Package: zendframework / 1.12.9+dfsg-2+deb8u6

Metadata

Package: zendframework
Version: 1.12.9+dfsg-2+deb8u6
Patches format: 3.0 (quilt)

Patch series

0001 Add shebang and set absolute path to PHP file.patch

bin/zf.php | 1 (+1, -0)
bin/zf.sh | 2 (+1, -1)
2 files changed, 2 insertions(+), 1 deletion(-)

add shebang and set absolute path to php file


0002 sk tfix.patch

resources/languages/sk/Zend_Validate.php | 2 (+1, -1)
1 file changed, 1 insertion(+), 1 deletion(-)

(sk) tfix


0003 ZF2015 04 Fix CRLF injections in HTTP and Mail.patch

library/Zend/Http/Client.php | 81 (+56, -25)
library/Zend/Http/Header/HeaderValue.php | 127 (+127, -0)
library/Zend/Http/Header/SetCookie.php | 8 (+8, -0)
library/Zend/Http/Response.php | 72 (+54, -18)
library/Zend/Mail/Header/HeaderName.php | 92 (+92, -0)
library/Zend/Mail/Header/HeaderValue.php | 136 (+136, -0)
library/Zend/Mail/Message.php | 1 (+1, -0)
library/Zend/Mail/Part.php | 40 (+37, -3)
tests/Zend/Http/Client/AllTests.php | 2 (+2, -0)
tests/Zend/Http/Client/ClientTest.php | 71 (+71, -0)
tests/Zend/Http/Client/CommonHttpTests.php | 1 (+0, -1)
tests/Zend/Http/Header/AllTests.php | 6 (+6, -0)
tests/Zend/Http/Header/HeaderValueTest.php | 116 (+116, -0)
tests/Zend/Http/Header/SetCookieTest.php | 22 (+21, -1)
tests/Zend/Http/ResponseTest.php | 66 (+47, -19)
tests/Zend/Mail/AllTests.php | 2 (+2, -0)
tests/Zend/Mail/Header/AllTests.php | 58 (+58, -0)
tests/Zend/Mail/Header/HeaderNameTest.php | 96 (+96, -0)
tests/Zend/Mail/Header/HeaderValueTest.php | 110 (+110, -0)
tests/Zend/Mail/MessageTest.php | 33 (+32, -1)
20 files changed, 1072 insertions(+), 68 deletions(-)

[zf2015-04] fix crlf injections in http and mail

This patch mirrors that made in ZF2 to address ZF2015-04. It adds the following
classes:

- `Zend_Http_Header_HeaderValue`, which provides functionality for validating,
  filtering, and asserting that header values follow RFC 2822.
- `Zend_Mail_Header_HeaderName`, which provides functionality for validating,
  filtering, and asserting that header names follow RFC 2822.
- `Zend_Mail_Header_HeaderValue`, which provides functionality for validating,
  filtering, and asserting that header values follow RFC 7230.

The following specific changes were made to existing functionality:

- `Zend_Mail_Part::__construct()` was modified in order to validate mail headers
  provided to it.
- `Zend_Http_Header_SetCookie`'s `setName()`, `setValue()`, `setDomain()`, and
  `setPath()` methods were modified to validate incoming values.
- `Zend_Http_Response::extractHeaders()` was modified to follow RFC 7230 and
  only split on `\r\n` sequences when splitting header lines. Each value
  extracted is tested for validity.
- `Zend_Http_Response::extractBody()` was modified to follow RFC 7230 and
  only split on `\r\n` sequences when splitting the message from the headers.
- `Zend_Http_Client::setHeaders()` was modified to validate incoming header
  values.
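The header-value validation the commit message describes, written out as an added PHP example rather than the `Zend_Http_Header_HeaderValue` code from the patch. The function names (`isValidHeaderValue`, `filterHeaderValue`, `buildHeaderLine`) are hypothetical and the two sample values are constructed; the point shown is why a value containing a CR/LF pair must be rejected or filtered before it is written into a header line.

```php
<?php
// Added example, not Zend Framework code: a header-value check in the spirit
// of the ZF2015-04 patch. Function names are hypothetical; inputs are constructed.

/**
 * True when $value may be emitted as an HTTP header value.
 * RFC 7230 allows visible ASCII (0x21-0x7E), SP, HTAB and obs-text (0x80-0xFF);
 * CR, LF, NUL and every other control character are rejected.
 */
function isValidHeaderValue(string $value): bool
{
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $byte = ord($value[$i]);
        if ($byte === 0x09 || ($byte >= 0x20 && $byte <= 0x7E) || $byte >= 0x80) {
            continue;
        }
        return false; // a control character such as CR or LF
    }
    return true;
}

/**
 * Drop every byte the check above rejects, so a value taken from untrusted
 * input can no longer terminate the header line and start a new one.
 */
function filterHeaderValue(string $value): string
{
    return preg_replace('/[^\x09\x20-\x7E\x80-\xFF]/', '', $value);
}

/**
 * Assemble one "Name: value" line, refusing rather than silently emitting
 * a bad name or value. Header names must be RFC 7230 tokens.
 */
function buildHeaderLine(string $name, string $value): string
{
    if (!preg_match('/^[A-Za-z0-9!#$%&\'*+\-.^_`|~]+$/', $name)) {
        throw new InvalidArgumentException("Invalid header name: $name");
    }
    if (!isValidHeaderValue($value)) {
        throw new InvalidArgumentException("Header value for $name contains CR/LF or control bytes");
    }
    return $name . ': ' . $value;
}

// Constructed inputs: one benign value and one carrying a CRLF sequence that,
// written out unchecked, would be read by the peer as a second header line.
$benign   = 'text/html; charset=utf-8';
$injected = "text/html\r\nX-Injected: 1";

foreach ([$benign, $injected] as $value) {
    printf("%-32s valid=%s filtered=%s\n",
        json_encode($value),
        isValidHeaderValue($value) ? 'yes' : 'no',
        json_encode(filterHeaderValue($value)));
}

try {
    echo buildHeaderLine('Content-Type', $injected), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The check works on bytes rather than characters on purpose: the danger is the raw CR and LF octets reaching the wire, so the validation has to run on the exact byte string that will be emitted, not on a decoded or re-encoded copy.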

0004 Cast int and float to string when creating headers.patch

library/Zend/Http/Client.php | 5 (+5, -0)
1 file changed, 5 insertions(+)

cast int and float to string when creating headers

With the ZF2015-04 patch, we were no longer allowing non-string, non-stringable
objects as header values. This broke a number of other classes, however, which
required integer and/or float values (e.g., to set a Content-Length header).
This patch casts those types to strings before attempting to set them as header
values.

0005 ZF2015 06 Fix potential XXE vector via BOM detection.patch

library/Zend/Xml/Security.php | 248 (+243, -5)
tests/Zend/Xml/AllTests.php | 2 (+2, -0)
tests/Zend/Xml/MultibyteTest.php | 158 (+158, -0)
3 files changed, 403 insertions(+), 5 deletions(-)

[zf2015-06] fix potential xxe vector via bom detection

This patch fixes a potential XXE vector that occurs when a multibyte XML
string/file is provided to the security scanner under PHP-FPM when threading
is enabled.

php-src patched libxml to work thread-safe in

- https://github.com/php/php-src/commit/de31324c221c1791b26350ba106cc26bad23ace9

which is included in PHP 5.5 starting in 5.5.22 and PHP 5.6 starting in 5.6.6.
In those versions, we now *always* use the libxml checks.

However, for vulnerable PHP versions, we updated the heuristic algorithm to have
it generate a properly encoded `<!ENTITY` string against which to compare:

- Determine file encoding
  - Check for presence of an actual BOM
    - See https://en.wikipedia.org/wiki/Byte_order_mark for BOM => encoding pairs
  - If no BOM, lookup routine to encode `<?xml` to known encodings,
    and compare that to the current XML string, returning the encoding that
    matches.
  - Otherwise, assume UTF-8
- Find the XML encoding
  - Encode `>` and `encoding="` in the given charset, and see if the latter
    occurs before the former. If so:
    - encode the `"` character, and get the `substr` from where `encoding="`
      completes to the next `"` character.
    - that string becomes the XML encoding; strip any null bytes and return it.
  - if no `encoding` set, use the file encoding.
- Using the detected encoding, encode the string `<!ENTITY`, and use that
  value for the `strpos()` heuristic check.

In point of fact, the patch will use both the XML declared encoding as well as
the file encoding to perform the heuristic check; in many cases, the file
encoding may trump the declared encoding.
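The detection steps listed above, reconstructed as an added PHP example; this is not the `Zend_Xml_Security` code from the patch. It relies on the mbstring extension, the function and constant names (`detectFileEncoding`, `detectDeclaredEncoding`, `containsEntityDeclaration`, `XML_BOMS`) are hypothetical, and the three XML documents at the end are constructed. As the last paragraph notes, the `<!ENTITY` needle is built from both the file encoding and the declared encoding, so a document whose declaration does not match its actual byte encoding is still caught.

```php
<?php
// Added example, not the Zend_Xml_Security code from the patch: the
// encoding-aware "<!ENTITY" heuristic described above, using mbstring.
// Function and constant names are hypothetical; the sample XML is constructed.

// BOM => encoding pairs; longer BOMs are listed first so UTF-32LE wins over UTF-16LE.
const XML_BOMS = [
    "\x00\x00\xFE\xFF" => 'UTF-32BE',
    "\xFF\xFE\x00\x00" => 'UTF-32LE',
    "\xEF\xBB\xBF"     => 'UTF-8',
    "\xFE\xFF"         => 'UTF-16BE',
    "\xFF\xFE"         => 'UTF-16LE',
];

// Encodings probed when no BOM is present, by matching an encoded "<?xml".
const XML_CANDIDATE_ENCODINGS = ['UTF-32BE', 'UTF-32LE', 'UTF-16BE', 'UTF-16LE', 'UTF-8'];

// Encode an ASCII literal into $encoding; null when the encoding is unknown to mbstring.
function encodeAscii(string $ascii, string $encoding): ?string
{
    try {
        $out = mb_convert_encoding($ascii, $encoding, 'ASCII');
    } catch (ValueError $e) { // PHP 8 throws on an unknown encoding
        return null;
    }
    return is_string($out) && $out !== '' ? $out : null; // PHP 7 returns false instead
}

// Step 1: file encoding from the BOM, else from an encoded "<?xml", else UTF-8.
function detectFileEncoding(string $xml): string
{
    foreach (XML_BOMS as $bom => $encoding) {
        if (strncmp($xml, $bom, strlen($bom)) === 0) {
            return $encoding;
        }
    }
    foreach (XML_CANDIDATE_ENCODINGS as $encoding) {
        $probe = encodeAscii('<?xml', $encoding);
        if ($probe !== null && strncmp($xml, $probe, strlen($probe)) === 0) {
            return $encoding;
        }
    }
    return 'UTF-8';
}

// Step 2: the declared encoding="..." from the XML declaration, read in the file encoding.
function detectDeclaredEncoding(string $xml, string $fileEncoding): string
{
    $gt    = encodeAscii('>', $fileEncoding);
    $attr  = encodeAscii('encoding="', $fileEncoding);
    $quote = encodeAscii('"', $fileEncoding);
    if ($gt === null || $attr === null || $quote === null) {
        return $fileEncoding;
    }
    $gtPos   = strpos($xml, $gt);
    $attrPos = strpos($xml, $attr);
    if ($attrPos === false || $gtPos === false || $attrPos > $gtPos) {
        return $fileEncoding; // no encoding attribute inside the declaration
    }
    $start = $attrPos + strlen($attr);
    $end   = strpos($xml, $quote, $start);
    if ($end === false) {
        return $fileEncoding;
    }
    $declared = mb_convert_encoding(substr($xml, $start, $end - $start), 'ASCII', $fileEncoding);
    return str_replace("\0", '', (string) $declared); // strip null bytes, as the patch does
}

// Step 3: search for "<!ENTITY" encoded in the file encoding and in the declared encoding.
function containsEntityDeclaration(string $xml): bool
{
    $fileEncoding = detectFileEncoding($xml);
    $encodings    = array_unique([$fileEncoding, detectDeclaredEncoding($xml, $fileEncoding)]);
    foreach ($encodings as $encoding) {
        $needle = encodeAscii('<!ENTITY', $encoding);
        if ($needle !== null && strpos($xml, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed documents: plain UTF-8 without an entity, UTF-8 with an internal
// entity, and the same entity declaration in UTF-16LE with a BOM, declared as "UTF-16".
$samples = [
    'utf8-plain'     => '<?xml version="1.0" encoding="UTF-8"?><doc>hello</doc>',
    'utf8-entity'    => '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE doc [<!ENTITY x "y">]><doc>&x;</doc>',
    'utf16le-entity' => "\xFF\xFE" . encodeAscii(
        '<?xml version="1.0" encoding="UTF-16"?><!DOCTYPE doc [<!ENTITY x "y">]><doc>&x;</doc>',
        'UTF-16LE'
    ),
];

foreach ($samples as $label => $doc) {
    $file = detectFileEncoding($doc);
    printf("%-15s file=%-8s declared=%-8s entity-declaration=%s\n",
        $label, $file, detectDeclaredEncoding($doc, $file),
        containsEntityDeclaration($doc) ? 'found' : 'none');
}
```

A naive `strpos($xml, '<!ENTITY')` on the UTF-16LE sample finds nothing, because every ASCII byte is interleaved with a null byte; that gap is what the patch closes by encoding the needle first. On PHP builds where libxml is thread-safe, the commit message says the libxml checks are always used instead, so this heuristic only matters on the older versions it names.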

0006 ZF2015 07 Use umask of 0002.patch

library/Zend/Cloud/StorageService/Adapter/FileSystem.php | 2 (+1, -1)
library/Zend/Search/Lucene/Storage/Directory/Filesystem.php | 5 (+3, -2)
library/Zend/Service/WindowsAzure/CommandLine/PackageScaffolder/PackageScaffolderAbstract.php | 12 (+7, -5)
3 files changed, 11 insertions(+), 8 deletions(-)

[zf2015-07] use umask of 0002

Default to 0775 for directory creation, and apply umask of 0002 to any
user-supplied directory creation modes to prevent potential privilege escalation
attacks.

0007 ZF2015 08 Fix null byte injection for PDO MsSql.patch

library/Zend/Db/Adapter/Pdo/Abstract.php | 1 (+0, -1)
library/Zend/Db/Adapter/Pdo/Mssql.php | 17 (+16, -1)
library/Zend/Db/Adapter/Pdo/Sqlite.php | 14 (+14, -0)
tests/TestConfiguration.php.dist | 5 (+3, -2)
tests/Zend/Db/Adapter/Pdo/MssqlTest.php | 58 (+21, -37)
tests/Zend/Db/Adapter/Pdo/MysqlTest.php | 13 (+11, -2)
tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 11 (+11, -0)
tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 (+10, -0)
tests/Zend/Db/Adapter/TestCommon.php | 5 (+2, -3)
tests/Zend/Db/TestUtil/Pdo/Mssql.php | 4 (+3, -1)
10 files changed, 91 insertions(+), 47 deletions(-)

[zf2015-08] fix null byte injection for pdo mssql

This addresses the same issue as found in ZF2014-06, but within the PDO MsSql
adapter. Additionally, it fixes transaction tests for that adapter.

0008 ZF2015 09 Fixed entropy issue in word CAPTCHA.patch

library/Zend/Captcha/Word.php | 29 (+17, -12)
library/Zend/Crypt/Math.php | 100 (+94, -6)
tests/Zend/Crypt/MathTest.php | 75 (+72, -3)
3 files changed, 183 insertions(+), 21 deletions(-)

zf2015-09: fixed entropy issue in word captcha

This patch fixes a potential entropy fixation vector with `Zend_Captcha_Word`.
Prior to the fix, when selecting letters for the CAPTCHA, `array_rand()` was
used, which does not use sufficient entropy during randomization. The patch
backports randomization routines from ZF2 in order to provide a more
cryptographically secure RNG.

0009 Fixed the rand usage.patch

library/Zend/Crypt/Math.php | 10 (+5, -5)
library/Zend/Filter/Encrypt/Mcrypt.php | 6 (+4, -2)
library/Zend/Form/Element/Hash.php | 8 (+4, -4)
library/Zend/Gdata/HttpClient.php | 5 (+4, -1)
library/Zend/Ldap/Attribute.php | 7 (+5, -2)
library/Zend/OpenId.php | 9 (+4, -5)
6 files changed, 26 insertions(+), 19 deletions(-)

fixed the rand usage