Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
As agreed with the security team, I’d like to backport the fix for another potential insufficient-entropy vulnerability that has already been fixed upstream in zendframework (ZF2016-01).
The fix also gets rid of the openssl_random_pseudo_bytes() call introduced by the previous ZF2015-09 fix, and I also included a fix for a regression (binary data corruption) in the CVE-2015-7695 (ZF2015-08) patch; that regression was introduced in DSA-3369-1.
Please find attached the proposed debdiff for Wheezy, it’s pretty
similar to the one from #821042.
zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium
* Fix regression from ZF2015-08: binary data corruption
* Backport security fix from 1.12.18:
- ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
http://framework.zend.com/security/advisory/ZF2016-01
Regards
David
diff -u zendframework-1.11.13/debian/changelog zendframework-1.11.13/debian/changelog
--- zendframework-1.11.13/debian/changelog
+++ zendframework-1.11.13/debian/changelog
@@ -1,6 +1,15 @@
+zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium
+
+ * Fix regression from ZF2015-08: binary data corruption
+ * Backport security fix from 1.12.18:
+ - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
+ http://framework.zend.com/security/advisory/ZF2016-01
+
+ -- David Prévot <taf...@debian.org> Wed, 13 Apr 2016 16:34:02 -0400
+
zendframework (1.11.13-1.1+deb7u5) wheezy; urgency=medium
- * Backport security fix from 1.12.17
+ * Backport security fix from 1.12.17:
- ZF2015-09: Fixed entropy issue in word CAPTCHA
http://framework.zend.com/security/advisory/ZF2015-09
@@ -8,7 +17,7 @@
zendframework (1.11.13-1.1+deb7u4) wheezy-security; urgency=high
- * Backport security fixes from 1.12.16
+ * Backport security fixes from 1.12.16:
- ZF2015-07: Filesystem Permissions Issues in Multiple Components
http://framework.zend.com/security/advisory/ZF2015-07
[CVE-2015-5723]
diff -u zendframework-1.11.13/debian/patches/series zendframework-1.11.13/debian/patches/series
--- zendframework-1.11.13/debian/patches/series
+++ zendframework-1.11.13/debian/patches/series
@@ -15,0 +16 @@
+0016-Fixed-the-rand-usage.patch
diff -u zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
--- zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
+++ zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
@@ -5,37 +5,31 @@
This addresses the same issue as found in ZF2014-06, but within the PDO MsSql
adapter. Additionally, it fixes transaction tests for that adapter.
-Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2
+Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416
---
- library/Zend/Db/Adapter/Pdo/Abstract.php | 3 +-
- library/Zend/Db/Adapter/Pdo/Mssql.php | 2 +-
- tests/TestConfiguration.php.dist | 5 ++--
- tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 47 +++++++-------------------------
- tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++++++
- tests/Zend/Db/Adapter/TestCommon.php | 5 ++--
+ library/Zend/Db/Adapter/Pdo/Abstract.php | 1 -
+ library/Zend/Db/Adapter/Pdo/Mssql.php | 19 +++++++++--
+ library/Zend/Db/Adapter/Pdo/Sqlite.php | 14 ++++++++
+ tests/TestConfiguration.php.dist | 5 +--
+ tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 58 ++++++++++++--------------------
+ tests/Zend/Db/Adapter/Pdo/MysqlTest.php | 13 +++++--
+ tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 10 ++++++
+ tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++++++
+ tests/Zend/Db/Adapter/TestCommon.php | 5 ++-
tests/Zend/Db/TestUtil/Pdo/Mssql.php | 4 ++-
- 7 files changed, 31 insertions(+), 45 deletions(-)
+ 10 files changed, 91 insertions(+), 48 deletions(-)
diff --git a/library/Zend/Db/Adapter/Pdo/Abstract.php b/library/Zend/Db/Adapter/Pdo/Abstract.php
-index 95f3734..8fde066 100644
+index 95f3734..d718255 100644
--- a/library/Zend/Db/Adapter/Pdo/Abstract.php
+++ b/library/Zend/Db/Adapter/Pdo/Abstract.php
-@@ -292,6 +292,8 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
- if (is_int($value) || is_float($value)) {
- return $value;
- }
-+ // Fix for null-byte injection
-+ $value = addcslashes($value, "\000\032");
- $this->_connect();
- return $this->_connection->quote($value);
- }
-@@ -398,4 +400,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
+@@ -398,4 +398,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
}
}
}
-
diff --git a/library/Zend/Db/Adapter/Pdo/Mssql.php b/library/Zend/Db/Adapter/Pdo/Mssql.php
-index 3faf82c..175360f 100644
+index 3faf82c..8665da7 100644
--- a/library/Zend/Db/Adapter/Pdo/Mssql.php
+++ b/library/Zend/Db/Adapter/Pdo/Mssql.php
@@ -410,7 +410,7 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract
@@ -47,6 +41,51 @@
$result = $stmt->fetchAll(Zend_Db::FETCH_NUM);
if (count($result)) {
return $result[0][0];
+@@ -420,4 +420,19 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract
+ return null;
+ }
+ }
+-}
+\ No newline at end of file
++
++ /**
++ * Quote a raw string.
++ *
++ * @param string $value Raw string
++ * @return string Quoted string
++ */
++ protected function _quote($value)
++ {
++ if (!is_int($value) && !is_float($value)) {
++ // Fix for null-byte injection
++ $value = addcslashes($value, "\000\032");
++ }
++ return parent::_quote($value);
++ }
++}
+diff --git a/library/Zend/Db/Adapter/Pdo/Sqlite.php b/library/Zend/Db/Adapter/Pdo/Sqlite.php
+index 02b3e40..3320b1f 100644
+--- a/library/Zend/Db/Adapter/Pdo/Sqlite.php
++++ b/library/Zend/Db/Adapter/Pdo/Sqlite.php
+@@ -294,4 +294,18 @@ class Zend_Db_Adapter_Pdo_Sqlite extends Zend_Db_Adapter_Pdo_Abstract
+ return $sql;
+ }
+
++ /**
++ * Quote a raw string.
++ *
++ * @param string $value Raw string
++ * @return string Quoted string
++ */
++ protected function _quote($value)
++ {
++ if (!is_int($value) && !is_float($value)) {
++ // Fix for null-byte injection
++ $value = addcslashes($value, "\000\032");
++ }
++ return parent::_quote($value);
++ }
+ }
diff --git a/tests/TestConfiguration.php.dist b/tests/TestConfiguration.php.dist
index be8ad15..c534ba2 100644
--- a/tests/TestConfiguration.php.dist
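Review bot: The `_quote` overrides added to Mssql.php and Sqlite.php rewrite NUL and SUB into the literal text `\000`/`\032`, and SQLite string literals have no backslash escapes (T-SQL, to my knowledge, likewise), so a value containing those bytes is altered rather than escaped — the SQLite test added later in this debdiff asserts exactly `'1\000'`. That is presumably the intended trade-off (stopping the C-string truncation behind ZF2014-06/ZF2015-08 at the cost of round-trip fidelity), but the docblock says only "Quote a raw string", so the next reader will take it for a faithful escape. I would state it in both overrides: `// NOTE: this backend has no backslash escapes; NUL/SUB become the literal text \000/\032, so binary values are altered, not preserved.` Both method bodies are fully visible in the hunk; Zend_Db_Adapter_Pdo_Abstract::_quote, which they delegate to, is not.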
@@ -78,7 +117,7 @@
*/
defined('TESTS_ZEND_HTTP_USERAGENT_WURFL_LIB_DIR') || define('TESTS_ZEND_HTTP_USERAGENT_WURFL_LIB_DIR', false);
diff --git a/tests/Zend/Db/Adapter/Pdo/MssqlTest.php b/tests/Zend/Db/Adapter/Pdo/MssqlTest.php
-index 60ea18a..17cd37a 100644
+index 60ea18a..db80f28 100644
--- a/tests/Zend/Db/Adapter/Pdo/MssqlTest.php
+++ b/tests/Zend/Db/Adapter/Pdo/MssqlTest.php
@@ -211,11 +211,13 @@ class Zend_Db_Adapter_Pdo_MssqlTest extends Zend_Db_Adapter_Pdo_TestCommon
@@ -172,6 +211,71 @@
}
/**
+@@ -388,6 +361,17 @@ class Zend_Db_Adapter_Pdo_MssqlTest extends Zend_Db_Adapter_Pdo_TestCommon
+ $this->assertArrayHasKey('product_name', $productsTableInfo);
+ }
+
++ /**
++ * test that quote() escapes null byte character
++ * in a string.
++ */
++ public function testAdapterQuoteNullByteCharacter()
++ {
++ $string = "1\0";
++ $value = $this->_db->quote($string);
++ $this->assertEquals("'1\\000'", $value);
++ }
++
+ public function getDriver()
+ {
+ return 'Pdo_Mssql';
+diff --git a/tests/Zend/Db/Adapter/Pdo/MysqlTest.php b/tests/Zend/Db/Adapter/Pdo/MysqlTest.php
+index beb3842..f87244c 100644
+--- a/tests/Zend/Db/Adapter/Pdo/MysqlTest.php
++++ b/tests/Zend/Db/Adapter/Pdo/MysqlTest.php
+@@ -315,7 +315,17 @@ class Zend_Db_Adapter_Pdo_MysqlTest extends Zend_Db_Adapter_Pdo_TestCommon
+ $adapter = new ZendTest_Db_Adapter_Pdo_Mysql(array('dbname' => 'foo', 'charset' => 'XYZ', 'username' => 'bar', 'password' => 'foo'));
+ $this->assertEquals('mysql:dbname=foo;charset=XYZ', $adapter->_dsn());
+ }
+-
++
++ /**
++ * Test that quote() does not alter binary data
++ */
++ public function testBinaryQuoteWithNulls()
++ {
++ $binary = pack("xxx");
++ $value = $this->_db->quote($binary);
++ $this->assertEquals('\'\0\0\0\'', $value);
++ }
++
+ public function getDriver()
+ {
+ return 'Pdo_Mysql';
+@@ -330,4 +340,3 @@ class ZendTest_Db_Adapter_Pdo_Mysql extends Zend_Db_Adapter_Pdo_Mysql
+ return parent::_dsn();
+ }
+ }
+-
+diff --git a/tests/Zend/Db/Adapter/Pdo/SqliteTest.php b/tests/Zend/Db/Adapter/Pdo/SqliteTest.php
+index 6e28f2c..5dc29c7 100644
+--- a/tests/Zend/Db/Adapter/Pdo/SqliteTest.php
++++ b/tests/Zend/Db/Adapter/Pdo/SqliteTest.php
+@@ -200,4 +200,14 @@ class Zend_Db_Adapter_Pdo_SqliteTest extends Zend_Db_Adapter_Pdo_TestCommon
+ return 'Pdo_Sqlite';
+ }
+
++ /**
++ * test that quote() escapes null byte character
++ * in a string.
++ */
++ public function testAdapterQuoteNullByteCharacter()
++ {
++ $string = "1\0";
++ $value = $this->_db->quote($string);
++ $this->assertEquals("'1\\000'", $value);
++ }
+ }
diff --git a/tests/Zend/Db/Adapter/Pdo/TestCommon.php b/tests/Zend/Db/Adapter/Pdo/TestCommon.php
index c6f50b5..1467e8e 100644
--- a/tests/Zend/Db/Adapter/Pdo/TestCommon.php
only in patch2:
unchanged:
--- zendframework-1.11.13.orig/debian/patches/0016-Fixed-the-rand-usage.patch
+++ zendframework-1.11.13/debian/patches/0016-Fixed-the-rand-usage.patch
@@ -0,0 +1,175 @@
+From: Enrico Zimuel <e.zim...@gmail.com>
+Date: Mon, 11 Apr 2016 19:16:32 +0200
+Subject: Fixed the rand usage
+
+Origin: upstream, https://github.com/zendframework/zf1/commit/dbb9c8e1cf9f8ac8dcee89591f73d5a902d50b10
+---
+ library/Zend/Crypt/Math.php | 10 +++++-----
+ library/Zend/Filter/Encrypt/Mcrypt.php | 6 ++++--
+ library/Zend/Form/Element/Hash.php | 8 ++++----
+ library/Zend/Gdata/HttpClient.php | 5 ++++-
+ library/Zend/Ldap/Attribute.php | 7 +++++--
+ library/Zend/OpenId.php | 9 ++++-----
+ 6 files changed, 26 insertions(+), 19 deletions(-)
+
+diff --git a/library/Zend/Crypt/Math.php b/library/Zend/Crypt/Math.php
+index 43f9167..37ff854 100644
+--- a/library/Zend/Crypt/Math.php
++++ b/library/Zend/Crypt/Math.php
+@@ -77,11 +77,8 @@ class Zend_Crypt_Math extends Zend_Crypt_Math_BigInteger
+ if ($length <= 0) {
+ return false;
+ }
+- if (function_exists('openssl_random_pseudo_bytes')) {
+- $bytes = openssl_random_pseudo_bytes($length, $usable);
+- if ($strong === $usable) {
+- return $bytes;
+- }
++ if (function_exists('random_bytes')) { // available in PHP 7
++ return random_bytes($length);
+ }
+ if (function_exists('mcrypt_create_iv')) {
+ $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
+@@ -134,6 +131,9 @@ class Zend_Crypt_Math extends Zend_Crypt_Math_BigInteger
+ 'The supplied range is too great to generate'
+ );
+ }
++ if (function_exists('random_int')) { // available in PHP 7
++ return random_int($min, $max);
++ }
+ // calculate number of bits required to store range on this machine
+ $r = $range;
+ $bits = 0;
+diff --git a/library/Zend/Filter/Encrypt/Mcrypt.php b/library/Zend/Filter/Encrypt/Mcrypt.php
+index 01d919c..cb32839 100644
+--- a/library/Zend/Filter/Encrypt/Mcrypt.php
++++ b/library/Zend/Filter/Encrypt/Mcrypt.php
+@@ -24,6 +24,9 @@
+ */
+ require_once 'Zend/Filter/Encrypt/Interface.php';
+
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+ * Encryption adapter for mcrypt
+ *
+@@ -355,9 +358,8 @@ class Zend_Filter_Encrypt_Mcrypt implements Zend_Filter_Encrypt_Interface
+ if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
+ return;
+ }
+-
+ if (!self::$_srandCalled) {
+- srand((double) microtime() * 1000000);
++ srand(Zend_Crypt_Math::randInteger(0, PHP_INT_MAX));
+ self::$_srandCalled = true;
+ }
+ }
+diff --git a/library/Zend/Form/Element/Hash.php b/library/Zend/Form/Element/Hash.php
+index 6e11239..aff129e 100644
+--- a/library/Zend/Form/Element/Hash.php
++++ b/library/Zend/Form/Element/Hash.php
+@@ -22,6 +22,9 @@
+ /** Zend_Form_Element_Xhtml */
+ require_once 'Zend/Form/Element/Xhtml.php';
+
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+ * CSRF form protection
+ *
+@@ -249,10 +252,7 @@ class Zend_Form_Element_Hash extends Zend_Form_Element_Xhtml
+ protected function _generateHash()
+ {
+ $this->_hash = md5(
+- mt_rand(1,1000000)
+- . $this->getSalt()
+- . $this->getName()
+- . mt_rand(1,1000000)
++ Zend_Crypt_Math::randBytes(32)
+ );
+ $this->setValue($this->_hash);
+ }
+diff --git a/library/Zend/Gdata/HttpClient.php b/library/Zend/Gdata/HttpClient.php
+index cc5cc78..23ecda3 100644
+--- a/library/Zend/Gdata/HttpClient.php
++++ b/library/Zend/Gdata/HttpClient.php
+@@ -25,6 +25,9 @@
+ */
+ require_once 'Zend/Http/Client.php';
+
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+ * Gdata Http Client object.
+ *
+@@ -210,7 +213,7 @@ class Zend_Gdata_HttpClient extends Zend_Http_Client
+ if ($this->getAuthSubPrivateKeyId() != null) {
+ // secure AuthSub
+ $time = time();
+- $nonce = mt_rand(0, 999999999);
++ $nonce = Zend_Crypt_Math::randInteger(0, 999999999);
+ $dataToSign = $method . ' ' . $url . ' ' . $time . ' ' . $nonce;
+
+ // compute signature
+diff --git a/library/Zend/Ldap/Attribute.php b/library/Zend/Ldap/Attribute.php
+index 81080e8..d9984ad 100644
+--- a/library/Zend/Ldap/Attribute.php
++++ b/library/Zend/Ldap/Attribute.php
+@@ -24,6 +24,9 @@
+ */
+ require_once 'Zend/Ldap/Converter.php';
+
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+ * Zend_Ldap_Attribute is a collection of LDAP attribute related functions.
+ *
+@@ -311,7 +314,7 @@ class Zend_Ldap_Attribute
+ }
+ return $password;
+ case self::PASSWORD_HASH_SSHA:
+- $salt = substr(sha1(uniqid(mt_rand(), true), true), 0, 4);
++ $salt = Zend_Crypt_Math::randBytes(4);
+ $rawHash = sha1($password . $salt, true) . $salt;
+ $method = '{SSHA}';
+ break;
+@@ -320,7 +323,7 @@ class Zend_Ldap_Attribute
+ $method = '{SHA}';
+ break;
+ case self::PASSWORD_HASH_SMD5:
+- $salt = substr(sha1(uniqid(mt_rand(), true), true), 0, 4);
++ $salt = Zend_Crypt_Math::randBytes(4);
+ $rawHash = md5($password . $salt, true) . $salt;
+ $method = '{SMD5}';
+ break;
+diff --git a/library/Zend/OpenId.php b/library/Zend/OpenId.php
+index 887668d..5efc7ad 100644
+--- a/library/Zend/OpenId.php
++++ b/library/Zend/OpenId.php
+@@ -25,6 +25,9 @@
+ */
+ require_once "Zend/Controller/Response/Abstract.php";
+
++/** @see Zend_Crypt_Math */
++require_once 'Zend/Crypt/Math.php';
++
+ /**
+ * Static class that contains common utility functions for
+ * {@link Zend_OpenId_Consumer} and {@link Zend_OpenId_Provider}.
+@@ -470,11 +473,7 @@ class Zend_OpenId
+ */
+ static public function randomBytes($len)
+ {
+- $key = '';
+- for($i=0; $i < $len; $i++) {
+- $key .= chr(mt_rand(0, 255));
+- }
+- return $key;
++ return (string) Zend_Crypt_Math::randBytes($len);
+ }
+
+ /**
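Review bot: `Zend_Form_Element_Hash::_generateHash` feeds `Zend_Crypt_Math::randBytes(32)` straight into `md5()`, and randBytes returns `false` on at least one path (the `$length <= 0` guard at the top of the function; its remaining fallbacks lie outside this hunk), so a failed read would silently produce the constant `md5('')` as the CSRF token. `Zend_OpenId::randomBytes` has the same shape: `(string) false` is `''`, i.e. an empty nonce. I would fail closed in the CSRF element: `$bytes = Zend_Crypt_Math::randBytes(32);` / `if ($bytes === false || strlen($bytes) !== 32) { throw new RuntimeException('Unable to generate a random CSRF token'); }` / `$this->_hash = md5($bytes);`. Separately, `random_bytes()` throws rather than returning `false` when no CSPRNG is available, so the return contract of randBytes now differs between the PHP 7 branch and the older fallbacks; a one-line comment next to `// available in PHP 7` saying so would spare callers a surprise.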