6666 – php-ZendFramework new security issue CVE-2012-3363

Bug 6666 - php-ZendFramework new security issue CVE-2012-3363

Summary: php-ZendFramework new security issue CVE-2012-3363

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	2
Hardware:	i586 Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:

URL:	http://lwn.net/Vulnerabilities/504698/
Whiteboard:	MGA1TOO has_procedure MGA2-64-OK MGA2...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2012-07-02 22:28 CEST by David Walser
Modified:	2016-05-16 18:28 CEST (History)
CC List:	6 users (show)

See Also:	13102
Source RPM:	php-ZendFramework-1.11.11-1.mga2.src.rpm
CVE:
Status comment:

Attachments
Zend.tar.gz Sample quickstart application. (7.95 KB, application/octet-stream) 2012-08-04 23:08 CEST, Dave Hodgins	Details
View All Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2012-07-02 22:28:21 CEST

Debian has issued an advisory on June 29:
http://www.debian.org/security/2012/dsa-2505

Mageia 1 and Mageia 2 are also affected.

David Walser 2012-07-02 22:28:35 CEST

CC: (none) => thomas
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 David Walser 2012-07-10 21:34:28 CEST

Updated package uploaded for Cauldron.

Patched packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated php-ZendFramework packages fix security vulnerability:

A file disclosure flaw was found in the way SimpleXMLElement class of
Zend Framework, a PHP framework, processed XML data provided within
certain XML-RPC requests (external XML entities were previously possible
to specify by adding a specific DOCTYPE element to particular XML-RPC
request). A remote attacker could use this flaw to obtain sensitive
information by issuing a specially-crafted XML-RPC request to the Zend
Framework based PHP application (CVE-2012-3363).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363
http://framework.zend.com/security/advisory/ZF2012-01
https://bugzilla.redhat.com/show_bug.cgi?id=835560
http://www.debian.org/security/2012/dsa-2505
========================

Updated packages in core/updates_testing:
========================
php-ZendFramework-1.11.0-1.1.mga1
php-ZendFramework-demos-1.11.0-1.1.mga1
php-ZendFramework-tests-1.11.0-1.1.mga1
php-ZendFramework-extras-1.11.0-1.1.mga1
php-ZendFramework-Cache-Backend-Apc-1.11.0-1.1.mga1
php-ZendFramework-Cache-Backend-Memcached-1.11.0-1.1.mga1
php-ZendFramework-Captcha-1.11.0-1.1.mga1
php-ZendFramework-Dojo-1.11.0-1.1.mga1
php-ZendFramework-Feed-1.11.0-1.1.mga1
php-ZendFramework-Gdata-1.11.0-1.1.mga1
php-ZendFramework-Pdf-1.11.0-1.1.mga1
php-ZendFramework-Search-Lucene-1.11.0-1.1.mga1
php-ZendFramework-Services-1.11.0-1.1.mga1
php-ZendFramework-1.11.11-1.1.mga2
php-ZendFramework-demos-1.11.11-1.1.mga2
php-ZendFramework-tests-1.11.11-1.1.mga2
php-ZendFramework-extras-1.11.11-1.1.mga2
php-ZendFramework-Cache-Backend-Apc-1.11.11-1.1.mga2
php-ZendFramework-Cache-Backend-Memcached-1.11.11-1.1.mga2
php-ZendFramework-Captcha-1.11.11-1.1.mga2
php-ZendFramework-Dojo-1.11.11-1.1.mga2
php-ZendFramework-Feed-1.11.11-1.1.mga2
php-ZendFramework-Gdata-1.11.11-1.1.mga2
php-ZendFramework-Pdf-1.11.11-1.1.mga2
php-ZendFramework-Search-Lucene-1.11.11-1.1.mga2
php-ZendFramework-Services-1.11.11-1.1.mga2

from SRPMS:
php-ZendFramework-1.11.0-1.1.mga1.src.rpm
php-ZendFramework-1.11.11-1.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 2 Dave Hodgins 2012-07-21 21:14:13 CEST

Seems php-eaccelerator has to be uninstalled first, as it conflicts with php-apc.

I'm looking into how to test this one on Mageia 2 i586 now.

CC: (none) => davidwhodgins

Comment 3 Dave Hodgins 2012-07-21 21:22:47 CEST

# pwd
/usr/share/php/Zend/tests

# phpunit --list-groups AllTests.php
This verison of PHPUnit is not supported in Zend Framework 1.x unit tests.

Is there a compatibility problem, or do I need to set some environment variables
first?

