Package: release.debian.org Severity: normal Tags: wheezy User: release.debian....@packages.debian.org Usertags: pu
Hi, As agreed with the security team, I’d like to fix another potential entropy vulnerability that has been fixed in zendframework. The fix also gets rid of openssl_random_pseudo_bytes() introduced in the previous ZF2015-09 fix, and I also added a regression fix from the CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1). Please find attached the proposed debdiff for Wheezy, it’s pretty similar to the one from #821042. zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium * Fix regression from ZF2015-08: binary data corruption * Backport security fix from 1.12.18: - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1 http://framework.zend.com/security/advisory/ZF2016-01 Regards David
diff -u zendframework-1.11.13/debian/changelog zendframework-1.11.13/debian/changelog --- zendframework-1.11.13/debian/changelog +++ zendframework-1.11.13/debian/changelog @@ -1,6 +1,15 @@ +zendframework (1.11.13-1.1+deb7u6) wheezy; urgency=medium + + * Fix regression from ZF2015-08: binary data corruption + * Backport security fix from 1.12.18: + - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1 + http://framework.zend.com/security/advisory/ZF2016-01 + + -- David Prévot <taf...@debian.org> Wed, 13 Apr 2016 16:34:02 -0400 + zendframework (1.11.13-1.1+deb7u5) wheezy; urgency=medium - * Backport security fix from 1.12.17 + * Backport security fix from 1.12.17: - ZF2015-09: Fixed entropy issue in word CAPTCHA http://framework.zend.com/security/advisory/ZF2015-09 @@ -8,7 +17,7 @@ zendframework (1.11.13-1.1+deb7u4) wheezy-security; urgency=high - * Backport security fixes from 1.12.16 + * Backport security fixes from 1.12.16: - ZF2015-07: Filesystem Permissions Issues in Multiple Components http://framework.zend.com/security/advisory/ZF2015-07 [CVE-2015-5723] diff -u zendframework-1.11.13/debian/patches/series zendframework-1.11.13/debian/patches/series --- zendframework-1.11.13/debian/patches/series +++ zendframework-1.11.13/debian/patches/series @@ -15,0 +16 @@ +0016-Fixed-the-rand-usage.patch diff -u zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch --- zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch +++ zendframework-1.11.13/debian/patches/0014-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch 
@@ -5,37 +5,31 @@ This addresses the same issue as found in ZF2014-06, but within the PDO MsSql adapter. Additionally, it fixes transaction tests for that adapter. -Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 +Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416 --- - library/Zend/Db/Adapter/Pdo/Abstract.php | 3 +- - library/Zend/Db/Adapter/Pdo/Mssql.php | 2 +- - tests/TestConfiguration.php.dist | 5 ++-- - tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 47 +++++++------------------------- - tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++++++ - tests/Zend/Db/Adapter/TestCommon.php | 5 ++-- + library/Zend/Db/Adapter/Pdo/Abstract.php | 1 - + library/Zend/Db/Adapter/Pdo/Mssql.php | 19 +++++++++-- + library/Zend/Db/Adapter/Pdo/Sqlite.php | 14 ++++++++ + tests/TestConfiguration.php.dist | 5 +-- + tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 58 ++++++++++++-------------------- + tests/Zend/Db/Adapter/Pdo/MysqlTest.php | 13 +++++-- + tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 10 ++++++ + tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++++++ + tests/Zend/Db/Adapter/TestCommon.php | 5 ++- tests/Zend/Db/TestUtil/Pdo/Mssql.php | 4 ++- - 7 files changed, 31 insertions(+), 45 deletions(-) + 10 files changed, 91 insertions(+), 48 deletions(-) diff --git a/library/Zend/Db/Adapter/Pdo/Abstract.php b/library/Zend/Db/Adapter/Pdo/Abstract.php -index 95f3734..8fde066 100644 +index 95f3734..d718255 100644 --- a/library/Zend/Db/Adapter/Pdo/Abstract.php 
+++ b/library/Zend/Db/Adapter/Pdo/Abstract.php -@@ -292,6 +292,8 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract - if (is_int($value) || is_float($value)) { - return $value; - } -+ // Fix for null-byte injection -+ $value = addcslashes($value, "\000\032"); - $this->_connect(); - return $this->_connection->quote($value); - } -@@ -398,4 +400,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract +@@ -398,4 +398,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract } } } - diff --git a/library/Zend/Db/Adapter/Pdo/Mssql.php b/library/Zend/Db/Adapter/Pdo/Mssql.php -index 3faf82c..175360f 100644 +index 3faf82c..8665da7 100644 --- a/library/Zend/Db/Adapter/Pdo/Mssql.php +++ b/library/Zend/Db/Adapter/Pdo/Mssql.php @@ -410,7 +410,7 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract 
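Review bot: The patch header on the new side gains a second upstream Origin commit, but its description still reads "This addresses the same issue as found in ZF2014-06, but within the PDO MsSql adapter", and nothing records that the `$value = addcslashes($value, "\000\032");` lines are now dropped from Zend_Db_Adapter_Pdo_Abstract::_quote(). A future backporter comparing this file against the DSA-3369-1 version would have to reverse-engineer why the escaping moved. One sentence after the Origin line would carry that: `The null-byte escaping is moved out of Zend_Db_Adapter_Pdo_Abstract::_quote() into the Mssql and Sqlite adapters, because applying it in the abstract adapter corrupted binary data on the other PDO adapters (second commit above).` Whether every remaining PDO adapter's driver handles NUL on its own is not visible in this debdiff, so that wording relies on the changelog entry and the MysqlTest added further down.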
@@ -47,6 +41,51 @@ $result = $stmt->fetchAll(Zend_Db::FETCH_NUM); if (count($result)) { return $result[0][0]; +@@ -420,4 +420,19 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract + return null; + } + } +-} +\ No newline at end of file ++ ++ /** ++ * Quote a raw string. ++ * ++ * @param string $value Raw string ++ * @return string Quoted string ++ */ ++ protected function _quote($value) ++ { ++ if (!is_int($value) && !is_float($value)) { ++ // Fix for null-byte injection ++ $value = addcslashes($value, "\000\032"); ++ } ++ return parent::_quote($value); ++ } ++} +diff --git a/library/Zend/Db/Adapter/Pdo/Sqlite.php b/library/Zend/Db/Adapter/Pdo/Sqlite.php +index 02b3e40..3320b1f 100644 +--- a/library/Zend/Db/Adapter/Pdo/Sqlite.php ++++ b/library/Zend/Db/Adapter/Pdo/Sqlite.php +@@ -294,4 +294,18 @@ class Zend_Db_Adapter_Pdo_Sqlite extends Zend_Db_Adapter_Pdo_Abstract + return $sql; + } + ++ /** ++ * Quote a raw string. ++ * ++ * @param string $value Raw string ++ * @return string Quoted string ++ */ ++ protected function _quote($value) ++ { ++ if (!is_int($value) && !is_float($value)) { ++ // Fix for null-byte injection ++ $value = addcslashes($value, "\000\032"); ++ } ++ return parent::_quote($value); ++ } + } diff --git a/tests/TestConfiguration.php.dist b/tests/TestConfiguration.php.dist index be8ad15..c534ba2 100644 --- a/tests/TestConfiguration.php.dist @@ -78,7 +117,7 @@ */ defined('TESTS_ZEND_HTTP_USERAGENT_WURFL_LIB_DIR') || define('TESTS_ZEND_HTTP_USERAGENT_WURFL_LIB_DIR', false); diff --git a/tests/Zend/Db/Adapter/Pdo/MssqlTest.php b/tests/Zend/Db/Adapter/Pdo/MssqlTest.php -index 60ea18a..17cd37a 100644 +index 60ea18a..db80f28 100644 --- a/tests/Zend/Db/Adapter/Pdo/MssqlTest.php +++ b/tests/Zend/Db/Adapter/Pdo/MssqlTest.php @@ -211,11 +211,13 @@ class Zend_Db_Adapter_Pdo_MssqlTest extends Zend_Db_Adapter_Pdo_TestCommon 
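Review bot: The new `_quote()` overrides in Mssql.php and Sqlite.php are lossy for binary input, and their docblocks ("Quote a raw string.") do not say so: `addcslashes($value, "\000\032")` replaces each NUL and SUB byte with the four-character text `\000` / `\032` before the value reaches parent::_quote(), so what gets quoted is a different string (the test added later in this debdiff pins exactly that: quote("1\0") yields `'1\000'`). Whether the MSSQL or SQLite driver later interprets that backslash sequence is not visible here; at face value the stored value is altered, not preserved. I would add to both docblocks a line such as `NUL and SUB bytes are rewritten to the C-style escapes \000 and \032 before quoting, so this is not safe for binary values; bind those as parameters instead.` The two methods are byte-identical copies, so a short cross-reference comment in each ("keep in sync with Sqlite.php/Mssql.php") would help the next fix land in both.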
@@ -172,6 +211,71 @@ } /** +@@ -388,6 +361,17 @@ class Zend_Db_Adapter_Pdo_MssqlTest extends Zend_Db_Adapter_Pdo_TestCommon + $this->assertArrayHasKey('product_name', $productsTableInfo); + } + ++ /** ++ * test that quote() escapes null byte character ++ * in a string. ++ */ ++ public function testAdapterQuoteNullByteCharacter() ++ { ++ $string = "1\0"; ++ $value = $this->_db->quote($string); ++ $this->assertEquals("'1\\000'", $value); ++ } ++ + public function getDriver() + { + return 'Pdo_Mssql'; +diff --git a/tests/Zend/Db/Adapter/Pdo/MysqlTest.php b/tests/Zend/Db/Adapter/Pdo/MysqlTest.php +index beb3842..f87244c 100644 +--- a/tests/Zend/Db/Adapter/Pdo/MysqlTest.php ++++ b/tests/Zend/Db/Adapter/Pdo/MysqlTest.php +@@ -315,7 +315,17 @@ class Zend_Db_Adapter_Pdo_MysqlTest extends Zend_Db_Adapter_Pdo_TestCommon + $adapter = new ZendTest_Db_Adapter_Pdo_Mysql(array('dbname' => 'foo', 'charset' => 'XYZ', 'username' => 'bar', 'password' => 'foo')); + $this->assertEquals('mysql:dbname=foo;charset=XYZ', $adapter->_dsn()); + } +- ++ ++ /** ++ * Test that quote() does not alter binary data ++ */ ++ public function testBinaryQuoteWithNulls() ++ { ++ $binary = pack("xxx"); ++ $value = $this->_db->quote($binary); ++ $this->assertEquals('\'\0\0\0\'', $value); ++ } ++ + public function getDriver() + { + return 'Pdo_Mysql'; +@@ -330,4 +340,3 @@ class ZendTest_Db_Adapter_Pdo_Mysql extends Zend_Db_Adapter_Pdo_Mysql + return parent::_dsn(); + } + } +- +diff --git a/tests/Zend/Db/Adapter/Pdo/SqliteTest.php b/tests/Zend/Db/Adapter/Pdo/SqliteTest.php +index 6e28f2c..5dc29c7 100644 +--- a/tests/Zend/Db/Adapter/Pdo/SqliteTest.php ++++ b/tests/Zend/Db/Adapter/Pdo/SqliteTest.php +@@ -200,4 +200,14 @@ class Zend_Db_Adapter_Pdo_SqliteTest extends Zend_Db_Adapter_Pdo_TestCommon + return 'Pdo_Sqlite'; + } + ++ /** ++ * test that quote() escapes null byte character ++ * in a string. 
++ */ ++ public function testAdapterQuoteNullByteCharacter() ++ { ++ $string = "1\0"; ++ $value = $this->_db->quote($string); ++ $this->assertEquals("'1\\000'", $value); ++ } + } diff --git a/tests/Zend/Db/Adapter/Pdo/TestCommon.php b/tests/Zend/Db/Adapter/Pdo/TestCommon.php index c6f50b5..1467e8e 100644 --- a/tests/Zend/Db/Adapter/Pdo/TestCommon.php only in patch2: unchanged: --- zendframework-1.11.13.orig/debian/patches/0016-Fixed-the-rand-usage.patch +++ zendframework-1.11.13/debian/patches/0016-Fixed-the-rand-usage.patch 
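Review bot: testAdapterQuoteNullByteCharacter in MssqlTest.php and SqliteTest.php exercises only the NUL byte, while the adapter change in this same debdiff also rewrites SUB (the `"\000\032"` char list), so a regression in the second character would go unnoticed. Mirroring the existing expectation, one more assertion in each test covers it: `$this->assertEquals("'1\\032'", $this->_db->quote("1\x1a"));`. The MysqlTest addition (`testBinaryQuoteWithNulls`) is the regression test for the binary-corruption fix named in the changelog; a one-line comment there stating that MySQL's PDO quote() is expected to escape NUL by itself (hence the `\0\0\0` expectation) would explain why MySQL is asserted to be unaltered while MsSql and Sqlite are asserted to be rewritten.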
@@ -0,0 +1,175 @@ +From: Enrico Zimuel <e.zim...@gmail.com> +Date: Mon, 11 Apr 2016 19:16:32 +0200 +Subject: Fixed the rand usage + +Origin: upstream, https://github.com/zendframework/zf1/commit/dbb9c8e1cf9f8ac8dcee89591f73d5a902d50b10 +--- + library/Zend/Crypt/Math.php | 10 +++++----- + library/Zend/Filter/Encrypt/Mcrypt.php | 6 ++++-- + library/Zend/Form/Element/Hash.php | 8 ++++---- + library/Zend/Gdata/HttpClient.php | 5 ++++- + library/Zend/Ldap/Attribute.php | 7 +++++-- + library/Zend/OpenId.php | 9 ++++----- + 6 files changed, 26 insertions(+), 19 deletions(-) + +diff --git a/library/Zend/Crypt/Math.php b/library/Zend/Crypt/Math.php +index 43f9167..37ff854 100644 +--- a/library/Zend/Crypt/Math.php ++++ b/library/Zend/Crypt/Math.php +@@ -77,11 +77,8 @@ class Zend_Crypt_Math extends Zend_Crypt_Math_BigInteger + if ($length <= 0) { + return false; + } +- if (function_exists('openssl_random_pseudo_bytes')) { +- $bytes = openssl_random_pseudo_bytes($length, $usable); +- if ($strong === $usable) { +- return $bytes; +- } ++ if (function_exists('random_bytes')) { // available in PHP 7 ++ return random_bytes($length); + } + if (function_exists('mcrypt_create_iv')) { + $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM); +@@ -134,6 +131,9 @@ class Zend_Crypt_Math extends Zend_Crypt_Math_BigInteger + 'The supplied range is too great to generate' + ); + } ++ if (function_exists('random_int')) { // available in PHP 7 ++ return random_int($min, $max); ++ } + // calculate number of bits required to store range on this machine + $r = $range; + $bits = 0; +diff --git a/library/Zend/Filter/Encrypt/Mcrypt.php b/library/Zend/Filter/Encrypt/Mcrypt.php +index 01d919c..cb32839 100644 +--- a/library/Zend/Filter/Encrypt/Mcrypt.php ++++ b/library/Zend/Filter/Encrypt/Mcrypt.php +@@ -24,6 +24,9 @@ + */ + require_once 'Zend/Filter/Encrypt/Interface.php'; + ++/** @see Zend_Crypt_Math */ ++require_once 'Zend/Crypt/Math.php'; ++ + /** + * Encryption adapter for mcrypt + * +@@ -355,9 
+358,8 @@ class Zend_Filter_Encrypt_Mcrypt implements Zend_Filter_Encrypt_Interface + if (version_compare(PHP_VERSION, '5.3.0', '>=')) { + return; + } +- + if (!self::$_srandCalled) { +- srand((double) microtime() * 1000000); ++ srand(Zend_Crypt_Math::randInteger(0, PHP_INT_MAX)); + self::$_srandCalled = true; + } + } +diff --git a/library/Zend/Form/Element/Hash.php b/library/Zend/Form/Element/Hash.php +index 6e11239..aff129e 100644 +--- a/library/Zend/Form/Element/Hash.php ++++ b/library/Zend/Form/Element/Hash.php +@@ -22,6 +22,9 @@ + /** Zend_Form_Element_Xhtml */ + require_once 'Zend/Form/Element/Xhtml.php'; + ++/** @see Zend_Crypt_Math */ ++require_once 'Zend/Crypt/Math.php'; ++ + /** + * CSRF form protection + * +@@ -249,10 +252,7 @@ class Zend_Form_Element_Hash extends Zend_Form_Element_Xhtml + protected function _generateHash() + { + $this->_hash = md5( +- mt_rand(1,1000000) +- . $this->getSalt() +- . $this->getName() +- . mt_rand(1,1000000) ++ Zend_Crypt_Math::randBytes(32) + ); + $this->setValue($this->_hash); + } +diff --git a/library/Zend/Gdata/HttpClient.php b/library/Zend/Gdata/HttpClient.php +index cc5cc78..23ecda3 100644 +--- a/library/Zend/Gdata/HttpClient.php ++++ b/library/Zend/Gdata/HttpClient.php +@@ -25,6 +25,9 @@ + */ + require_once 'Zend/Http/Client.php'; + ++/** @see Zend_Crypt_Math */ ++require_once 'Zend/Crypt/Math.php'; ++ + /** + * Gdata Http Client object. + * +@@ -210,7 +213,7 @@ class Zend_Gdata_HttpClient extends Zend_Http_Client + if ($this->getAuthSubPrivateKeyId() != null) { + // secure AuthSub + $time = time(); +- $nonce = mt_rand(0, 999999999); ++ $nonce = Zend_Crypt_Math::randInteger(0, 999999999); + $dataToSign = $method . ' ' . $url . ' ' . $time . ' ' . 
$nonce; + + // compute signature +diff --git a/library/Zend/Ldap/Attribute.php b/library/Zend/Ldap/Attribute.php +index 81080e8..d9984ad 100644 +--- a/library/Zend/Ldap/Attribute.php ++++ b/library/Zend/Ldap/Attribute.php +@@ -24,6 +24,9 @@ + */ + require_once 'Zend/Ldap/Converter.php'; + ++/** @see Zend_Crypt_Math */ ++require_once 'Zend/Crypt/Math.php'; ++ + /** + * Zend_Ldap_Attribute is a collection of LDAP attribute related functions. + * +@@ -311,7 +314,7 @@ class Zend_Ldap_Attribute + } + return $password; + case self::PASSWORD_HASH_SSHA: +- $salt = substr(sha1(uniqid(mt_rand(), true), true), 0, 4); ++ $salt = Zend_Crypt_Math::randBytes(4); + $rawHash = sha1($password . $salt, true) . $salt; + $method = '{SSHA}'; + break; +@@ -320,7 +323,7 @@ class Zend_Ldap_Attribute + $method = '{SHA}'; + break; + case self::PASSWORD_HASH_SMD5: +- $salt = substr(sha1(uniqid(mt_rand(), true), true), 0, 4); ++ $salt = Zend_Crypt_Math::randBytes(4); + $rawHash = md5($password . $salt, true) . $salt; + $method = '{SMD5}'; + break; +diff --git a/library/Zend/OpenId.php b/library/Zend/OpenId.php +index 887668d..5efc7ad 100644 +--- a/library/Zend/OpenId.php ++++ b/library/Zend/OpenId.php +@@ -25,6 +25,9 @@ + */ + require_once "Zend/Controller/Response/Abstract.php"; + ++/** @see Zend_Crypt_Math */ ++require_once 'Zend/Crypt/Math.php'; ++ + /** + * Static class that contains common utility functions for + * {@link Zend_OpenId_Consumer} and {@link Zend_OpenId_Provider}. +@@ -470,11 +473,7 @@ class Zend_OpenId + */ + static public function randomBytes($len) + { +- $key = ''; +- for($i=0; $i < $len; $i++) { +- $key .= chr(mt_rand(0, 255)); +- } +- return $key; ++ return (string) Zend_Crypt_Math::randBytes($len); + } + + /**
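Review bot: In Zend_OpenId::randomBytes() the new `return (string) Zend_Crypt_Math::randBytes($len);` turns a `false` return from randBytes() into the empty string: the Math.php hunk above shows randBytes() returning false for `$length <= 0`, and if it has further false-returning paths after the mcrypt_create_iv() fallback (the rest of that function is outside the hunk) a missing entropy source would yield an empty key instead of an error. The same masking applies in Zend_Form_Element_Hash::_generateHash(), where `md5(Zend_Crypt_Math::randBytes(32))` on a false return would produce the fixed hash of the empty string as the CSRF token. I would check the result before casting, e.g. `$bytes = Zend_Crypt_Math::randBytes($len); if ($bytes === false && $len > 0) { throw new Zend_OpenId_Exception('Unable to generate random bytes'); } return (string) $bytes;` — the `$len > 0` guard keeps the removed loop's randomBytes(0) === '' behaviour. Zend_OpenId_Exception is not required by this hunk; add the require_once or use whichever exception class OpenId.php already loads.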