Bug 8456

Summary:	php-ZendFramework needs update for upstream security advisories ZF2012-02 and ZF2012-05
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:
Severity:	major
Priority:	Normal	CC:	davidwhodgins, sysadmin-bugs, thomas, tmb
Version:	2	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/530909/
Whiteboard:	MGA2-64-OK MGA2-32-OK
Source RPM:	php-ZendFramework-1.11.11-1.1.mga2.src.rpm	CVE:
Status comment:

Description David Walser 2012-12-20 20:45:39 CET

These upstream advisories are from August and December.

ZF2012-05 (fixed in 1.11.15 and 1.12.1) has CVE-2012-5657:
http://openwall.com/lists/oss-security/2012/12/20/4

It doesn't appear a CVE was ever requested for ZF2012-02 (fixed in 1.11.13).

ZF2012-02 was also fixed in 1.12.0, so doesn't affect Cauldron.

Both affect Mageia 2.

ZF2012-3 and ZF2012-4 only affect versions 2.x.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5657
http://framework.zend.com/security/advisory/ZF2012-02
http://framework.zend.com/security/advisory/ZF2012-05

David Walser 2012-12-20 20:45:55 CET

CC: (none) => thomas
Whiteboard: (none) => MGA2TOO

David Walser 2012-12-20 20:46:03 CET

Assignee: bugsquad => thomas

Thomas Spuhler 2012-12-21 05:06:03 CET

Status: NEW => ASSIGNED

Comment 1 Thomas Spuhler 2012-12-21 05:21:58 CET

This bug has been fixed in mga2 by upgrading to 1.12.1 as recommended at the Zend Website and uploaded to upgrade_testing.
I haven't done any testing because I don't have any means to do the testing.

Assignee: thomas => qa-bugs

Comment 2 claire robinson 2012-12-21 10:48:12 CET

Zend quickstart intro: http://framework.zend.com/manual/1.12/en/learning.quickstart.intro.html

Comment 3 David Walser 2012-12-21 12:39:42 CET

Thomas, the one in updates_testing has a subrel, so it's newer than the one in Cauldron.  Either it needs to be deleted by a sysadmin and resubmitted without the subrel, or rebuilt in Cauldron.

Comment 4 David Walser 2012-12-21 12:42:00 CET

Packages built:
php-ZendFramework-1.12.1-1.1.mga2
php-ZendFramework-demos-1.12.1-1.1.mga2
php-ZendFramework-tests-1.12.1-1.1.mga2
php-ZendFramework-extras-1.12.1-1.1.mga2
php-ZendFramework-Cache-Backend-Apc-1.12.1-1.1.mga2
php-ZendFramework-Cache-Backend-Memcached-1.12.1-1.1.mga2
php-ZendFramework-Captcha-1.12.1-1.1.mga2
php-ZendFramework-Dojo-1.12.1-1.1.mga2
php-ZendFramework-Feed-1.12.1-1.1.mga2
php-ZendFramework-Gdata-1.12.1-1.1.mga2
php-ZendFramework-Pdf-1.12.1-1.1.mga2
php-ZendFramework-Search-Lucene-1.12.1-1.1.mga2
php-ZendFramework-Services-1.12.1-1.1.mga2

from php-ZendFramework-1.12.1-1.1.mga2.src.rpm

claire robinson 2012-12-21 13:09:09 CET

Version: Cauldron => 2
Whiteboard: MGA2TOO => feedback

Comment 5 claire robinson 2012-12-21 14:28:10 CET

Useful looking: http://www.webhostinghub.com/support/website/general-server-setup/test-zend-framework-installation

Comment 6 Thomas Spuhler 2012-12-22 05:20:21 CET

(In reply to comment #4)
> Packages built:
> php-ZendFramework-1.12.1-1.1.mga2
> php-ZendFramework-demos-1.12.1-1.1.mga2
> php-ZendFramework-tests-1.12.1-1.1.mga2
> php-ZendFramework-extras-1.12.1-1.1.mga2
> php-ZendFramework-Cache-Backend-Apc-1.12.1-1.1.mga2
> php-ZendFramework-Cache-Backend-Memcached-1.12.1-1.1.mga2
> php-ZendFramework-Captcha-1.12.1-1.1.mga2
> php-ZendFramework-Dojo-1.12.1-1.1.mga2
> php-ZendFramework-Feed-1.12.1-1.1.mga2
> php-ZendFramework-Gdata-1.12.1-1.1.mga2
> php-ZendFramework-Pdf-1.12.1-1.1.mga2
> php-ZendFramework-Search-Lucene-1.12.1-1.1.mga2
> php-ZendFramework-Services-1.12.1-1.1.mga2
> 
> from php-ZendFramework-1.12.1-1.1.mga2.src.rpm

I expected to have another upgrade soon.
But I just bumped the rel.

