Package: zendframework
Version: 1.12.9+dfsg-2+deb8u2
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

After upgrading to version 1.12.9+dfsg-2+deb8u2 following the security issue
CVE-2015-3154 (https://security-tracker.debian.org/tracker/CVE-2015-3154),
the HTTP Client component of the framework throws an exception after
executing a request. These crashes did not occur before the security
upgrade.

Code snippet to reproduce the issue:

<?php

//test.php
$httpClient = new \Zend_Http_Client();
$httpClient->setUri('https://www.debian.org/Bugs/');
$response = $httpClient->request('POST');
var_dump($response);

Results in:

Fatal error: Uncaught exception 'Zend_Http_Exception' with message
'Invalid header value detected' in
/debian/zend/library/Zend/Http/Client.php:1597
Stack trace:
#0 /debian/zend/library/Zend/Http/Client.php(467):
Zend_Http_Client->_validateHeaderValue(0)
#1 /debian/zend/library/Zend/Http/Client.php(1358):
Zend_Http_Client->setHeaders('Content-Length', 0)
#2 /debian/zend/library/Zend/Http/Client.php(1061):
Zend_Http_Client->_prepareBody()
#3 /debian/test.php(15): Zend_Http_Client->request('POST')
#4 {main}
  thrown in /debian/zend/library/Zend/Http/Client.php on line 1597


In the "_prepareBody" and "setRawData" methods in Zend/Http/Client.php,
there are calls of the form "$this->setHeaders(self::CONTENT_LENGTH,
strlen($this->raw_post_data))";
the length value is numeric, but the "_validateHeaderValue" method that you
added in the patch doesn't accept a numeric value as an argument.
This throws the Zend_Http_Exception('Invalid header value detected');
maybe you can cast the value to a string before calling _validateHeaderValue.

Best regards,

m.
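The following is an added illustration, not code from the bug report or from Zend Framework. It reimplements, as a hypothetical standalone function, the behaviour the report describes: a header value validator that rejects non-string values, so that the integer returned by strlen() for Content-Length is refused. Beside it is the cast-first variant the reporter suggests. The check for CR/LF (and other control characters) is an assumption about what a header-injection fix of this kind needs to keep; it is not taken from the actual patch. The function and class names are invented for the example.

```php
<?php
// Added example. Illustrative only: NOT Zend Framework code and NOT the
// Debian patch. Names and the exact validation rules are assumptions.

class HeaderValidationException extends Exception {}

// Strict variant, modelling the behaviour the bug report describes:
// anything that is not a string is rejected outright, so an int such as
// strlen($body) for Content-Length triggers the exception.
function validateHeaderValueStrict($value): void
{
    if (!is_string($value)) {
        throw new HeaderValidationException('Invalid header value detected');
    }
    // Assumed injection check: a CR or LF would terminate the header line
    // and let the caller smuggle additional headers into the request.
    if (preg_match('/[\r\n]/', $value)) {
        throw new HeaderValidationException('Invalid header value detected');
    }
}

// Fixed variant, following the reporter's suggestion: cast scalar values to
// string before validating, while keeping the injection check intact.
// Returns the normalised string so the caller can store exactly what was
// validated.
function validateHeaderValueFixed($value): string
{
    if (is_int($value) || is_float($value) || is_bool($value)) {
        $value = (string) $value;
    }
    if (!is_string($value)) {
        // Arrays, objects, null: still not a legal header value.
        throw new HeaderValidationException('Invalid header value detected');
    }
    // Reject CR, LF and every other ASCII control character (assumed rule).
    if (preg_match('/[\x00-\x1f\x7f]/', $value)) {
        throw new HeaderValidationException('Invalid header value detected');
    }
    return $value;
}

// Helper that reports whether a validator accepts a value, for the demo.
function accepts(callable $validator, $value): bool
{
    try {
        $validator($value);
        return true;
    } catch (HeaderValidationException $e) {
        return false;
    }
}

// Constructed inputs for the demonstration.
$emptyBody       = '';                       // raw_post_data of an empty POST
$contentLength   = strlen($emptyBody);       // int(0), as in the stack trace
$injectionAttempt = "0\r\nX-Injected: yes"; // attacker-controlled value

// Strict validator: the legitimate int is rejected (the reported crash) ...
var_dump(accepts('validateHeaderValueStrict', $contentLength)); // bool(false)
// ... while the fixed validator accepts it after the cast ...
var_dump(accepts('validateHeaderValueFixed', $contentLength));  // bool(true)
var_dump(validateHeaderValueFixed($contentLength));             // string(1) "0"
// ... and both still refuse a CRLF injection attempt.
var_dump(accepts('validateHeaderValueStrict', $injectionAttempt)); // bool(false)
var_dump(accepts('validateHeaderValueFixed', $injectionAttempt));  // bool(false)
```

Run it with `php example.php`. The point of the cast-first design is that the numeric Content-Length produced by strlen() is never a vector for header injection, so widening the accepted input types costs nothing as long as the control-character check runs on the resulting string.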