Comment 4 Thomas Spuhler 2012-07-21 21:30:14 CEST

Dave, let me look into this.
I have a kolab package for cauldron that doesn't build because of tests

Status: NEW => ASSIGNED

Comment 5 Samuel Verschelde 2012-07-31 21:27:18 CEST

Hi Thomas. Have you made progress? We are waiting for your input to continue validating this security update :)

CC: (none) => stormi

claire robinson 2012-08-02 11:11:43 CEST

Whiteboard: MGA1TOO => MGA1TOO feedback

David Walser 2012-08-02 23:36:01 CEST

Severity: normal => major

Comment 6 Thomas Spuhler 2012-08-03 06:58:45 CEST

I get:
# phpunit --list-groups AllTests.php
PHPUnit 3.3.17 by Sebastian Bergmann.

File "AllTests.php" does not exist.

What packages do you have installed? I suggest to push it as it isn't a regression.
I have similar results in cauldron, but I need to rebuild some php packages for php-5.4

Samuel Verschelde 2012-08-03 09:55:59 CEST

Whiteboard: MGA1TOO feedback => MGA1TOO

Comment 7 Dave Hodgins 2012-08-04 01:08:12 CEST

rpm -q -f /usr/share/php/Zend/tests/AllTests.php 
php-ZendFramework-tests-1.11.11-1.1.mga2

Testing complete on Mageia 2 x86-64 using
http://framework.zend.com/manual/en/learning.quickstart.create-project.html
putting the quickstart under /var/www/html/Zend, creating the symlink
in the library directory to /usr/share/php/Zend/,  and then using
http://127.0.0.1/Zend/public/index.php to access the welcome page.

I'll test Mageia 2 i586 shortly.

Whiteboard: MGA1TOO => MGA1TOO has_procedure MGA2-64-OK

Comment 8 Thomas Spuhler 2012-08-04 02:42:44 CEST

I am still getting $ phpunit --list-groups AllTests.php
PHPUnit 3.3.17 by Sebastian Bergmann.

File "AllTests.php" does not exist.

after installation of php-ZendFramework-tests in mga1, so no regression.
BTW a lot of these test have a problem. This is why we have to put so many % _define_exceptions into the spec files.
I will test mga2 tomorrow morning.

Comment 9 Dave Hodgins 2012-08-04 05:41:48 CEST

(In reply to comment #8)
> I am still getting $ phpunit --list-groups AllTests.php
> PHPUnit 3.3.17 by Sebastian Bergmann.
> 
> File "AllTests.php" does not exist.
> 
> after installation of php-ZendFramework-tests in mga1, so no regression.
> BTW a lot of these test have a problem. This is why we have to put so many %
> _define_exceptions into the spec files.
> I will test mga2 tomorrow morning.

Did you "/usr/share/php/Zend/tests/" first?

Comment 10 Dave Hodgins 2012-08-04 06:37:41 CEST

I'm having trouble getting the quickstart working on Mageia 2 i586.

The procedure I'm following is ...
urpmi task-lamp
rpm -e --nodeps php-eaccelerator-admin php-eaccelerator
urpmi php-pdo_sqlite
urpmi -a php-Zend
wget http://www.ody.ca/~dwhodgins/Zend.tar.gz
tar -xf Zend.tar.gz
cp -r css /var/www/html
cp -r Zend /var/www/html
chown -R apache:apache /var/www/html/Zend/data/db
service httpd start
Then go to http://127.0.0.1/Zend/public/index.php
Click on guestbook in the top right, and sign the
guestbook.

The Zend.tar.gz is the same as the quickstart but with an added
global.css file, and the database already loaded.

This worked in Mageia 2 x86-64, but in i586, I just get
An error occurred
Application error

How can I find out what the error is?  There's nothing in
/var/log/httpd/error_log.

Comment 11 Dave Hodgins 2012-08-04 06:38:31 CEST

(In reply to comment #9)
> (In reply to comment #8)
> > I am still getting $ phpunit --list-groups AllTests.php
> > PHPUnit 3.3.17 by Sebastian Bergmann.
> > 
> > File "AllTests.php" does not exist.
> > 
> > after installation of php-ZendFramework-tests in mga1, so no regression.
> > BTW a lot of these test have a problem. This is why we have to put so many %
> > _define_exceptions into the spec files.
> > I will test mga2 tomorrow morning.
> 
> Did you "/usr/share/php/Zend/tests/" first?

Arrgh. Meant to write

Did you "cd /usr/share/php/Zend/tests/" first?

Comment 12 Thomas Backlund 2012-08-04 10:41:13 CEST

(In reply to comment #10)
> 
> This worked in Mageia 2 x86-64, but in i586, I just get
> An error occurred
> Application error
> 
> How can I find out what the error is?  There's nothing in
> /var/log/httpd/error_log.

You need to enable php error logging, by setting log_errors=on in /etc/php.ini

The other one that can be helpful in php debugging is setting display_errors=on, also in /etc/php.ini

Both are disabled by default as they would flood logs with warnings (and errors).

