
Re: stable update: phppgadmin 4.2.3-1.1squeeze1 possible XSS vulnerability



Re: Adam D. Barratt 2012-04-04 <1333566352.16478.14.camel@jacala.jungle.funky-badger.org>
> I'd like to see a full debdiff for final confirmation but based on the
> commit link above it looks suitable; thanks for working on fixing this
> issue in stable.

diff -Nru phppgadmin-4.2.3/debian/changelog phppgadmin-4.2.3/debian/changelog
--- phppgadmin-4.2.3/debian/changelog	2011-10-26 21:53:31.000000000 +0200
+++ phppgadmin-4.2.3/debian/changelog	2012-03-27 12:33:25.000000000 +0200
@@ -1,3 +1,9 @@
+phppgadmin (4.2.3-1.1squeeze2) stable-security; urgency=low
+
+  * Cherry-pick from 5.0.4: Fix XSS in function.php, reported by Mateusz Goik.
+
+ -- Christoph Berg <myon@debian.org>  Tue, 27 Mar 2012 12:32:43 +0200
+
 phppgadmin (4.2.3-1.1squeeze1) stable-security; urgency=high
 
   * Fix CVE-2011-3598 (XSS).
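Review bot: the changelog entry names the fixed file as function.php, but the patch added further down in this debdiff modifies functions.php; the entry also carries no CVE or bug reference, unlike the preceding 4.2.3-1.1squeeze1 entry (`* Fix CVE-2011-3598 (XSS).`). Suggest correcting the filename and, if an identifier has been assigned for the issue reported by Mateusz Goik, citing it in the entry so the security tracker can match the upload.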
diff -Nru phppgadmin-4.2.3/debian/patches/series phppgadmin-4.2.3/debian/patches/series
--- phppgadmin-4.2.3/debian/patches/series	2011-10-10 10:22:47.000000000 +0200
+++ phppgadmin-4.2.3/debian/patches/series	2012-03-27 12:32:11.000000000 +0200
@@ -2,3 +2,4 @@
 localhost.patch
 php5.3-reference-value-fix.patch
 CVE-2011-3598
+xss-function.php
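Review bot: the new series entry `xss-function.php` reads like a PHP source file rather than a patch, and it does not match the file the patch actually touches (functions.php); a name such as `xss-functions.patch` would make its purpose clearer when browsing debian/patches and keep it from being mistaken for code.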
diff -Nru phppgadmin-4.2.3/debian/patches/xss-function.php phppgadmin-4.2.3/debian/patches/xss-function.php
--- phppgadmin-4.2.3/debian/patches/xss-function.php	1970-01-01 01:00:00.000000000 +0100
+++ phppgadmin-4.2.3/debian/patches/xss-function.php	2012-03-27 12:32:39.000000000 +0200
@@ -0,0 +1,17 @@
+--- a/functions.php
++++ b/functions.php
+@@ -771,14 +771,12 @@
+ 			'function' => array(
+ 				'title' => $lang['strfunction'],
+ 				'field' => field('proproto'),
+-				'type'  => 'verbatim',
+ 				'url'   => "redirect.php?subject=function&amp;action=properties&amp;{$misc->href}&amp;",
+ 				'vars'  => array('function' => 'proproto', 'function_oid' => 'prooid'),
+ 			),
+ 			'returns' => array(
+ 				'title' => $lang['strreturns'],
+ 				'field' => field('proreturns'),
+-				'type'  => 'verbatim',
+ 			),
+ 			'owner' => array(
+ 				'title' => $lang['strowner'],
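Review bot: the inner patch has no DEP-3 header (Origin, Bug, Description, Author), so the 5.0.4 cherry-pick mentioned in the changelog is not recorded in the patch itself; suggest prefixing it with at least `Origin: upstream, <commit URL>` and `Description: Fix XSS in functions.php`. On the content, dropping `'type' => 'verbatim'` from the `function` and `returns` columns means the proproto and proreturns values are no longer emitted raw, so the fix relies entirely on the default column rendering escaping them; it is worth confirming that no other column in this table, or on the related list pages, still carries `'type' => 'verbatim'` for data a user can influence.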


Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/
