CVE Request: Zend Framework: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select

[Salvatore Bonaccorso <carnil () debian org>]

Hi

The Zend Framework project released security advisory ZF2016-02[0] to
address a potential SQL injection in ORDER and GROUP statements of
Zend_Db_Select.

> From the advisory:

> The implementation of ORDER BY and GROUP BY in Zend_Db_Select of ZF1
> is vulnerable by the following SQL injection:
>
> $db = Zend_Db::factory(/* options here */);
> $select = new Zend_Db_Select($db);
> $select->from('p');
> $select->order("MD5(\"(\");DELETE FROM p2; #)"); // same with group()
>
> The above $select will render the following SQL statement:
>
> SELECT `p`.* FROM `p` ORDER BY MD5("");DELETE FROM p2; #) ASC
>
> instead of the correct one:
>
> SELECT `p`.* FROM `p` ORDER BY "MD5("""");DELETE FROM p2; #)" ASC
>
> This security fix can be considered as an improvement of the previous
> ZF2014-04.

Upstream commit is at [1] as bf3f40605be3d8f136a07ae991079a7dcb34d967.

 [0] https://framework.zend.com/security/advisory/ZF2016-02
 [1]  https://github.com/zendframework/zf1/commit/bf3f40605be3d8f136a07ae991079a7dcb34d967

Could you please assign a CVE for this issue.

Regards,
Salvatore