Remember to restart apache after changing the configs

CC: (none) => tmb

Comment 13 Thomas Spuhler 2012-08-04 19:16:46 CEST

$ cd /usr/share/php/Zend/tests/
[spuhler@localhost tests]$ phpunit --list-groups AllTests.php
This verison of PHPUnit is not supported in Zend Framework 1.x unit tests.
add the update test repo
do # urpmi php-ZendFramework -a
The  php-ZendFramework              1.11.11      1.1.mga2 packages get installed
The do 
phpunit --list-groups AllTests.php
This verison of PHPUnit is not supported in Zend Framework 1.x unit tests.
This gives the same result, so again no regression

Comment 14 Dave Hodgins 2012-08-04 23:05:52 CEST

Thanks for the help. Figured out the problem.  When I created the
tar.gz file, I used file-roller, which defaults to following symlinks,
so I had x86-64 php stuff in the 32 bit system.

Testing complete on Mageia 2 32 bit.

I'll test Mageia 1 shortly.

Whiteboard: MGA1TOO has_procedure MGA2-64-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK

Comment 15 Dave Hodgins 2012-08-04 23:08:56 CEST

Created attachment 2605 [details]
Zend.tar.gz Sample quickstart application.

Attachment for use in future qa testing for Zend-Framework.
Contains quickstart sample application ready for use.

Comment 16 Dave Hodgins 2012-08-04 23:26:14 CEST

Testing complete on Mageia 1 i586 using the procedure ...

urpmi task-lamp
rpm -e --nodeps php-eaccelerator-admin php-eaccelerator
urpmi php-pdo_sqlite # Required for sample app, not Zend-Framework itself
urpmi -a php-Zend
wget https://bugs.mageia.org/attachment.cgi?id=2605 -O Zend.tar.gz
tar -xf Zend.tar.gz
cp -r css /var/www/html
cp -r Zend /var/www/html
chown -R apache:apache /var/www/html/Zend/data/db
service httpd start
Then go to http://127.0.0.1/Zend/public/index.php
Click on guestbook in the top right, and sign the
guestbook.

Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK

Comment 17 Dave Hodgins 2012-08-04 23:37:15 CEST

Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm
php-ZendFramework-1.11.11-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
php-ZendFramework-1.11.0-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated php-ZendFramework packages fix a security
vulnerability:

A file disclosure flaw was found in the way SimpleXMLElement class of
Zend Framework, a PHP framework, processed XML data provided within
certain XML-RPC requests (external XML entities were previously possible
to specify by adding a specific DOCTYPE element to particular XML-RPC
request). A remote attacker could use this flaw to obtain sensitive
information by issuing a specially-crafted XML-RPC request to the Zend
Framework based PHP application (CVE-2012-3363).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363
http://framework.zend.com/security/advisory/ZF2012-01
https://bugzilla.redhat.com/show_bug.cgi?id=835560
http://www.debian.org/security/2012/dsa-2505

https://bugs.mageia.org/show_bug.cgi?id=6666

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-32-OK MGA1-64-OK

Comment 18 Thomas Backlund 2012-08-06 18:27:29 CEST

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0200

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-04-02 15:05:32 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=13102

Comment 19 Len Lawrence 2016-05-16 18:28:08 CEST

Running this update on x86_64

Installed the packages before enabling Updates Testing.
Updated all the packages then followed the procedure in bug 6666#c16.

$ sudo urpmi task-lamp
Package task-lamp-3-4.mga5.noarch is already installed
# rpm -e --nodeps php-eaccelerator-admin php-eaccelerator
error: package php-eaccelerator-admin is not installed
error: package php-eaccelerator is not installed
# urpmi php-pdo_sqlite
installing php-pdo_sqlite-5.6.21-1.mga5
# urpmi -a php-Zend
No package named php-Zend
# wget https://bugs.mageia.org/attachment.cgi?id=2605 -O Zend.tar.gz
# ls
css/  install  list  report  update*  Zend/  Zend.tar.gz
# ls css
global.css
# ls Zend
application/  data/  library/  public/  scripts/  tests/
# chown -R apache:apache /var/www/html/Zend/data/db
# systemctl start httpd.service
# systemctl status httpd.service
â httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Fri 2016-05-06 08:23:16 BST; 1 weeks 3 days ago

Pointed browser at localhost:/Zend/public/index.php

and, nothing.  Blank page.  I guess this has something to do with missing package php-Zend.  So, where can that be found, or has the name changed?  urpmq comes up empty.

CC: (none) => tarazed25

Comment 20 Len Lawrence 2016-05-16 18:28:44 CEST

Done it again!!!  Wrong bug!

Note You need to log in before you can comment on or make changes to this bug.