[pkg-php-pear] Bug#786778: zendframework: HTTP Client component doesn't work after security upgrade

Marc Falzon debian at happn.fr
Mon May 25 13:52:42 UTC 2015

Package: zendframework
Version: 1.12.9+dfsg-2+deb8u2
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

After upgrading to version 1.12.9+dfsg-2+deb8u2 following security issue
in CVE-2015-3154 (https://security-tracker.debian.org/tracker/CVE-2015-3154),
the HTTP Client component of the framework throws exceptions after
executing a request. These crashes didn't occur before the security

Code snippet to reproduce the issue:


$httpClient = new \Zend_Http_Client();
$response = $httpClient->request('POST');

Results in:

Fatal error: Uncaught exception 'Zend_Http_Exception' with message
'Invalid header value detected' in
Stack trace:
#0 /debian/zend/library/Zend/Http/Client.php(467):
#1 /debian/zend/library/Zend/Http/Client.php(1358):
Zend_Http_Client->setHeaders('Content-Length', 0)
#2 /debian/zend/library/Zend/Http/Client.php(1061):
#3 /debian/test.php(15): Zend_Http_Client->request('POST')
#4 {main}
  thrown in /debian/zend/library/Zend/Http/Client.php on line 1597

In "preparebody" or "setRawData" method in Zend_Http_Client.php,
there are some calls "$this->setHeaders(self::CONTENT_LENGTH, strlen($this->raw_post_data))";
the length value is a numeric, but the "_validateHeaderValue" method that you added in the
patch doesn't accept numeric value as argument.
This throw the Zend_Http_Exception('Invalid header value detected');
maybe you can cast the value before calling _validateHeaderValue.

Best regards,


More information about the pkg-php-pear mailing list