
Bug#821042: marked as done (jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u6)



Your message dated Sat, 04 Jun 2016 14:57:25 +0100
with message-id <1465048645.7545.11.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 8.5
has caused the Debian Bug report #821042,
regarding jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
821042: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821042
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, I’d like to fix another potential
entropy vulnerability that has been fixed in zendframework.

The fix also gets rid of openssl_random_pseudo_bytes() introduced in the
previous ZF2015-09 fix, and I also added a regression fix from the
CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1).

Please find attached the proposed debdiff for Jessie (a similar request
for Wheezy follows); the changelog entry is:

zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium

  * Fix regression from ZF2015-08: binary data corruption
  * Backport security fix from 1.12.18:
    - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
      http://framework.zend.com/security/advisory/ZF2016-01

Regards

David
diff -Nru zendframework-1.12.9+dfsg/debian/changelog zendframework-1.12.9+dfsg/debian/changelog
--- zendframework-1.12.9+dfsg/debian/changelog	2015-11-24 18:25:30.000000000 -0400
+++ zendframework-1.12.9+dfsg/debian/changelog	2016-04-13 17:12:29.000000000 -0400
@@ -1,6 +1,15 @@
+zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium
+
+  * Fix regression from ZF2015-08: binary data corruption
+  * Backport security fix from 1.12.18:
+    - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
+      http://framework.zend.com/security/advisory/ZF2016-01
+
+ -- David Pr�t <taffit@debian.org>  Wed, 13 Apr 2016 16:37:00 -0400
+
 zendframework (1.12.9+dfsg-2+deb8u5) jessie; urgency=medium
 
-  * Backport security fix from 1.12.17
+  * Backport security fix from 1.12.17:
     - ZF2015-09: Fixed entropy issue in word CAPTCHA
       http://framework.zend.com/security/advisory/ZF2015-09
 
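Review bot: the first changelog bullet ("Fix regression from ZF2015-08: binary data corruption") does not name CVE-2015-7695 or DSA-3369-1, although the cover letter ties the regression to both; naming them in the entry makes it findable from the CVE tracker. The trailing colon added to the deb8u5 entry is a harmless cosmetic fix.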
diff -Nru zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
--- zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch	2015-11-24 18:18:19.000000000 -0400
+++ zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch	2016-04-13 17:12:29.000000000 -0400
@@ -5,37 +5,31 @@
 This addresses the same issue as found in ZF2014-06, but within the PDO MsSql
 adapter. Additionally, it fixes transaction tests for that adapter.
 
-Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2
+Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416
 ---
- library/Zend/Db/Adapter/Pdo/Abstract.php |  3 +-
- library/Zend/Db/Adapter/Pdo/Mssql.php    |  2 +-
- tests/TestConfiguration.php.dist         |  5 ++--
- tests/Zend/Db/Adapter/Pdo/MssqlTest.php  | 47 +++++++-------------------------
- tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++++++
- tests/Zend/Db/Adapter/TestCommon.php     |  5 ++--
+ library/Zend/Db/Adapter/Pdo/Abstract.php |  1 -
+ library/Zend/Db/Adapter/Pdo/Mssql.php    | 17 +++++++++-
+ library/Zend/Db/Adapter/Pdo/Sqlite.php   | 14 ++++++++
+ tests/TestConfiguration.php.dist         |  5 +--
+ tests/Zend/Db/Adapter/Pdo/MssqlTest.php  | 58 ++++++++++++--------------------
+ tests/Zend/Db/Adapter/Pdo/MysqlTest.php  | 13 +++++--
+ tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 11 ++++++
+ tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++++++
+ tests/Zend/Db/Adapter/TestCommon.php     |  5 ++-
  tests/Zend/Db/TestUtil/Pdo/Mssql.php     |  4 ++-
- 7 files changed, 31 insertions(+), 45 deletions(-)
+ 10 files changed, 91 insertions(+), 47 deletions(-)
 
 diff --git a/library/Zend/Db/Adapter/Pdo/Abstract.php b/library/Zend/Db/Adapter/Pdo/Abstract.php
-index 84a76f3..7699d7a 100644
+index 84a76f3..e12b602 100644
 --- a/library/Zend/Db/Adapter/Pdo/Abstract.php
 +++ b/library/Zend/Db/Adapter/Pdo/Abstract.php
-@@ -292,6 +292,8 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
-         if (is_int($value) || is_float($value)) {
-             return $value;
-         }
-+        // Fix for null-byte injection
-+        $value = addcslashes($value, "\000\032");
-         $this->_connect();
-         return $this->_connection->quote($value);
-     }
-@@ -398,4 +400,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
+@@ -398,4 +398,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
          }
      }
  }
 -
 diff --git a/library/Zend/Db/Adapter/Pdo/Mssql.php b/library/Zend/Db/Adapter/Pdo/Mssql.php
-index e3d8c7a..8a8d306 100644
+index e3d8c7a..6081887 100644
 --- a/library/Zend/Db/Adapter/Pdo/Mssql.php
 +++ b/library/Zend/Db/Adapter/Pdo/Mssql.php
 @@ -410,7 +410,7 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract
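Review bot: the patch description at the top of the hunk still says the null-byte fix lives "within the PDO MsSql adapter", but the new diffstat shows the change being removed from Pdo/Abstract.php and added to both Pdo/Mssql.php and Pdo/Sqlite.php; update the description so the reason for moving the escaping out of the shared base class, namely that it corrupted binary data for the other PDO drivers, is recorded in the patch itself rather than only in the changelog. Listing the second upstream commit on the Origin line is the right way to document the combined backport.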
@@ -47,6 +41,49 @@
              $result = $stmt->fetchAll(Zend_Db::FETCH_NUM);
              if (count($result)) {
                  return $result[0][0];
+@@ -420,4 +420,19 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract
+             return null;
+         }
+     }
++
++    /**
++     * Quote a raw string.
++     *
++     * @param string $value     Raw string
++     * @return string           Quoted string
++     */
++    protected function _quote($value)
++    {
++        if (!is_int($value) && !is_float($value)) {
++            // Fix for null-byte injection
++            $value = addcslashes($value, "\000\032");
++        }
++        return parent::_quote($value);
++    }
+ }
+diff --git a/library/Zend/Db/Adapter/Pdo/Sqlite.php b/library/Zend/Db/Adapter/Pdo/Sqlite.php
+index f035cea..557e6ae 100644
+--- a/library/Zend/Db/Adapter/Pdo/Sqlite.php
++++ b/library/Zend/Db/Adapter/Pdo/Sqlite.php
+@@ -294,4 +294,18 @@ class Zend_Db_Adapter_Pdo_Sqlite extends Zend_Db_Adapter_Pdo_Abstract
+         return $sql;
+     }
+ 
++    /**
++     * Quote a raw string.
++     *
++     * @param string $value     Raw string
++     * @return string           Quoted string
++     */
++    protected function _quote($value)
++    {
++        if (!is_int($value) && !is_float($value)) {
++            // Fix for null-byte injection
++            $value = addcslashes($value, "\000\032");
++        }
++        return parent::_quote($value);
++    }
+ }
 diff --git a/tests/TestConfiguration.php.dist b/tests/TestConfiguration.php.dist
 index cf6c050..0f95f37 100644
 --- a/tests/TestConfiguration.php.dist
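Review bot: the two `_quote()` overrides added to Mssql.php and Sqlite.php are byte-for-byte identical; a single protected helper in Zend_Db_Adapter_Pdo_Abstract called from both would keep them from drifting apart. The `!is_int() && !is_float()` guard duplicates the early return already present in the parent's `_quote()` (visible as context in the removed Abstract.php hunk above), so it is harmless but unnecessary. The docblock on each override should also say that `addcslashes($value, "\000\032")` turns every NUL byte into the four-character text `\000`, since that is a deliberate, data-altering mitigation for drivers that do not escape NUL themselves and must not be copied into adapters whose driver already handles it.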
@@ -78,7 +115,7 @@
   */
  defined('TESTS_ZEND_HTTP_USERAGENT_WURFL_LIB_DIR') || define('TESTS_ZEND_HTTP_USERAGENT_WURFL_LIB_DIR', false);
 diff --git a/tests/Zend/Db/Adapter/Pdo/MssqlTest.php b/tests/Zend/Db/Adapter/Pdo/MssqlTest.php
-index 402e048..25800a2 100644
+index 402e048..1364f15 100644
 --- a/tests/Zend/Db/Adapter/Pdo/MssqlTest.php
 +++ b/tests/Zend/Db/Adapter/Pdo/MssqlTest.php
 @@ -211,11 +211,13 @@ class Zend_Db_Adapter_Pdo_MssqlTest extends Zend_Db_Adapter_Pdo_TestCommon
@@ -172,6 +209,72 @@
      }
  
      /**
+@@ -388,6 +361,17 @@ class Zend_Db_Adapter_Pdo_MssqlTest extends Zend_Db_Adapter_Pdo_TestCommon
+         $this->assertArrayHasKey('product_name', $productsTableInfo);
+     }
+ 
++    /**
++     * test that quote() escapes null byte character
++     * in a string.
++     */
++    public function testAdapterQuoteNullByteCharacter()
++    {
++        $string = "1\0";
++        $value  = $this->_db->quote($string);
++        $this->assertEquals("'1\\000'", $value);
++    }
++
+     public function getDriver()
+     {
+         return 'Pdo_Mssql';
+diff --git a/tests/Zend/Db/Adapter/Pdo/MysqlTest.php b/tests/Zend/Db/Adapter/Pdo/MysqlTest.php
+index 6c78835..5c2d623 100644
+--- a/tests/Zend/Db/Adapter/Pdo/MysqlTest.php
++++ b/tests/Zend/Db/Adapter/Pdo/MysqlTest.php
+@@ -315,7 +315,17 @@ class Zend_Db_Adapter_Pdo_MysqlTest extends Zend_Db_Adapter_Pdo_TestCommon
+         $adapter = new ZendTest_Db_Adapter_Pdo_Mysql(array('dbname' => 'foo', 'charset' => 'XYZ', 'username' => 'bar', 'password' => 'foo'));
+         $this->assertEquals('mysql:dbname=foo;charset=XYZ', $adapter->_dsn());
+     }
+-    
++
++    /**
++     * Test that quote() does not alter binary data
++     */
++    public function testBinaryQuoteWithNulls()
++    {
++        $binary = pack("xxx");
++        $value  = $this->_db->quote($binary);
++        $this->assertEquals('\'\0\0\0\'', $value);
++    }
++
+     public function getDriver()
+     {
+         return 'Pdo_Mysql';
+@@ -330,4 +340,3 @@ class ZendTest_Db_Adapter_Pdo_Mysql extends Zend_Db_Adapter_Pdo_Mysql
+         return parent::_dsn();
+     }
+ }
+-
+diff --git a/tests/Zend/Db/Adapter/Pdo/SqliteTest.php b/tests/Zend/Db/Adapter/Pdo/SqliteTest.php
+index cbb43b2..0867947 100644
+--- a/tests/Zend/Db/Adapter/Pdo/SqliteTest.php
++++ b/tests/Zend/Db/Adapter/Pdo/SqliteTest.php
+@@ -247,4 +247,15 @@ class Zend_Db_Adapter_Pdo_SqliteTest extends Zend_Db_Adapter_Pdo_TestCommon
+         $this->assertTrue($stmt instanceof $stmtClass,
+             'Expecting object of type ' . $stmtClass . ', got ' . get_class($stmt));
+     }
++
++    /**
++     * test that quote() escapes null byte character
++     * in a string.
++     */
++    public function testAdapterQuoteNullByteCharacter()
++    {
++        $string = "1\0";
++        $value  = $this->_db->quote($string);
++        $this->assertEquals("'1\\000'", $value);
++    }
+ }
 diff --git a/tests/Zend/Db/Adapter/Pdo/TestCommon.php b/tests/Zend/Db/Adapter/Pdo/TestCommon.php
 index 1fe9fcc..b0e02d3 100644
 --- a/tests/Zend/Db/Adapter/Pdo/TestCommon.php
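Review bot: the regression test `testBinaryQuoteWithNulls` is added only for Pdo_Mysql, while the base-class `addcslashes()` that caused the corruption affected every PDO adapter; an equivalent binary round-trip test for the remaining adapters would guard against the escaping being reintroduced in Abstract.php. The paired expectations do make the intended split explicit: the Mysql test expects `'\0\0\0'` from the driver's own quoting, whereas the Mssql and Sqlite tests expect the `addcslashes()` form `'1\000'`.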
diff -Nru zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch
--- zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch	1969-12-31 20:00:00.000000000 -0400
+++ zendframework-1.12.9+dfsg/debian/patches/0009-Fixed-the-rand-usage.patch	2016-04-13 17:12:29.000000000 -0400
@@ -0,0 +1,175 @@
+From: Enrico Zimuel <e.zimuel@gmail.com>
+Date: Mon, 11 Apr 2016 19:16:32 +0200
+Subject: Fixed the rand usage
+
+Origin: upstream, https://github.com/zendframework/zf1/commit/dbb9c8e1cf9f8ac8dcee89591f73d5a902d50b10
+---
+ library/Zend/Crypt/Math.php            | 10 +++++-----
+ library/Zend/Filter/Encrypt/Mcrypt.php |  6 ++++--
+ library/Zend/Form/Element/Hash.php     |  8 ++++----
+ library/Zend/Gdata/HttpClient.php      |  5 ++++-
+ library/Zend/Ldap/Attribute.php        |  7 +++++--
+ library/Zend/OpenId.php                |  9 ++++-----
+ 6 files changed, 26 insertions(+), 19 deletions(-)
+
+diff --git a/library/Zend/Crypt/Math.php b/library/Zend/Crypt/Math.php
+index 8882259..fed3f75 100644
+--- a/library/Zend/Crypt/Math.php
++++ b/library/Zend/Crypt/Math.php
+@@ -77,11 +77,8 @@ class Zend_Crypt_Math extends Zend_Crypt_Math_BigInteger
+         if ($length <= 0) {
+             return false;
+         }
+-        if (function_exists('openssl_random_pseudo_bytes')) {
+-            $bytes = openssl_random_pseudo_bytes($length, $usable);
+-            if ($strong === $usable) {
+-                return $bytes;
+-            }
++        if (function_exists('random_bytes')) { // available in PHP 7
++            return random_bytes($length);
+         }
+         if (function_exists('mcrypt_create_iv')) {
+             $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
+@@ -134,6 +131,9 @@ class Zend_Crypt_Math extends Zend_Crypt_Math_BigInteger
+                 'The supplied range is too great to generate'
+             );
+         }
++        if (function_exists('random_int')) { // available in PHP 7
++            return random_int($min, $max);
++        }
+         // calculate number of bits required to store range on this machine
+         $r = $range;
+         $bits = 0;
+diff --git a/library/Zend/Filter/Encrypt/Mcrypt.php b/library/Zend/Filter/Encrypt/Mcrypt.php
+index 48d95d8..84dedb6 100644
+--- a/library/Zend/Filter/Encrypt/Mcrypt.php
++++ b/library/Zend/Filter/Encrypt/Mcrypt.php
+@@ -24,6 +24,9 @@
+  */
+ require_once 'Zend/Filter/Encrypt/Interface.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Encryption adapter for mcrypt
+  *
+@@ -355,9 +358,8 @@ class Zend_Filter_Encrypt_Mcrypt implements Zend_Filter_Encrypt_Interface
+         if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
+             return;
+         }
+-
+         if (!self::$_srandCalled) {
+-            srand((double) microtime() * 1000000);
++            srand(Zend_Crypt_Math::randInteger(0, PHP_INT_MAX));
+             self::$_srandCalled = true;
+         }
+     }
+diff --git a/library/Zend/Form/Element/Hash.php b/library/Zend/Form/Element/Hash.php
+index 9cde34d..8fbe9f4 100644
+--- a/library/Zend/Form/Element/Hash.php
++++ b/library/Zend/Form/Element/Hash.php
+@@ -22,6 +22,9 @@
+ /** Zend_Form_Element_Xhtml */
+ require_once 'Zend/Form/Element/Xhtml.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * CSRF form protection
+  *
+@@ -249,10 +252,7 @@ class Zend_Form_Element_Hash extends Zend_Form_Element_Xhtml
+     protected function _generateHash()
+     {
+         $this->_hash = md5(
+-            mt_rand(1,1000000)
+-            .  $this->getSalt()
+-            .  $this->getName()
+-            .  mt_rand(1,1000000)
++            Zend_Crypt_Math::randBytes(32)
+         );
+         $this->setValue($this->_hash);
+     }
+diff --git a/library/Zend/Gdata/HttpClient.php b/library/Zend/Gdata/HttpClient.php
+index b1f3f4e..6a54d88 100644
+--- a/library/Zend/Gdata/HttpClient.php
++++ b/library/Zend/Gdata/HttpClient.php
+@@ -25,6 +25,9 @@
+  */
+ require_once 'Zend/Http/Client.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Gdata Http Client object.
+  *
+@@ -210,7 +213,7 @@ class Zend_Gdata_HttpClient extends Zend_Http_Client
+             if ($this->getAuthSubPrivateKeyId() != null) {
+                 // secure AuthSub
+                 $time = time();
+-                $nonce = mt_rand(0, 999999999);
++                $nonce = Zend_Crypt_Math::randInteger(0, 999999999);
+                 $dataToSign = $method . ' ' . $url . ' ' . $time . ' ' . $nonce;
+ 
+                 // compute signature
+diff --git a/library/Zend/Ldap/Attribute.php b/library/Zend/Ldap/Attribute.php
+index 91a2a62..00ec549 100644
+--- a/library/Zend/Ldap/Attribute.php
++++ b/library/Zend/Ldap/Attribute.php
+@@ -24,6 +24,9 @@
+  */
+ require_once 'Zend/Ldap/Converter.php';
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Zend_Ldap_Attribute is a collection of LDAP attribute related functions.
+  *
+@@ -311,7 +314,7 @@ class Zend_Ldap_Attribute
+                 }
+                 return $password;
+             case self::PASSWORD_HASH_SSHA:
+-                $salt    = substr(sha1(uniqid(mt_rand(), true), true), 0, 4);
++                $salt    = Zend_Crypt_Math::randBytes(4);
+                 $rawHash = sha1($password . $salt, true) . $salt;
+                 $method  = '{SSHA}';
+                 break;
+@@ -320,7 +323,7 @@ class Zend_Ldap_Attribute
+                 $method  = '{SHA}';
+                 break;
+             case self::PASSWORD_HASH_SMD5:
+-                $salt    = substr(sha1(uniqid(mt_rand(), true), true), 0, 4);
++                $salt    = Zend_Crypt_Math::randBytes(4);
+                 $rawHash = md5($password . $salt, true) . $salt;
+                 $method  = '{SMD5}';
+                 break;
+diff --git a/library/Zend/OpenId.php b/library/Zend/OpenId.php
+index 4fc6784..9b732ee 100644
+--- a/library/Zend/OpenId.php
++++ b/library/Zend/OpenId.php
+@@ -25,6 +25,9 @@
+  */
+ require_once "Zend/Controller/Response/Abstract.php";
+ 
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+  * Static class that contains common utility functions for
+  * {@link Zend_OpenId_Consumer} and {@link Zend_OpenId_Provider}.
+@@ -474,11 +477,7 @@ class Zend_OpenId
+      */
+     static public function randomBytes($len)
+     {
+-        $key = '';
+-        for($i=0; $i < $len; $i++) {
+-            $key .= chr(mt_rand(0, 255));
+-        }
+-        return $key;
++        return (string) Zend_Crypt_Math::randBytes($len);
+     }
+ 
+     /**
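Review bot: the DEP-3 header of the new patch (From/Date/Subject/Origin at the top of the hunk) does not reference ZF2016-01, although the changelog credits the patch to that advisory; add the advisory URL so the patch can be traced without the changelog. Two smaller points in the same hunk: the `srand(Zend_Crypt_Math::randInteger(0, PHP_INT_MAX))` change in Zend_Filter_Encrypt_Mcrypt sits below an early `return` for PHP >= 5.3.0, so on jessie it is unreachable and will never be exercised; and the `(string)` cast in `Zend_OpenId::randomBytes()` relies on `randBytes()` returning `false` for `$length <= 0` to preserve the old empty-string result, which deserves a comment. Preferring `random_bytes()`/`random_int()` over `openssl_random_pseudo_bytes()`, and replacing `mt_rand()` in the CSRF hash, the LDAP salts and the AuthSub nonce, is the right direction.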
diff -Nru zendframework-1.12.9+dfsg/debian/patches/series zendframework-1.12.9+dfsg/debian/patches/series
--- zendframework-1.12.9+dfsg/debian/patches/series	2015-11-24 18:18:19.000000000 -0400
+++ zendframework-1.12.9+dfsg/debian/patches/series	2016-04-13 17:12:29.000000000 -0400
@@ -6,3 +6,4 @@
 0006-ZF2015-07-Use-umask-of-0002.patch
 0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
 0008-ZF2015-09-Fixed-entropy-issue-in-word-CAPTCHA.patch
+0009-Fixed-the-rand-usage.patch



--- End Message ---
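As an added illustration (not code from the debdiff or from Zend Framework) of the regression the first changelog bullet refers to: applying `addcslashes()` in the shared PDO base class changes binary values, while confining it to the Mssql and Sqlite adapters, as the updated patch 0007 does, leaves other drivers' data intact. `driverQuote()`, `quoteBase()`, `quoteAdapter()` and `unquote()` are constructed stand-ins, not framework APIs; `driverQuote()` only doubles single quotes in place of `PDO::quote()`.

```php
<?php
// Added illustration, not code from the debdiff or from Zend Framework.
// It contrasts the deb8u5 form of patch 0007 (addcslashes() in the shared
// PDO base class) with the deb8u6 form (addcslashes() only in the MsSql
// and SQLite adapters). driverQuote() is a constructed stand-in for
// PDO::quote() that only doubles single quotes; the adapter names are
// the ones returned by the patch's getDriver() helpers.

function driverQuote(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// deb8u5 behaviour: every PDO adapter escaped NUL (0x00) and SUB (0x1A)
// before the driver saw the string.
function quoteBase(string $value): string
{
    return driverQuote(addcslashes($value, "\000\032"));
}

// deb8u6 behaviour: only the adapters whose driver does not escape NUL
// itself apply addcslashes(); the rest pass the bytes through unchanged.
function quoteAdapter(string $value, string $adapter): string
{
    if (in_array($adapter, ['Pdo_Mssql', 'Pdo_Sqlite'], true)) {
        $value = addcslashes($value, "\000\032");
    }
    return driverQuote($value);
}

// Undo driverQuote() to inspect the bytes the driver would receive.
function unquote(string $quoted): string
{
    return str_replace("''", "'", substr($quoted, 1, -1));
}

// Constructed input: three NUL bytes, as in testBinaryQuoteWithNulls.
$binary = pack('xxx');

foreach ([
    'deb8u5, any adapter' => unquote(quoteBase($binary)),
    'deb8u6, Pdo_Mysql'   => unquote(quoteAdapter($binary, 'Pdo_Mysql')),
    'deb8u6, Pdo_Mssql'   => unquote(quoteAdapter($binary, 'Pdo_Mssql')),
] as $label => $received) {
    // A driver that does not decode backslash escapes stores exactly
    // these bytes, so any difference from $binary is silent corruption.
    printf("%-20s %-28s %s\n", $label, bin2hex($received),
        $received === $binary ? 'binary intact' : 'binary altered');
}
```

Running it shows the base-class escaping altering the bytes for every adapter, the Mysql path leaving them intact, and the Mssql path altering them by design, which is the split the new test hunks assert.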
--- Begin Message ---
Version: 8.5

Hi,

The fixes referred to by each of these bugs were included in today's 8.5
point release.

Regards,

Adam

--- End Message ---
