Bug 13708

Summary: php-ZendFramework new security issue ZF2014-04 (CVE-2014-4914)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, rverschelde, sysadmin-bugs, thomas
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/606172/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok advisory
Source RPM: php-ZendFramework-1.12.5-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-07-09 01:34:24 CEST 
Upstream has posted an advisory:
http://framework.zend.com/security/advisory/ZF2014-04

The issue is fixed upstream in 1.12.7.

CVE request:
http://openwall.com/lists/oss-security/2014/07/08/18

Reproducible: 

Steps to Reproduce:
David Walser 2014-07-09 01:34:30 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Thomas Spuhler 2014-07-10 00:34:40 CEST

Status: NEW => ASSIGNED

Comment 1 Thomas Spuhler 2014-07-10 01:28:05 CEST 
This bug has been resolved by upgrading to ver. 1.12.7
The following pacakges are now in upgrade_testing:

php-ZendFramework-1.12.7-1.mga4.src.rpm
php-ZendFramework-1.12.7-1.mga4.noarch.rpm
php-ZendFramework-demos-1.12.7-1.mga4.noarch.rpm
php-ZendFramework-tests-1.12.7-1.mga4.noarch.rpm
php-ZendFramework-extras-1.12.7-1.mga4.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.7-1.mga4.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.7-1.mga4.noarch.rpm
php-ZendFramework-Captcha-1.12.7-1.mga4.noarch.rpm
php-ZendFramework-Dojo-1.12.7-1.mga4.noarch.rpm
php-ZendFramework-Feed-1.12.7-1.mga4.noarch.rpm
php-ZendFramework-Gdata-1.12.7-1.mga4.noarch.rpm
php-ZendFramework-Pdf-1.12.7-1.mga4.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.7-1.mga4.noarch.rpm
php-ZendFramework-Services-1.12.7-1.mga4.noarch.rpm

and the same packages for mga3

Assigning to to qa

CC: (none) => thomas
Assignee: thomas => qa-bugs

claire robinson 2014-07-10 11:22:25 CEST

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 claire robinson 2014-07-10 17:34:44 CEST 
Some info for testing in bug 6666
Comment 3 claire robinson 2014-07-10 18:38:26 CEST 
Testing complete mga4 64

Needs an advisory David please. No PoC's so just testing zend is still functional.

Followed the procedure here https://bugs.mageia.org/show_bug.cgi?id=6666#c16
It's changed a little so find it updated below.

php-eaccelerator is no longer used so ignore that bit.

If you don't have task-lamp installed already you'll need this first
# urpmi task-lamp

then

# urpmi php-pdo_sqlite # Required for sample app, not Zend-Framework itself
# urpmi -ya php-ZendFramework
# wget https://bugs.mageia.org/attachment.cgi?id=2605 -O Zend.tar.gz
# tar -xf Zend.tar.gz
# cp -r css /var/www/html
# cp -r Zend /var/www/html
# chown -R apache:apache /var/www/html/Zend/data/db
# service httpd start # or restart

Then go to http://127.0.0.1/Zend/public/index.php

Click on guestbook in the top right, and sign the
guestbook.

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 4 David Walser 2014-07-10 18:48:40 CEST 
(In reply to claire robinson from comment #3)
> Needs an advisory David please.

Yep, I know.  I'm waiting for CVE assignments.  For now, refer to the upstream advisory:
http://framework.zend.com/security/advisory/ZF2014-04
Comment 5 David Walser 2014-07-11 18:40:06 CEST 
CVE assignment:
http://www.openwall.com/lists/oss-security/2014/07/11/4

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerability:

The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend
Framework 1 contains a potential SQL injection when the query string passed
contains parentheses (CVE-2014-4914).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914
http://framework.zend.com/security/advisory/ZF2014-04
http://www.openwall.com/lists/oss-security/2014/07/11/4

Summary: php-ZendFramework new security issue ZF2014-04 => php-ZendFramework new security issue ZF2014-04 (CVE-2014-4914)

Comment 6 claire robinson 2014-07-18 17:04:51 CEST 
Testing complete mga4 32 using the procedure in comment 3

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 7 David Walser 2014-07-22 17:26:34 CEST 
Fedora has issued an advisory for this on July 13:
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135671.html

Adding that link to the advisory.

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerability:

The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend
Framework 1 contains a potential SQL injection when the query string passed
contains parentheses (CVE-2014-4914).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914
http://framework.zend.com/security/advisory/ZF2014-04
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135671.html
David Walser 2014-07-22 18:42:19 CEST

URL: (none) => http://lwn.net/Vulnerabilities/606172/

Comment 8 Rémi Verschelde 2014-07-26 11:58:50 CEST 
Advisory uploaded. This still needs to be tested on mga3 before it can be validated.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok advisory

Comment 9 David Walser 2014-08-01 15:49:13 CEST 
Validating this.  See the discussion in the QA meeting:
http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30

Please push this to core/updates for Mageia 3 and Mageia 4.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Rémi Verschelde 2014-08-05 19:55:20 CEST 
Made sure it installs in Mageia 3 32bit.

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok advisory => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok advisory

Comment 11 Colin Guthrie 2014-08-05 22:23:20 CEST 
Update pushed.

http://advisories.mageia.org/MGASA-2014-0311.html

Status: ASSIGNED => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED