Bug 6666 - php-ZendFramework new security issue CVE-2012-3363
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: major
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/504698/
Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA2...
Keywords: validated_update
Reported: 2012-07-02 22:28 CEST by David Walser
Modified: 2016-05-16 18:28 CEST (History)
Source RPM: php-ZendFramework-1.11.11-1.mga2.src.rpm

Attachments
Zend.tar.gz Sample quickstart application. (7.95 KB, application/octet-stream)
2012-08-04 23:08 CEST, Dave Hodgins

Description David Walser 2012-07-02 22:28:21 CEST
Debian has issued an advisory on June 29:
http://www.debian.org/security/2012/dsa-2505

Mageia 1 and Mageia 2 are also affected.
Comment 1 David Walser 2012-07-10 21:34:28 CEST
Updated package uploaded for Cauldron.

Patched packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerability:

A file disclosure flaw was found in the way SimpleXMLElement class of
Zend Framework, a PHP framework, processed XML data provided within
certain XML-RPC requests (external XML entities were previously possible
to specify by adding a specific DOCTYPE element to particular XML-RPC
request). A remote attacker could use this flaw to obtain sensitive
information by issuing a specially-crafted XML-RPC request to the Zend
Framework based PHP application (CVE-2012-3363).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363
http://framework.zend.com/security/advisory/ZF2012-01
https://bugzilla.redhat.com/show_bug.cgi?id=835560
http://www.debian.org/security/2012/dsa-2505
========================

Updated packages in core/updates_testing:
========================
php-ZendFramework-1.11.0-1.1.mga1
php-ZendFramework-demos-1.11.0-1.1.mga1
php-ZendFramework-tests-1.11.0-1.1.mga1
php-ZendFramework-extras-1.11.0-1.1.mga1
php-ZendFramework-Cache-Backend-Apc-1.11.0-1.1.mga1
php-ZendFramework-Cache-Backend-Memcached-1.11.0-1.1.mga1
php-ZendFramework-Captcha-1.11.0-1.1.mga1
php-ZendFramework-Dojo-1.11.0-1.1.mga1
php-ZendFramework-Feed-1.11.0-1.1.mga1
php-ZendFramework-Gdata-1.11.0-1.1.mga1
php-ZendFramework-Pdf-1.11.0-1.1.mga1
php-ZendFramework-Search-Lucene-1.11.0-1.1.mga1
php-ZendFramework-Services-1.11.0-1.1.mga1
php-ZendFramework-1.11.11-1.1.mga2
php-ZendFramework-demos-1.11.11-1.1.mga2
php-ZendFramework-tests-1.11.11-1.1.mga2
php-ZendFramework-extras-1.11.11-1.1.mga2
php-ZendFramework-Cache-Backend-Apc-1.11.11-1.1.mga2
php-ZendFramework-Cache-Backend-Memcached-1.11.11-1.1.mga2
php-ZendFramework-Captcha-1.11.11-1.1.mga2
php-ZendFramework-Dojo-1.11.11-1.1.mga2
php-ZendFramework-Feed-1.11.11-1.1.mga2
php-ZendFramework-Gdata-1.11.11-1.1.mga2
php-ZendFramework-Pdf-1.11.11-1.1.mga2
php-ZendFramework-Search-Lucene-1.11.11-1.1.mga2
php-ZendFramework-Services-1.11.11-1.1.mga2

from SRPMS:
php-ZendFramework-1.11.0-1.1.mga1.src.rpm
php-ZendFramework-1.11.11-1.1.mga2.src.rpm
Comment 2 Dave Hodgins 2012-07-21 21:14:13 CEST
Seems php-eaccelerator has to be uninstalled first, as it conflicts with php-apc.

I'm looking into how to test this one on Mageia 2 i586 now.
Comment 3 Dave Hodgins 2012-07-21 21:22:47 CEST
# pwd
/usr/share/php/Zend/tests

# phpunit --list-groups AllTests.php
This verison of PHPUnit is not supported in Zend Framework 1.x unit tests.

Is there a compatibility problem, or do I need to set some environment variables
first?
Comment 4 Thomas Spuhler 2012-07-21 21:30:14 CEST
Dave, let me look into this.
I have a kolab package for cauldron that doesn't build because of tests
Comment 5 Samuel Verschelde 2012-07-31 21:27:18 CEST
Hi Thomas. Have you made progress? We are waiting for your input to continue validating this security update :)
Comment 6 Thomas Spuhler 2012-08-03 06:58:45 CEST
I get:
# phpunit --list-groups AllTests.php
PHPUnit 3.3.17 by Sebastian Bergmann.

File "AllTests.php" does not exist.

What packages do you have installed? I suggest to push it as it isn't a regression.
I have similar results in cauldron, but I need to rebuild some php packages for php-5.4
Comment 7 Dave Hodgins 2012-08-04 01:08:12 CEST
rpm -q -f /usr/share/php/Zend/tests/AllTests.php 
php-ZendFramework-tests-1.11.11-1.1.mga2

Testing complete on Mageia 2 x86-64 using
http://framework.zend.com/manual/en/learning.quickstart.create-project.html
putting the quickstart under /var/www/html/Zend, creating the symlink
in the library directory to /usr/share/php/Zend/,  and then using
http://127.0.0.1/Zend/public/index.php to access the welcome page.

I'll test Mageia 2 i586 shortly.
Comment 8 Thomas Spuhler 2012-08-04 02:42:44 CEST
I am still getting
$ phpunit --list-groups AllTests.php
PHPUnit 3.3.17 by Sebastian Bergmann.

File "AllTests.php" does not exist.

after installation of php-ZendFramework-tests in mga1, so no regression.
BTW a lot of these tests have a problem. This is why we have to put so many % _define_exceptions into the spec files.
I will test mga2 tomorrow morning.
Comment 9 Dave Hodgins 2012-08-04 05:41:48 CEST
(In reply to comment #8)
> I am still getting $ phpunit --list-groups AllTests.php
> PHPUnit 3.3.17 by Sebastian Bergmann.
> 
> File "AllTests.php" does not exist.
> 
> after installation of php-ZendFramework-tests in mga1, so no regression.
> BTW a lot of these test have a problem. This is why we have to put so many %
> _define_exceptions into the spec files.
> I will test mga2 tomorrow morning.

Did you "/usr/share/php/Zend/tests/" first?
Comment 10 Dave Hodgins 2012-08-04 06:37:41 CEST
I'm having trouble getting the quickstart working on Mageia 2 i586.

The procedure I'm following is ...
urpmi task-lamp
rpm -e --nodeps php-eaccelerator-admin php-eaccelerator
urpmi php-pdo_sqlite
urpmi -a php-Zend
wget http://www.ody.ca/~dwhodgins/Zend.tar.gz
tar -xf Zend.tar.gz
cp -r css /var/www/html
cp -r Zend /var/www/html
chown -R apache:apache /var/www/html/Zend/data/db
service httpd start
Then go to http://127.0.0.1/Zend/public/index.php
Click on guestbook in the top right, and sign the
guestbook.

The Zend.tar.gz is the same as the quickstart but with an added
global.css file, and the database already loaded.

This worked in Mageia 2 x86-64, but in i586, I just get
An error occurred
Application error

How can I find out what the error is?  There's nothing in
/var/log/httpd/error_log.
Comment 11 Dave Hodgins 2012-08-04 06:38:31 CEST
(In reply to comment #9)
> (In reply to comment #8)
> > I am still getting $ phpunit --list-groups AllTests.php
> > PHPUnit 3.3.17 by Sebastian Bergmann.
> > 
> > File "AllTests.php" does not exist.
> > 
> > after installation of php-ZendFramework-tests in mga1, so no regression.
> > BTW a lot of these test have a problem. This is why we have to put so many %
> > _define_exceptions into the spec files.
> > I will test mga2 tomorrow morning.
> 
> Did you "/usr/share/php/Zend/tests/" first?

Arrgh. Meant to write

Did you "cd /usr/share/php/Zend/tests/" first?
Comment 12 Thomas Backlund 2012-08-04 10:41:13 CEST
(In reply to comment #10)
> 
> This worked in Mageia 2 x86-64, but in i586, I just get
> An error occurred
> Application error
> 
> How can I find out what the error is?  There's nothing in
> /var/log/httpd/error_log.

You need to enable php error logging, by setting log_errors=on in /etc/php.ini

The other one that can be helpful in php debugging is setting display_errors=on, also in /etc/php.ini

Both are disabled by default as they would flood logs with warnings (and errors).

Remember to restart apache after changing the configs
Comment 13 Thomas Spuhler 2012-08-04 19:16:46 CEST
$ cd /usr/share/php/Zend/tests/
[spuhler@localhost tests]$ phpunit --list-groups AllTests.php
This verison of PHPUnit is not supported in Zend Framework 1.x unit tests.

Add the update test repo, then do
# urpmi php-ZendFramework -a
The php-ZendFramework 1.11.11 1.1.mga2 packages get installed.
Then do
phpunit --list-groups AllTests.php
This verison of PHPUnit is not supported in Zend Framework 1.x unit tests.
This gives the same result, so again no regression.
Comment 14 Dave Hodgins 2012-08-04 23:05:52 CEST
Thanks for the help. Figured out the problem.  When I created the
tar.gz file, I used file-roller, which defaults to following symlinks,
so I had x86-64 php stuff in the 32 bit system.

Testing complete on Mageia 2 32 bit.

I'll test Mageia 1 shortly.
Comment 15 Dave Hodgins 2012-08-04 23:08:56 CEST
Created attachment 2605 [details]
Zend.tar.gz Sample quickstart application.

Attachment for use in future qa testing for Zend-Framework.
Contains quickstart sample application ready for use.
Comment 16 Dave Hodgins 2012-08-04 23:26:14 CEST
Testing complete on Mageia 1 i586 using the procedure ...

urpmi task-lamp
rpm -e --nodeps php-eaccelerator-admin php-eaccelerator
urpmi php-pdo_sqlite # Required for sample app, not Zend-Framework itself
urpmi -a php-Zend
wget https://bugs.mageia.org/attachment.cgi?id=2605 -O Zend.tar.gz
tar -xf Zend.tar.gz
cp -r css /var/www/html
cp -r Zend /var/www/html
chown -R apache:apache /var/www/html/Zend/data/db
service httpd start
Then go to http://127.0.0.1/Zend/public/index.php
Click on guestbook in the top right, and sign the
guestbook.
Comment 17 Dave Hodgins 2012-08-04 23:37:15 CEST
Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm
php-ZendFramework-1.11.11-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
php-ZendFramework-1.11.0-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated php-ZendFramework packages fix a security
vulnerability:

A file disclosure flaw was found in the way SimpleXMLElement class of
Zend Framework, a PHP framework, processed XML data provided within
certain XML-RPC requests (external XML entities were previously possible
to specify by adding a specific DOCTYPE element to particular XML-RPC
request). A remote attacker could use this flaw to obtain sensitive
information by issuing a specially-crafted XML-RPC request to the Zend
Framework based PHP application (CVE-2012-3363).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363
http://framework.zend.com/security/advisory/ZF2012-01
https://bugzilla.redhat.com/show_bug.cgi?id=835560
http://www.debian.org/security/2012/dsa-2505

https://bugs.mageia.org/show_bug.cgi?id=6666
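The advisory quoted in comment 1 and again in comment 17 describes external entities reaching SimpleXMLElement through a DOCTYPE in an XML-RPC request body. The following is an added example, not Zend Framework's code or the patch shipped in the packages above: a request loader that refuses DOCTYPE declarations outright and keeps libxml's external entity loader switched off while parsing. The function name `loadXmlRpcRequest` and the two sample request bodies are constructed for illustration.

```php
<?php
// Added example, not Zend Framework's own code or the patch shipped in the
// packages above: a loader for XML-RPC request bodies that closes the hole
// described in CVE-2012-3363 with two layers of defence.
function loadXmlRpcRequest($body)
{
    // Layer 1: XML-RPC never needs a DTD, so any DOCTYPE (the only place an
    // entity can be declared) is rejected before the parser sees it.
    // Caveat: this is a byte-level check; normalise the body to UTF-8 first
    // if your stack accepts other encodings.
    if (preg_match('/<!DOCTYPE/i', $body)) {
        throw new InvalidArgumentException('XML-RPC request with DOCTYPE rejected');
    }

    // Layer 2: keep libxml from resolving external entities while
    // SimpleXMLElement parses, and restore the previous setting afterwards.
    // (libxml_disable_entity_loader() is deprecated from PHP 8.0, where the
    // loader is off by default, but it is the right call on PHP 5.x.)
    $prevLoader = libxml_disable_entity_loader(true);
    $prevErrors = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET additionally forbids any network access during parsing.
        $xml = new SimpleXMLElement($body, LIBXML_NONET);
    } catch (Exception $e) {
        libxml_disable_entity_loader($prevLoader);
        libxml_use_internal_errors($prevErrors);
        throw new InvalidArgumentException('Malformed XML-RPC request: ' . $e->getMessage());
    }
    libxml_disable_entity_loader($prevLoader);
    libxml_use_internal_errors($prevErrors);

    if (!isset($xml->methodName)) {
        throw new InvalidArgumentException('XML-RPC request lacks a methodName');
    }
    return $xml;
}

// Constructed sample bodies: a well-formed call, and one carrying a harmless
// internal DOCTYPE, which must be refused regardless of what it declares.
$benign = '<?xml version="1.0"?><methodCall><methodName>guestbook.sign</methodName>'
        . '<params><param><value><string>hello</string></value></param></params></methodCall>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY greeting "hi">]>'
        . '<methodCall><methodName>guestbook.sign</methodName></methodCall>';
echo "method: ", loadXmlRpcRequest($benign)->methodName, "\n";
try {
    loadXmlRpcRequest($withDoctype);
} catch (InvalidArgumentException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
```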
Comment 18 Thomas Backlund 2012-08-06 18:27:29 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0200
Comment 19 Len Lawrence 2016-05-16 18:28:08 CEST
Running this update on x86_64

Installed the packages before enabling Updates Testing.
Updated all the packages then followed the procedure in bug 6666#c16.

$ sudo urpmi task-lamp
Package task-lamp-3-4.mga5.noarch is already installed
# rpm -e --nodeps php-eaccelerator-admin php-eaccelerator
error: package php-eaccelerator-admin is not installed
error: package php-eaccelerator is not installed
# urpmi php-pdo_sqlite
installing php-pdo_sqlite-5.6.21-1.mga5
# urpmi -a php-Zend
No package named php-Zend
# wget https://bugs.mageia.org/attachment.cgi?id=2605 -O Zend.tar.gz
# ls
css/  install  list  report  update*  Zend/  Zend.tar.gz
# ls css
global.css
# ls Zend
application/  data/  library/  public/  scripts/  tests/
# chown -R apache:apache /var/www/html/Zend/data/db
# systemctl start httpd.service
# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Fri 2016-05-06 08:23:16 BST; 1 weeks 3 days ago

Pointed browser at localhost:/Zend/public/index.php

and, nothing.  Blank page.  I guess this has something to do with missing package php-Zend.  So, where can that be found, or has the name changed?  urpmq comes up empty.
Comment 20 Len Lawrence 2016-05-16 18:28:44 CEST
Done it again!!!  Wrong bug!
