Bug 860738 (CVE-2012-4451)

Summary: CVE-2012-4451 php-ZendFramework: XSS vectors in multiple Zend Framework components (ZF2012-03)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: fedora, felix
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ZendFramework 2.0.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-13 22:42:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 860744, 860745
Bug Blocks:

Description Jan Lieskovsky 2012-09-26 15:30:46 UTC
Multiple possibilities for cross-site scripting (XSS) flaws were corrected in upstream 2.0.1 version of Zend Framework:
[1] http://framework.zend.com/blog/zend-framework-2-0-1-released.html

More from upstream advisory - [2] http://framework.zend.com/security/advisory/ZF2012-03:

Zend\Debug, Zend\Feed\PubSubHubbub, Zend\Log\Formatter\Xml, Zend\Tag\Cloud\Decorator, Zend\Uri, Zend\View\Helper\HeadStyle, Zend\View\Helper\Navigation\Sitemap, and Zend\View\Helper\Placeholder\Container\AbstractStandalone were not using Zend\Escaper when escaping HTML, HTML attributes, and/or URLs. While most were performing some escaping, because they were not using context-appropriate escaping mechanisms, they could potentially be exploited to perform Cross Site Scripting (XSS) attacks.

Relevant upstream patch:
[3] https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733

Comment 1 Jan Lieskovsky 2012-09-26 15:38:40 UTC
> Relevant upstream patch:
> [3] https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733

While the above referenced upstream patch is against the 2.0.1 branch, after backport / modification it would also be applicable to ZendFramework-1.x versions:

   Upstream ZF2 version:                              Fedora / EPEL ZF1 version:
   ---------------------------------------------------------------------------
   1) library/Zend/Debug/Debug.php                 => library/Zend/Debug.php
   2) library/Zend/Feed/PubSubHubbub/PubSubHubbub.php => library/Zend/Feed/Pubsubhubbub.php:

    /**
     * RFC 3986 safe url encoding method
     *
     * @param  string $string
     * @return string
     */
    public static function urlencode($string)

is the same in both versions (similarly would apply for other parts of upstream patch above).
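The advisory quoted in the description and the RFC 3986 urlencode() helper shown in comment 1 come down to one point: output that lands in an HTML body, in an HTML attribute, or in a URL needs an escaper built for that context, and applying body-style entity encoding everywhere is what left these components exploitable. The PHP below is an added illustration written for this bug record, not Zend Framework's own code: the method names mirror Zend\Escaper\Escaper so the mapping is obvious, but the bodies are simplified stand-ins, and the untrusted input string is constructed.

```php
<?php
// Added example, not Zend Framework code. A minimal context-aware escaper in the
// spirit of Zend\Escaper\Escaper: one method per output context, never one
// method for all contexts. Requires the mbstring extension for mb_ord().

final class ContextEscaper
{
    // HTML body context: the five significant characters become entities.
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE keeps invalid UTF-8
    // from silently producing an empty string.
    public static function escapeHtml(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // HTML attribute context: stricter than the body. Everything outside a
    // small alphanumeric safe set is hex-entity encoded, so a value cannot
    // break out of an attribute even if the template forgot the quotes.
    public static function escapeHtmlAttr(string $s): string
    {
        return preg_replace_callback(
            '/[^A-Za-z0-9,._-]/u',
            static function (array $m): string {
                return sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
            },
            $s
        );
    }

    // URL component context: RFC 3986 percent-encoding, which is what the
    // urlencode() helper in comment 1 is for. Entity encoding is meaningless
    // here; a browser decodes %XX inside a URL, not &lt; or &#x3C;. Since
    // PHP 5.3 rawurlencode() leaves the unreserved '~' alone, as RFC 3986 wants.
    public static function escapeUrl(string $s): string
    {
        return rawurlencode($s);
    }
}

// Constructed untrusted input containing a character that matters in each context.
$untrusted = 'Tom & "Jerry" <b>\'s ~';

// Each line shows the escaper matched to where the value is being written.
printf("body:      <p>%s</p>\n", ContextEscaper::escapeHtml($untrusted));
printf("attribute: <input value=%s>\n", ContextEscaper::escapeHtmlAttr($untrusted));
printf("url:       <a href=\"/search?q=%s\">\n", ContextEscaper::escapeUrl($untrusted));
```

Running this with `php` prints the same input three ways, and the contrast is the check a reviewer of the upstream patch wants: the attribute form has no raw space or quote left to terminate an unquoted attribute, and the URL form has no entity that a browser would pass through unchanged into the query string. When auditing a view helper, the question is simply whether the escaper's context matches the sink it writes to.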

Comment 2 Jan Lieskovsky 2012-09-26 15:39:53 UTC
This issue affects the versions of the php-ZendFramework package, as shipped with Fedora releases 16 and 17. Please schedule an update.

--

This issue affects the version of the php-ZendFramework package, as shipped with Fedora EPEL 6. Please schedule an update.

Comment 3 Jan Lieskovsky 2012-09-26 15:41:08 UTC
Created php-ZendFramework tracking bugs for this issue

Affects: fedora-all [bug 860744]
Affects: epel-6 [bug 860745]

Comment 4 Jan Lieskovsky 2012-09-26 15:58:56 UTC
CVE request:
[4] http://www.openwall.com/lists/oss-security/2012/09/26/7

Comment 5 Vincent Danen 2012-09-26 20:39:47 UTC
This was assigned CVE-2012-4451:

http://www.openwall.com/lists/oss-security/2012/09/26/9

Comment 6 Felix Kaechele 2013-02-13 22:42:45 UTC
Fixed in 1.12.1, which we are shipping by now.