Bug 20049

Summary: php-ZendFramework2 new security issue CVE-2016-10034
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/710482/
Whiteboard: has_procedure mga5-32-ok advisory mga5-64-ok
Source RPM: php-ZendFramework2-2.4.9-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-12-30 22:42:13 CET 
Upstream has issued an advisory on December 20:
https://framework.zend.com/security/advisory/ZF2016-04

The issue is fixed in 2.4.11:
https://framework.zend.com/blog/2016-12-20-zf-2-4-11-released.html

It was assigned CVE-2016-10034:
http://openwall.com/lists/oss-security/2016/12/30/2

Freeze push requested for Cauldron; update checked into Mageia 5 SVN.

Advisory for future update below.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=18259#c32

Advisory:
========================

Updated php-ZendFramework2 packages fix security vulnerability:

When using the zend-mail component to send email via the
Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject
arbitrary parameters to the system sendmail program. The attack is performed
by providing additional quote characters within an address; when unsanitized,
they can be interpreted as additional command line arguments, leading to the
vulnerability (CVE-2016-10034).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10034
https://framework.zend.com/security/advisory/ZF2016-04
https://framework.zend.com/blog/2016-12-20-zf-2-4-11-released.html
http://openwall.com/lists/oss-security/2016/12/30/2
========================

Updated packages in core/updates_testing:
========================
php-ZendFramework2-2.4.11-1.mga5
php-ZendFramework2-Authentication-2.4.11-1.mga5
php-ZendFramework2-Barcode-2.4.11-1.mga5
php-ZendFramework2-Cache-2.4.11-1.mga5
php-ZendFramework2-Captcha-2.4.11-1.mga5
php-ZendFramework2-Code-2.4.11-1.mga5
php-ZendFramework2-Config-2.4.11-1.mga5
php-ZendFramework2-Console-2.4.11-1.mga5
php-ZendFramework2-Crypt-2.4.11-1.mga5
php-ZendFramework2-Db-2.4.11-1.mga5
php-ZendFramework2-Debug-2.4.11-1.mga5
php-ZendFramework2-Di-2.4.11-1.mga5
php-ZendFramework2-Dom-2.4.11-1.mga5
php-ZendFramework2-Escaper-2.4.11-1.mga5
php-ZendFramework2-EventManager-2.4.11-1.mga5
php-ZendFramework2-Feed-2.4.11-1.mga5
php-ZendFramework2-File-2.4.11-1.mga5
php-ZendFramework2-Filter-2.4.11-1.mga5
php-ZendFramework2-Form-2.4.11-1.mga5
php-ZendFramework2-Http-2.4.11-1.mga5
php-ZendFramework2-I18n-2.4.11-1.mga5
php-ZendFramework2-InputFilter-2.4.11-1.mga5
php-ZendFramework2-Json-2.4.11-1.mga5
php-ZendFramework2-Ldap-2.4.11-1.mga5
php-ZendFramework2-Loader-2.4.11-1.mga5
php-ZendFramework2-Log-2.4.11-1.mga5
php-ZendFramework2-Mail-2.4.11-1.mga5
php-ZendFramework2-Math-2.4.11-1.mga5
php-ZendFramework2-Memory-2.4.11-1.mga5
php-ZendFramework2-Mime-2.4.11-1.mga5
php-ZendFramework2-ModuleManager-2.4.11-1.mga5
php-ZendFramework2-Mvc-2.4.11-1.mga5
php-ZendFramework2-Navigation-2.4.11-1.mga5
php-ZendFramework2-Paginator-2.4.11-1.mga5
php-ZendFramework2-Permissions-Acl-2.4.11-1.mga5
php-ZendFramework2-Permissions-Rbac-2.4.11-1.mga5
php-ZendFramework2-ProgressBar-2.4.11-1.mga5
php-ZendFramework2-Serializer-2.4.11-1.mga5
php-ZendFramework2-Server-2.4.11-1.mga5
php-ZendFramework2-ServiceManager-2.4.11-1.mga5
php-ZendFramework2-Session-2.4.11-1.mga5
php-ZendFramework2-Soap-2.4.11-1.mga5
php-ZendFramework2-Stdlib-2.4.11-1.mga5
php-ZendFramework2-Tag-2.4.11-1.mga5
php-ZendFramework2-Test-2.4.11-1.mga5
php-ZendFramework2-Text-2.4.11-1.mga5
php-ZendFramework2-Uri-2.4.11-1.mga5
php-ZendFramework2-Validator-2.4.11-1.mga5
php-ZendFramework2-Version-2.4.11-1.mga5
php-ZendFramework2-View-2.4.11-1.mga5
php-ZendFramework2-XmlRpc-2.4.11-1.mga5
php-ZendFramework2-ZendXml-2.4.11-1.mga5

from php-ZendFramework2-2.4.11-1.mga5.src.rpm
Comment 1 David Walser 2016-12-30 22:48:01 CET 
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory, package list, and test procedure in Comment 0.

