Bug 16828

Summary: php-ZendFramework, php-ZendFramework2 new security issues ZF2015-07 (CVE-2015-5723) and ZF2015-08 (CVE-2015-7695)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: brtians1, davidwhodgins, guillomovitch, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/658458/
Whiteboard: has_procedure advisory MGA5-32-OK
Source RPM: php-ZendFramework-1.12.15-1.mga5.src.rpm, php-ZendFramework2-2.4.7-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-09-25 19:59:28 CEST 
Upstream has issued advisories on September 15:
http://framework.zend.com/security/advisory/ZF2015-07
http://framework.zend.com/security/advisory/ZF2015-08

The issues are fixed in 1.12.16 and 2.4.8.

Fedora has issued an advisory for this today (September 25):
https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167698.html

Mageia 5 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-09-25 19:59:43 CEST

CC: (none) => guillomovitch
Whiteboard: (none) => MGA5TOO

Comment 1 Thomas Spuhler 2015-09-26 17:11:00 CEST 
Zendframework has been obsoleted in cauldron. Only needs fix in mga5
Comment 2 Thomas Spuhler 2015-09-26 17:34:43 CEST 
Resolved for mga5.
These updated packages are now in updates_testing 
php-ZendFramework-1.12.16-1.mga5.src.rpm
php-ZendFramework-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-demos-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-tests-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-extras-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Cache-Backend-Apc-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Cache-Backend-Memcached-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Captcha-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Dojo-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Feed-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Gdata-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Pdf-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Search-Lucene-1.12.16-1.mga5.noarch.rpm
php-ZendFramework-Services-1.12.16-1.mga5.noarch.rpm

maintainer of php-ZendFramework2 please assign to QA when done

Status: NEW => ASSIGNED

Comment 3 Thomas Spuhler 2015-09-27 18:04:30 CEST 
Re-assigning to maintainer of ZendFramework2

Assignee: thomas => guillomovitch

Comment 4 David Walser 2015-09-30 16:11:21 CEST 
CVE request fo rZF2015-08:
http://openwall.com/lists/oss-security/2015/09/30/6
Comment 5 David Walser 2015-10-02 12:29:28 CEST 
Updated packages uploaded for Mageia 5 and Cauldron.

Testing procedures in Bug 16624.

Advisory:
========================

Updated php-ZendFramework and php-ZendFramework2 packages fix security
vulnerabilities:

Zend Framework contained several instances where it was using incorrect
permissions masks, which could lead to local privilege escalation issues
(CVE-2015-5723).

The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL
statements. A PDO adapter can treat null bytes in a query as a string
terminator, allowing an attacker to add arbitrary SQL following a null byte,
and thus create a SQL injection (ZF2015-08).

Note that the ZF2015-08 issue did not affect Zend Framework 2.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5723
http://framework.zend.com/security/advisory/ZF2015-07
http://framework.zend.com/security/advisory/ZF2015-08
https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167698.html
========================