Comment 7 David Walser 2012-12-22 05:34:23 CET

Thanks Thomas.  I'll post an advisory in the morning.

Whiteboard: feedback => (none)

Comment 8 David Walser 2012-12-22 17:58:10 CET

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerabilities:

Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc in Zend Framework before
1.11.13 and 1.12.0 are vulnerable to XML Entity Expansion (XEE) vectors,
leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE
declaration includes XML entity definitions that contain either recursive or
circular references; this leads to CPU and memory consumption, making Denial
of Service exploits trivial to implement (ZF2012-02).

A vulnerability was reported in Zend Framework versions prior to 1.11.15
and 1.12.1, which can be exploited to disclose certain sensitive
information.  This flaw is caused due to an error in the "Zend_Feed_Rss"
and "Zend_Feed_Atom" classes of the "Zend_Feed" component, when
processing XML data.  It can be used to disclose the contents of certain
local files by sending specially crafted XML data including external
entity references (CVE-2012-5657, ZF2012-05).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5657
http://openwall.com/lists/oss-security/2012/12/20/2
http://framework.zend.com/security/advisory/ZF2012-02
http://framework.zend.com/security/advisory/ZF2012-05
========================

Updated packages in core/updates_testing:
========================
php-ZendFramework-1.12.1-1.1.mga2
php-ZendFramework-demos-1.12.1-1.1.mga2
php-ZendFramework-tests-1.12.1-1.1.mga2
php-ZendFramework-extras-1.12.1-1.1.mga2
php-ZendFramework-Cache-Backend-Apc-1.12.1-1.1.mga2
php-ZendFramework-Cache-Backend-Memcached-1.12.1-1.1.mga2
php-ZendFramework-Captcha-1.12.1-1.1.mga2
php-ZendFramework-Dojo-1.12.1-1.1.mga2
php-ZendFramework-Feed-1.12.1-1.1.mga2
php-ZendFramework-Gdata-1.12.1-1.1.mga2
php-ZendFramework-Pdf-1.12.1-1.1.mga2
php-ZendFramework-Search-Lucene-1.12.1-1.1.mga2
php-ZendFramework-Services-1.12.1-1.1.mga2

from php-ZendFramework-1.12.1-1.1.mga2.src.rpm

Comment 9 Dave Hodgins 2012-12-26 23:43:49 CET

Testing complete on Mageia 2 i586 and x86-64 using the procedure at
https://bugs.mageia.org/show_bug.cgi?id=6666#c16

Only testing for regressions.

Could someone from the sysadmin team push the srpm
php-ZendFramework-1.12.1-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated php-ZendFramework packages fix security vulnerabilities:

Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc in Zend Framework before
1.11.13 and 1.12.0 are vulnerable to XML Entity Expansion (XEE) vectors,
leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE
declaration includes XML entity definitions that contain either recursive or
circular references; this leads to CPU and memory consumption, making Denial
of Service exploits trivial to implement (ZF2012-02).

A vulnerability was reported in Zend Framework versions prior to 1.11.15
and 1.12.1, which can be exploited to disclose certain sensitive
information.  This flaw is caused due to an error in the "Zend_Feed_Rss"
and "Zend_Feed_Atom" classes of the "Zend_Feed" component, when
processing XML data.  It can be used to disclose the contents of certain
local files by sending specially crafted XML data including external
entity references (CVE-2012-5657, ZF2012-05).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5657
http://openwall.com/lists/oss-security/2012/12/20/2
http://framework.zend.com/security/advisory/ZF2012-02
http://framework.zend.com/security/advisory/ZF2012-05

https://bugs.mageia.org/show_bug.cgi?id=8456

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK

Comment 10 Thomas Backlund 2012-12-27 00:41:48 CET

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0367

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2012-12-29 03:27:41 CET

URL: (none) => http://lwn.net/Vulnerabilities/530909/

Comment 11 David Walser 2013-01-03 17:30:41 CET

Update checked into Mageia 1 SVN.