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure

David Walser 2017-01-03 20:31:27 CET

URL: (none) => https://lwn.net/Vulnerabilities/710482/

Comment 2 Brian Rockwell 2017-01-05 20:52:39 CET 
$ uname -a
Linux localhost 4.4.39-desktop-1.mga5 #1 SMP Fri Dec 16 18:52:20 UTC 2016 i686 i686 i686 GNU/Linux



The following 74 packages are going to be installed:

- apache-mod_php-5.6.29-1.mga5.i586
- galette-0.8.1-1.1.mga5.noarch
- php-analog-1.0.4-4.mga5.noarch
- php-channel-phpunit-1.3-14.mga5.noarch
- php-pear-1.9.5-8.mga5.noarch
- php-pear-channel-horde-1.0-19.mga5.noarch
- php-pear-channel-symfony2-1.0-5.mga5.noarch
- php-pear-DbUnit-1.3.1-4.mga5.noarch
- php-pear-File_Iterator-1.3.4-4.mga5.noarch
- php-pear-PHPUnit-3.7.34-2.mga5.noarch
- php-pear-PHPUnit_MockObject-1.2.3-4.mga5.noarch
- php-pear-PHPUnit_Selenium-1.3.3-4.mga5.noarch
- php-pear-PHPUnit_Story-1.0.2-4.mga5.noarch
- php-pear-PHP_CodeCoverage-1.2.17-3.mga5.noarch
- php-pear-PHP_Invoker-1.1.3-4.mga5.noarch
- php-pear-PHP_Timer-1.0.5-4.mga5.noarch
- php-pear-PHP_TokenStream-1.2.2-3.mga5.noarch
- php-pear-Symfony2_Yaml-2.4.4-3.mga5.noarch
- php-pear-Text_Template-1.2.0-3.mga5.noarch
- php-phpmailer-5.2.14-1.1.mga5.noarch
- php-smarty-3.1.21-1.mga5.noarch
- php-tcpdf-6.0.098-1.mga5.noarch
- php-ZendFramework2-2.4.11-1.mga5.noarch
- php-ZendFramework2-Authentication-2.4.11-1.mga5.noarch
- php-ZendFramework2-Barcode-2.4.11-1.mga5.noarch
- php-ZendFramework2-Cache-2.4.11-1.mga5.noarch
- php-ZendFramework2-Captcha-2.4.11-1.mga5.noarch
- php-ZendFramework2-Code-2.4.11-1.mga5.noarch
- php-ZendFramework2-Config-2.4.11-1.mga5.noarch
- php-ZendFramework2-Console-2.4.11-1.mga5.noarch
- php-ZendFramework2-Crypt-2.4.11-1.mga5.noarch
- php-ZendFramework2-Db-2.4.11-1.mga5.noarch
- php-ZendFramework2-Debug-2.4.11-1.mga5.noarch
- php-ZendFramework2-Di-2.4.11-1.mga5.noarch
- php-ZendFramework2-Dom-2.4.11-1.mga5.noarch
- php-ZendFramework2-Escaper-2.4.11-1.mga5.noarch
- php-ZendFramework2-EventManager-2.4.11-1.mga5.noarch
- php-ZendFramework2-Feed-2.4.11-1.mga5.noarch
- php-ZendFramework2-File-2.4.11-1.mga5.noarch
- php-ZendFramework2-Filter-2.4.11-1.mga5.noarch
- php-ZendFramework2-Form-2.4.11-1.mga5.noarch
- php-ZendFramework2-Http-2.4.11-1.mga5.noarch
- php-ZendFramework2-I18n-2.4.11-1.mga5.noarch
- php-ZendFramework2-InputFilter-2.4.11-1.mga5.noarch
- php-ZendFramework2-Json-2.4.11-1.mga5.noarch
- php-ZendFramework2-Ldap-2.4.11-1.mga5.noarch
- php-ZendFramework2-Loader-2.4.11-1.mga5.noarch
- php-ZendFramework2-Log-2.4.11-1.mga5.noarch
- php-ZendFramework2-Mail-2.4.11-1.mga5.noarch
- php-ZendFramework2-Math-2.4.11-1.mga5.noarch
- php-ZendFramework2-Memory-2.4.11-1.mga5.noarch
- php-ZendFramework2-Mime-2.4.11-1.mga5.noarch
- php-ZendFramework2-ModuleManager-2.4.11-1.mga5.noarch
- php-ZendFramework2-Mvc-2.4.11-1.mga5.noarch
- php-ZendFramework2-Navigation-2.4.11-1.mga5.noarch
- php-ZendFramework2-Paginator-2.4.11-1.mga5.noarch
- php-ZendFramework2-Permissions-Acl-2.4.11-1.mga5.noarch
- php-ZendFramework2-Permissions-Rbac-2.4.11-1.mga5.noarch
- php-ZendFramework2-ProgressBar-2.4.11-1.mga5.noarch
- php-ZendFramework2-Serializer-2.4.11-1.mga5.noarch
- php-ZendFramework2-Server-2.4.11-1.mga5.noarch
- php-ZendFramework2-ServiceManager-2.4.11-1.mga5.noarch
- php-ZendFramework2-Session-2.4.11-1.mga5.noarch
- php-ZendFramework2-Soap-2.4.11-1.mga5.noarch
- php-ZendFramework2-Stdlib-2.4.11-1.mga5.noarch
- php-ZendFramework2-Tag-2.4.11-1.mga5.noarch
- php-ZendFramework2-Test-2.4.11-1.mga5.noarch
- php-ZendFramework2-Text-2.4.11-1.mga5.noarch
- php-ZendFramework2-Uri-2.4.11-1.mga5.noarch
- php-ZendFramework2-Validator-2.4.11-1.mga5.noarch
- php-ZendFramework2-Version-2.4.11-1.mga5.noarch
- php-ZendFramework2-View-2.4.11-1.mga5.noarch
- php-ZendFramework2-XmlRpc-2.4.11-1.mga5.noarch
- php-ZendFramework2-ZendXml-2.4.11-1.mga5.noarch

