Bug#821042: jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u6

2016-05-18 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2016-05-14 at 18:43 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2016-04-14 at 18:06 -0400, David Prévot wrote:
> > As agreed with the security team, I’d like to fix another potential
> > entropy vulnerability that has been fixed in zendframework.
> > 
> > The fix also gets rid of openssl_random_pseudo_bytes() introduced in the
> > previous ZF2015-09 fix, and I also added a regression fix from the
> > CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1).
> 
> Apologies for the delay in getting back to you. Please go ahead.

Uploaded and flagged for acceptance.

Regards,

Adam



Bug#821042: jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u6

2016-05-14 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2016-04-14 at 18:06 -0400, David Prévot wrote:
> As agreed with the security team, I’d like to fix another potential
> entropy vulnerability that has been fixed in zendframework.
> 
> The fix also gets rid of openssl_random_pseudo_bytes() introduced in the
> previous ZF2015-09 fix, and I also added a regression fix from the
> CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1).

Apologies for the delay in getting back to you. Please go ahead.

Regards,

Adam



Bug#821042: jessie-pu: package zendframework/1.12.9+dfsg-2+deb8u6

2016-04-14 Thread David Prévot
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

As agreed with the security team, I’d like to fix another potential
entropy vulnerability that has been fixed in zendframework.

The fix also gets rid of openssl_random_pseudo_bytes() introduced in the
previous ZF2015-09 fix, and I also added a regression fix from the
CVE-2015-7695 (ZF2015-08) patch (this one was introduced in DSA-3369-1).

Please find attached the proposed debdiff for Jessie (a similar request
for Wheezy follows), the changelog entry is:

zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium

  * Fix regression from ZF2015-08: binary data corruption
  * Backport security fix from 1.12.18:
    - ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
      http://framework.zend.com/security/advisory/ZF2016-01

Regards

David
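The request above names two issue classes without showing them: escaping binary data before PDO quoting (the ZF2015-08 "binary data corruption" regression, whose `addcslashes($value, "\000\032")` line the attached debdiff removes from `Pdo_Abstract`) and trusting `openssl_random_pseudo_bytes()` without checking its strength flag (the entropy class of ZF2016-01). The following is an added illustration written for this thread; it is not code from the zendframework package, the upstream advisory, or the debdiff. The function names are mine, the sample blob is constructed, SQLite is used in place of MsSql so it runs offline, and what Zend's own replacement for `openssl_random_pseudo_bytes()` looks like is not on this page; the flag check shown is the general one.

```php
<?php
// Added illustration for Bug#821042; not code from zendframework or the Debian patch.
// (1) escaping a BLOB with addcslashes() before quoting changes its bytes;
// (2) openssl_random_pseudo_bytes() output is only acceptable when $strong is true.

/**
 * Reproduces the escaping step the original ZF2015-08 patch added to
 * Pdo_Abstract::quote(): NUL (\000) and SUB (\032) become backslash sequences.
 * Harmless for text, but a BLOB containing those bytes no longer reaches the
 * database unchanged, which is the regression the deb8u6 changelog refers to.
 */
function escape_like_zf2015_08($value)
{
    return addcslashes($value, "\000\032");
}

/** True when the escaping step altered the payload, i.e. the blob would be corrupted. */
function binary_is_corrupted($blob)
{
    return escape_like_zf2015_08($blob) !== $blob;
}

/**
 * Returns $length cryptographically strong random bytes or throws.
 * On PHP >= 7 random_bytes() is the right call; on older PHP the OpenSSL
 * fallback is acceptable only if the by-reference $strong flag comes back true.
 */
function strong_random_bytes($length)
{
    if (function_exists('random_bytes')) {
        return random_bytes($length);   // CSPRNG, throws on failure
    }
    $strong = false;
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes === false || $strong !== true) {
        // Never silently use output the library itself reports as weak.
        throw new RuntimeException('no cryptographically strong randomness available');
    }
    return $bytes;
}

// Constructed sample: the first bytes of a "binary" value containing NUL and 0x1A.
$blob = "\x89PNG\x00\x1a\x00\xff";

printf("blob:         %s\n", bin2hex($blob));
printf("after escape: %s\n", bin2hex(escape_like_zf2015_08($blob)));
printf("corrupted:    %s\n", binary_is_corrupted($blob) ? 'yes' : 'no');

// The safe alternative needs no manual escaping: bind the value as a parameter.
// Shown with the in-memory SQLite driver so it runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE t (data BLOB)');
$stmt = $pdo->prepare('INSERT INTO t (data) VALUES (:d)');
$stmt->bindValue(':d', $blob, PDO::PARAM_LOB);
$stmt->execute();
$back = $pdo->query('SELECT data FROM t')->fetchColumn();
if (is_resource($back)) {            // some drivers hand LOBs back as streams
    $back = stream_get_contents($back);
}
printf("round-trip:   %s\n", $back === $blob ? 'intact' : 'corrupted');

printf("random:       %s\n", bin2hex(strong_random_bytes(16)));
```

Running it prints the escaped blob as a longer hex string than the input (so `corrupted: yes`), while the bound parameter round-trips intact; the point is that null-byte handling belongs in the driver-specific adapter or in parameter binding, not in a generic `quote()` that every PDO backend shares.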
diff -Nru zendframework-1.12.9+dfsg/debian/changelog zendframework-1.12.9+dfsg/debian/changelog
--- zendframework-1.12.9+dfsg/debian/changelog	2015-11-24 18:25:30.0 -0400
+++ zendframework-1.12.9+dfsg/debian/changelog	2016-04-13 17:12:29.0 -0400
@@ -1,6 +1,15 @@
+zendframework (1.12.9+dfsg-2+deb8u6) jessie; urgency=medium
+
+  * Fix regression from ZF2015-08: binary data corruption
+  * Backport security fix from 1.12.18:
+- ZF2016-01: Potential Insufficient Entropy Vulnerability in ZF1
+  http://framework.zend.com/security/advisory/ZF2016-01
+
+ -- David Prévot   Wed, 13 Apr 2016 16:37:00 -0400
+
 zendframework (1.12.9+dfsg-2+deb8u5) jessie; urgency=medium
 
-  * Backport security fix from 1.12.17
+  * Backport security fix from 1.12.17:
 - ZF2015-09: Fixed entropy issue in word CAPTCHA
   http://framework.zend.com/security/advisory/ZF2015-09
 
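Review bot: the maintainer trailer ` -- David Prévot   Wed, 13 Apr 2016 16:37:00 -0400` in the new deb8u6 stanza carries no `<email>` between the name and the date, which `dpkg-parsechangelog` rejects; if this is only the list archive stripping angle brackets there is nothing to do, otherwise the address needs restoring before upload. Secondly, the `- ZF2016-01:` sub-item and its URL line sit flush with (or left of) the `*` item they belong to; the deb8u5 stanza below shows the same flattening, so indent both consistently under their parent items when touching this file anyway.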
diff -Nru zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch
--- zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch	2015-11-24 18:18:19.0 -0400
+++ zendframework-1.12.9+dfsg/debian/patches/0007-ZF2015-08-Fix-null-byte-injection-for-PDO-MsSql.patch	2016-04-13 17:12:29.0 -0400
@@ -5,37 +5,31 @@
 This addresses the same issue as found in ZF2014-06, but within the PDO MsSql
 adapter. Additionally, it fixes transaction tests for that adapter.
 
-Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2
+Origin: upstream, https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 https://github.com/zendframework/zf1/commit/70d8aba8c525190e906c663dfdc55355f6e74416
 ---
- library/Zend/Db/Adapter/Pdo/Abstract.php |  3 +-
- library/Zend/Db/Adapter/Pdo/Mssql.php|  2 +-
- tests/TestConfiguration.php.dist |  5 ++--
- tests/Zend/Db/Adapter/Pdo/MssqlTest.php  | 47 +++-
- tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 +++
- tests/Zend/Db/Adapter/TestCommon.php |  5 ++--
+ library/Zend/Db/Adapter/Pdo/Abstract.php |  1 -
+ library/Zend/Db/Adapter/Pdo/Mssql.php| 17 +-
+ library/Zend/Db/Adapter/Pdo/Sqlite.php   | 14 
+ tests/TestConfiguration.php.dist |  5 +--
+ tests/Zend/Db/Adapter/Pdo/MssqlTest.php  | 58 
+ tests/Zend/Db/Adapter/Pdo/MysqlTest.php  | 13 +--
+ tests/Zend/Db/Adapter/Pdo/SqliteTest.php | 11 ++
+ tests/Zend/Db/Adapter/Pdo/TestCommon.php | 10 ++
+ tests/Zend/Db/Adapter/TestCommon.php |  5 ++-
  tests/Zend/Db/TestUtil/Pdo/Mssql.php |  4 ++-
- 7 files changed, 31 insertions(+), 45 deletions(-)
+ 10 files changed, 91 insertions(+), 47 deletions(-)
 
 diff --git a/library/Zend/Db/Adapter/Pdo/Abstract.php b/library/Zend/Db/Adapter/Pdo/Abstract.php
-index 84a76f3..7699d7a 100644
+index 84a76f3..e12b602 100644
 --- a/library/Zend/Db/Adapter/Pdo/Abstract.php
 +++ b/library/Zend/Db/Adapter/Pdo/Abstract.php
-@@ -292,6 +292,8 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
- if (is_int($value) || is_float($value)) {
- return $value;
- }
-+// Fix for null-byte injection
-+$value = addcslashes($value, "\000\032");
- $this->_connect();
- return $this->_connection->quote($value);
- }
-@@ -398,4 +400,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
+@@ -398,4 +398,3 @@ abstract class Zend_Db_Adapter_Pdo_Abstract extends Zend_Db_Adapter_Abstract
  }
  }
  }
 -
 diff --git a/library/Zend/Db/Adapter/Pdo/Mssql.php b/library/Zend/Db/Adapter/Pdo/Mssql.php
-index e3d8c7a..8a8d306 100644
+index e3d8c7a..6081887 100644
 --- a/library/Zend/Db/Adapter/Pdo/Mssql.php
 +++ b/library/Zend/Db/Adapter/Pdo/Mssql.php
 @@ -410,7 +410,7 @@ class Zend_Db_Adapter_Pdo_Mssql extends Zend_Db_Adapter_Pdo_Abstract
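Review bot: the patch description (the unchanged "This addresses the same issue as found in ZF2014-06 ... fixes transaction tests for that adapter" lines) no longer matches what the patch does once the second upstream commit is folded in: the `addcslashes($value, "\000\032")` hunk in `Pdo_Abstract::quote()` is dropped entirely, and the diffstat shows the lines moving into `Mssql.php` (+17) and a new `Sqlite.php` hunk (+14). Add a sentence to the DEP-3 header saying that the generic quoting change corrupted binary data for every PDO adapter and has been replaced by adapter-specific handling, so the header explains the regression fix the changelog entry names; listing the two commits on separate `Origin:` lines, or one `Origin:` plus a `Bug:` line, would also keep the header parseable.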
@@ -47,6 +41,49 @@
  $result
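Review bot: this hunk (`@@ -47,6 +41,49 @@`, the `Mssql.php` changes) is cut off after its first context line in this copy of the debdiff, so the roughly 43 added lines that carry the new MsSql null-byte handling cannot be reviewed here; the complete debdiff is needed to confirm that the replacement quoting still neutralises the NUL and 0x1A bytes the original fix targeted without re-introducing the binary corruption.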