Updated packages in core/updates_testing:
========================
php-ZendFramework-1.12.16-1.mga5
php-ZendFramework-demos-1.12.16-1.mga5
php-ZendFramework-tests-1.12.16-1.mga5
php-ZendFramework-extras-1.12.16-1.mga5
php-ZendFramework-Cache-Backend-Apc-1.12.16-1.mga5
php-ZendFramework-Cache-Backend-Memcached-1.12.16-1.mga5
php-ZendFramework-Captcha-1.12.16-1.mga5
php-ZendFramework-Dojo-1.12.16-1.mga5
php-ZendFramework-Feed-1.12.16-1.mga5
php-ZendFramework-Gdata-1.12.16-1.mga5
php-ZendFramework-Pdf-1.12.16-1.mga5
php-ZendFramework-Search-Lucene-1.12.16-1.mga5
php-ZendFramework-Services-1.12.16-1.mga5
php-ZendFramework2-2.4.8-1.mga5
php-ZendFramework2-Authentication-2.4.8-1.mga5
php-ZendFramework2-Barcode-2.4.8-1.mga5
php-ZendFramework2-Cache-2.4.8-1.mga5
php-ZendFramework2-Captcha-2.4.8-1.mga5
php-ZendFramework2-Code-2.4.8-1.mga5
php-ZendFramework2-Config-2.4.8-1.mga5
php-ZendFramework2-Console-2.4.8-1.mga5
php-ZendFramework2-Crypt-2.4.8-1.mga5
php-ZendFramework2-Db-2.4.8-1.mga5
php-ZendFramework2-Debug-2.4.8-1.mga5
php-ZendFramework2-Di-2.4.8-1.mga5
php-ZendFramework2-Dom-2.4.8-1.mga5
php-ZendFramework2-Escaper-2.4.8-1.mga5
php-ZendFramework2-EventManager-2.4.8-1.mga5
php-ZendFramework2-Feed-2.4.8-1.mga5
php-ZendFramework2-File-2.4.8-1.mga5
php-ZendFramework2-Filter-2.4.8-1.mga5
php-ZendFramework2-Form-2.4.8-1.mga5
php-ZendFramework2-Http-2.4.8-1.mga5
php-ZendFramework2-I18n-2.4.8-1.mga5
php-ZendFramework2-InputFilter-2.4.8-1.mga5
php-ZendFramework2-Json-2.4.8-1.mga5
php-ZendFramework2-Ldap-2.4.8-1.mga5
php-ZendFramework2-Loader-2.4.8-1.mga5
php-ZendFramework2-Log-2.4.8-1.mga5
php-ZendFramework2-Mail-2.4.8-1.mga5
php-ZendFramework2-Math-2.4.8-1.mga5
php-ZendFramework2-Memory-2.4.8-1.mga5
php-ZendFramework2-Mime-2.4.8-1.mga5
php-ZendFramework2-ModuleManager-2.4.8-1.mga5
php-ZendFramework2-Mvc-2.4.8-1.mga5
php-ZendFramework2-Navigation-2.4.8-1.mga5
php-ZendFramework2-Paginator-2.4.8-1.mga5
php-ZendFramework2-Permissions-Acl-2.4.8-1.mga5
php-ZendFramework2-Permissions-Rbac-2.4.8-1.mga5
php-ZendFramework2-ProgressBar-2.4.8-1.mga5
php-ZendFramework2-Serializer-2.4.8-1.mga5
php-ZendFramework2-Server-2.4.8-1.mga5
php-ZendFramework2-ServiceManager-2.4.8-1.mga5
php-ZendFramework2-Session-2.4.8-1.mga5
php-ZendFramework2-Soap-2.4.8-1.mga5
php-ZendFramework2-Stdlib-2.4.8-1.mga5
php-ZendFramework2-Tag-2.4.8-1.mga5
php-ZendFramework2-Test-2.4.8-1.mga5
php-ZendFramework2-Text-2.4.8-1.mga5
php-ZendFramework2-Uri-2.4.8-1.mga5
php-ZendFramework2-Validator-2.4.8-1.mga5
php-ZendFramework2-Version-2.4.8-1.mga5
php-ZendFramework2-View-2.4.8-1.mga5
php-ZendFramework2-XmlRpc-2.4.8-1.mga5
php-ZendFramework2-ZendXml-2.4.8-1.mga5

from SRPMS
php-ZendFramework-1.12.16-1.mga5.src.rpm
php-ZendFramework2-2.4.8-1.mga5.src.rpm

Version: Cauldron => 5
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA5TOO => has_procedure

Dave Hodgins 2015-10-07 00:29:42 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory

Comment 6 David Walser 2015-10-07 18:10:40 CEST 
LWN reference for ZF2015-08:
http://lwn.net/Vulnerabilities/659755/

Debian has issued an advisory for this on October 6:
https://www.debian.org/security/2015/dsa-3369
Comment 7 Brian Rockwell 2015-10-08 23:10:24 CEST 
installed php-zendFramework2-2.4.8.1 series.  All installed properly.

Ran Galette installation again, seemed to install most of the way as usual and the screens all worked.

CC: (none) => brtians1
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK

Dave Hodgins 2015-10-09 00:30:58 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-10-09 20:48:52 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0391.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2015-10-12 20:41:20 CEST 
(In reply to David Walser from comment #6)
> LWN reference for ZF2015-08:
> http://lwn.net/Vulnerabilities/659755/
> 
> Debian has issued an advisory for this on October 6:
> https://www.debian.org/security/2015/dsa-3369

CVE-2015-7695 has been assigned for this:
http://openwall.com/lists/oss-security/2015/10/11/3

Summary: php-ZendFramework, php-ZendFramework2 new security issues ZF2015-07 (CVE-2015-5723) and ZF2015-08 => php-ZendFramework, php-ZendFramework2 new security issues ZF2015-07 (CVE-2015-5723) and ZF2015-08 (CVE-2015-7695)