Use-umask-of-0002.patch 0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch 0008-ZF2015-09-Fixed-entropy-issue-in-word-CAPTCHA.patch +0009-Fixed-the-rand-usage.patchAttachment: signature.asc
Description: PGP signature
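Review bot: in the updated 0007-ZF2015-08 patch, the `addcslashes($value, "\000\032")` call moves out of `Zend_Db_Adapter_Pdo_Abstract::_quote()` into two identical `_quote()` overrides in Mssql.php and Sqlite.php, which is what fixes the MySQL binary-data regression (the new `testBinaryQuoteWithNulls` expects PDO's own `'\0\0\0'` escaping to survive untouched). The two overrides are copy-pasted; a shared protected helper in the abstract class, called only by the adapters that opt in, would keep them from drifting, and the docblock of each override should say why only these two drivers need the extra escaping, since the Origin line now cites two upstream commits without explaining the split.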
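Review bot: in the Zend/Crypt/Math.php `randBytes()` hunk (`@@ -77,11 +77,8 @@`), the new `return random_bytes($length);` branch changes the function's failure contract: the visible code returns `false` for `$length <= 0` and the removed openssl branch fell through quietly on a weak result, whereas `random_bytes()` throws an `Exception` when no secure source is available, so callers that test for `false` will not see that case. Either document the exception in the docblock or catch it and fall through to the `mcrypt_create_iv()` branch. The `$strong` parameter is now unused on this path, which is fine because `random_bytes()` is always a CSPRNG, but a one-line comment saying so would help.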
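Review bot: in the `randInteger()` hunk of Zend/Crypt/Math.php (`@@ -134,6 +131,9 @@`), the `random_int()` shortcut is inserted after the `'The supplied range is too great to generate'` check, so on PHP 7 a range the bit-counting fallback cannot handle is still rejected even though `random_int()` could serve it. If keeping identical behaviour across PHP versions is the intent, a comment saying so would save the next reader a question; otherwise move the shortcut above the range check. Like `random_bytes()`, `random_int()` throws on failure rather than returning `false`, which the docblock should mention.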
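Review bot: in the Zend/Filter/Encrypt/Mcrypt.php hunk, `srand(Zend_Crypt_Math::randInteger(0, PHP_INT_MAX))` sits below the `version_compare(PHP_VERSION, '5.3.0', '>=')` early return, so it only runs on PHP older than 5.3 and is dead code on jessie; harmless, but two things are worth checking. First, that a range of `PHP_INT_MAX` does not trip the `'The supplied range is too great to generate'` guard in `randInteger()` on 64-bit builds. Second, that a CSPRNG-seeded `srand()` still leaves `rand()` itself a predictable generator, so nothing security-relevant should be derived from `rand()` afterwards; a short comment on the `srand()` line would cover both.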
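Review bot: in the Zend/Form/Element/Hash.php `_generateHash()` hunk, the CSRF token becomes `md5(Zend_Crypt_Math::randBytes(32))`, so `getSalt()` and `getName()` no longer contribute to the hash. That is an improvement (the token is now derived from 32 bytes of CSPRNG output instead of two `mt_rand(1,1000000)` draws), but the element's salt option becomes a no-op for token generation, and any docblock or manual text stating that the salt feeds the hash should be updated to match.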
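Review bot: in the Zend/OpenId.php `randomBytes()` hunk, `(string) Zend_Crypt_Math::randBytes($len)` casts a `false` return (which the Math.php hunk shows `randBytes()` producing for `$len <= 0`) to the empty string. For non-positive `$len` that matches the removed loop, but if `randBytes()` ever returns `false` for another reason the cast turns it into an empty key without a trace. Prefer checking for `false` explicitly and throwing, or drop the cast so callers see the failure.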
--- End Message ---
--- Begin Message ---
- To: 793984-done@bugs.debian.org, 796823-done@bugs.debian.org, 802331-done@bugs.debian.org, 818549-done@bugs.debian.org, 818908-done@bugs.debian.org, 819284-done@bugs.debian.org, 819444-done@bugs.debian.org, 819658-done@bugs.debian.org, 819758-done@bugs.debian.org, 819797-done@bugs.debian.org, 819801-done@bugs.debian.org, 819912-done@bugs.debian.org, 819933-done@bugs.debian.org, 820059-done@bugs.debian.org, 820101-done@bugs.debian.org, 820175-done@bugs.debian.org, 820193-done@bugs.debian.org, 820241-done@bugs.debian.org, 820403-done@bugs.debian.org, 820502-done@bugs.debian.org, 820540-done@bugs.debian.org, 820589-done@bugs.debian.org, 820945-done@bugs.debian.org, 820995-done@bugs.debian.org, 821042-done@bugs.debian.org, 821205-done@bugs.debian.org, 821326-done@bugs.debian.org, 821835-done@bugs.debian.org, 822229-done@bugs.debian.org, 822481-done@bugs.debian.org, 822487-done@bugs.debian.org, 822854-done@bugs.debian.org, 823430-done@bugs.debian.org, 823433-done@bugs.debian.org, 823496-done@bugs.debian.org, 823609-done@bugs.debian.org, 823678-done@bugs.debian.org, 823752-done@bugs.debian.org, 824484-done@bugs.debian.org, 824859-done@bugs.debian.org, 825087-done@bugs.debian.org, 825202-done@bugs.debian.org, 825205-done@bugs.debian.org, 825221-done@bugs.debian.org, 825226-done@bugs.debian.org, 825232-done@bugs.debian.org, 825259-done@bugs.debian.org, 825260-done@bugs.debian.org, 825512-done@bugs.debian.org, 825523-done@bugs.debian.org, 825530-done@bugs.debian.org, 825533-done@bugs.debian.org
- Subject: Closing bugs for fixes included in 8.5
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 04 Jun 2016 14:57:25 +0100
- Message-id: <1465048645.7545.11.camel@adam-barratt.org.uk>
Version: 8.5

Hi,

The fixes referred to by each of these bugs were included in today's 8.5 point release.

Regards,

Adam
--- End Message ---