53MB of additional disk space will be used.

18MB of packages will be retrieved.

Is it ok to continue?


Installed modules


set up date/timezone in /etc/php.ini



127.0.0.1/galette


It works through the setup process (I used SQLITE) 

I do get an error, but not related to PHP but as part of the Galette configuration process.

either way the setup routine validated the PHP modules and we happy.

CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure mga5-32-ok

Lewis Smith 2017-01-08 21:03:15 CET

CC: (none) => lewyssmith
Whiteboard: has_procedure mga5-32-ok => has_procedure mga5-32-ok advisory

Comment 3 Brian Rockwell 2017-01-12 15:02:14 CET 
$ uname -a
Linux localhost 4.4.39-server-1.mga5 #1 SMP Fri Dec 16 19:07:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

The following 68 packages are going to be installed:

- php-channel-phpunit-1.3-14.mga5.noarch
- php-pear-1.9.5-8.mga5.noarch
- php-pear-channel-horde-1.0-19.mga5.noarch
- php-pear-channel-symfony2-1.0-5.mga5.noarch
- php-pear-DbUnit-1.3.1-4.mga5.noarch
- php-pear-File_Iterator-1.3.4-4.mga5.noarch
- php-pear-PHPUnit-3.7.34-2.mga5.noarch
- php-pear-PHPUnit_MockObject-1.2.3-4.mga5.noarch
- php-pear-PHPUnit_Selenium-1.3.3-4.mga5.noarch
- php-pear-PHPUnit_Story-1.0.2-4.mga5.noarch
- php-pear-PHP_CodeCoverage-1.2.17-3.mga5.noarch
- php-pear-PHP_Invoker-1.1.3-4.mga5.noarch
- php-pear-PHP_Timer-1.0.5-4.mga5.noarch
- php-pear-PHP_TokenStream-1.2.2-3.mga5.noarch
- php-pear-Symfony2_Yaml-2.4.4-3.mga5.noarch
- php-pear-Text_Template-1.2.0-3.mga5.noarch
- php-ZendFramework2-2.4.11-1.mga5.noarch
- php-ZendFramework2-Authentication-2.4.11-1.mga5.noarch
- php-ZendFramework2-Barcode-2.4.11-1.mga5.noarch
- php-ZendFramework2-Cache-2.4.11-1.mga5.noarch
- php-ZendFramework2-Captcha-2.4.11-1.mga5.noarch
- php-ZendFramework2-Code-2.4.11-1.mga5.noarch
- php-ZendFramework2-Config-2.4.11-1.mga5.noarch
- php-ZendFramework2-Console-2.4.11-1.mga5.noarch
- php-ZendFramework2-Crypt-2.4.11-1.mga5.noarch
- php-ZendFramework2-Db-2.4.11-1.mga5.noarch
- php-ZendFramework2-Debug-2.4.11-1.mga5.noarch
- php-ZendFramework2-Di-2.4.11-1.mga5.noarch
- php-ZendFramework2-Dom-2.4.11-1.mga5.noarch
- php-ZendFramework2-Escaper-2.4.11-1.mga5.noarch
- php-ZendFramework2-EventManager-2.4.11-1.mga5.noarch
- php-ZendFramework2-Feed-2.4.11-1.mga5.noarch
- php-ZendFramework2-File-2.4.11-1.mga5.noarch
- php-ZendFramework2-Filter-2.4.11-1.mga5.noarch
- php-ZendFramework2-Form-2.4.11-1.mga5.noarch
- php-ZendFramework2-Http-2.4.11-1.mga5.noarch
- php-ZendFramework2-I18n-2.4.11-1.mga5.noarch
- php-ZendFramework2-InputFilter-2.4.11-1.mga5.noarch
- php-ZendFramework2-Json-2.4.11-1.mga5.noarch
- php-ZendFramework2-Ldap-2.4.11-1.mga5.noarch
- php-ZendFramework2-Loader-2.4.11-1.mga5.noarch
- php-ZendFramework2-Log-2.4.11-1.mga5.noarch
- php-ZendFramework2-Mail-2.4.11-1.mga5.noarch
- php-ZendFramework2-Math-2.4.11-1.mga5.noarch
- php-ZendFramework2-Memory-2.4.11-1.mga5.noarch
- php-ZendFramework2-Mime-2.4.11-1.mga5.noarch
- php-ZendFramework2-ModuleManager-2.4.11-1.mga5.noarch
- php-ZendFramework2-Mvc-2.4.11-1.mga5.noarch
- php-ZendFramework2-Navigation-2.4.11-1.mga5.noarch
- php-ZendFramework2-Paginator-2.4.11-1.mga5.noarch
- php-ZendFramework2-Permissions-Acl-2.4.11-1.mga5.noarch
- php-ZendFramework2-Permissions-Rbac-2.4.11-1.mga5.noarch
- php-ZendFramework2-ProgressBar-2.4.11-1.mga5.noarch
- php-ZendFramework2-Serializer-2.4.11-1.mga5.noarch
- php-ZendFramework2-Server-2.4.11-1.mga5.noarch
- php-ZendFramework2-ServiceManager-2.4.11-1.mga5.noarch
- php-ZendFramework2-Session-2.4.11-1.mga5.noarch
- php-ZendFramework2-Soap-2.4.11-1.mga5.noarch
- php-ZendFramework2-Stdlib-2.4.11-1.mga5.noarch
- php-ZendFramework2-Tag-2.4.11-1.mga5.noarch
- php-ZendFramework2-Test-2.4.11-1.mga5.noarch
- php-ZendFramework2-Text-2.4.11-1.mga5.noarch
- php-ZendFramework2-Uri-2.4.11-1.mga5.noarch
- php-ZendFramework2-Validator-2.4.11-1.mga5.noarch
- php-ZendFramework2-Version-2.4.11-1.mga5.noarch
- php-ZendFramework2-View-2.4.11-1.mga5.noarch
- php-ZendFramework2-XmlRpc-2.4.11-1.mga5.noarch
- php-ZendFramework2-ZendXml-2.4.11-1.mga5.noarch

14MB of additional disk space will be used.

2.7MB of packages will be retrieved.

Is it ok to continue?



Installing Gallete

The following 5 packages are going to be installed:

- galette-0.8.1-1.1.mga5.noarch
- php-analog-1.0.4-4.mga5.noarch
- php-phpmailer-5.2.14-1.1.mga5.noarch
- php-smarty-3.1.21-1.mga5.noarch
- php-tcpdf-6.0.098-1.mga5.noarch

39MB of additional disk space will be used.

16MB of packages will be retrieved.

Did the same above.

Whiteboard: has_procedure mga5-32-ok advisory => has_procedure mga5-32-ok advisory mga5-64-ok

Lewis Smith 2017-01-12 21:50:18 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2017-01-13 11:33:05 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0016.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED