preliminary work on phpmyadmin



I exhausted my allowed work time today, but still wanted to share some
work I did on phpMyAdmin to fix the issues pending in wheezy.

It's a little bit of a mess: originally, I started to mark all the
issues as resolved because our release (3.4) is not mentioned in the
upstream advisories. But that's because it is simply not supported. It's
the same for jessie, btw, which version (4.2) sits weirdly unsupported
between two supported upstream releases (4.0 and 4.5).

So I went back to see which patches I could actually backport. Two
patches, CVE-2016-2041 and CVE-2016-2039, can be easily ported from
squeeze.

The rest of it is just gruesome PHP digging and code discovery from
there on. There are around 10 more vulnerabilities to patch there, and 3.4
is very old so the code is sometimes hard to find. I was only able to
work on CVE-2016-2560, and I attach the patch here for review.

Description: fix found issues for CVE-2016-2560
 That CVE was fixed by 5 distinct commits. Only two of those commits
 would affect code found in wheezy. The others were:
 .
  * 7ddce5e39a4e12cd351732955394bc7055c280eb: file not present, vulnerability not found in wheezy
  * 0667ea8ac7519d7e642eade2686dc393d5faeae3: vulnerability present in 3.4.3.1, but code mysteriously not found in wheezy
  * fe3be9f4b9edd54dc39919e7dfeaaf4a67c1cf83: vulnerability introduced in 052fd61f (3.5.1)
 .
 This patch is made of porting the remaining two commits to wheezy, by hand.
Author: Antoine Beaupré <anarcat@debian.org>
Origin: upstream, b8f1e0f325f8f32bd82af64111d8c2e9055a363c 73c8245a3d1893a710447957e28dcfb18d9b47ad
Forwarded: not-needed

--- phpmyadmin-3.4.11.1.orig/js/functions.js
+++ phpmyadmin-3.4.11.1/js/functions.js
@@ -31,7 +31,7 @@ function pdfPaperSize(a,b){switch(a.toUp
 "x"?1218.9:1729.13;case "RA3":return b=="x"?864.57:1218.9;case "RA4":return b=="x"?609.45:864.57;case "SRA0":return b=="x"?2551.18:3628.35;case "SRA1":return b=="x"?1814.17:2551.18;case "SRA2":return b=="x"?1275.59:1814.17;case "SRA3":return b=="x"?907.09:1275.59;case "SRA4":return b=="x"?637.8:907.09;case "LETTER":return b=="x"?612:792;case "LEGAL":return b=="x"?612:1008;case "EXECUTIVE":return b=="x"?521.86:756;case "FOLIO":return b=="x"?612:936}return 0}
 function popupBSMedia(a,b,c,d,e,f){if(e==undefined)e=640;if(f==undefined)f=480;window.open("bs_play_media.php?"+a+"&bs_reference="+b+"&media_type="+c+"&custom_type="+d,"viewBSMedia","width="+e+", height="+f+", resizable=1, scrollbars=1, status=0")}function requestMIMETypeChange(a,b,c,d){if(undefined==d)d="";var e=prompt("Enter custom MIME type",d);e&&e!=d&&changeMIMEType(a,b,c,e)}
 function changeMIMEType(a,b,c,d){jQuery.post("bs_change_mime_type.php",{bs_db:a,bs_table:b,bs_reference:c,bs_new_mime_type:d})}
-$(document).ready(function(){$(".inline_edit_sql").live("click",function(){var a=$(this).prev().find("input[name='server']").val(),b=$(this).prev().find("input[name='db']").val(),c=$(this).prev().find("input[name='table']").val(),d=$(this).prev().find("input[name='token']").val(),e=$(this).prev().find("input[name='sql_query']").val(),f=$(this).parent().prev().find(".inner_sql"),j=f.html(),g='<textarea name="sql_query_edit" id="sql_query_edit">'+e+"</textarea>\n";g+='<input type="button" class="btnSave" value="'+
+$(document).ready(function(){$(".inline_edit_sql").live("click",function(){var a=$(this).prev().find("input[name='server']").val(),b=$(this).prev().find("input[name='db']").val(),c=$(this).prev().find("input[name='table']").val(),d=$(this).prev().find("input[name='token']").val(),e=$(this).prev().find("input[name='sql_query']").val(),f=$(this).parent().prev().find(".inner_sql"),j=f.html(),g='<textarea name="sql_query_edit" id="sql_query_edit">'+escapeHtml(e)+"</textarea>\n";g+='<input type="button" class="btnSave" value="'+
 PMA_messages.strGo+'">\n';g+='<input type="button" class="btnDiscard" value="'+PMA_messages.strCancel+'">\n';f.replaceWith(g);$(".btnSave").each(function(){$(this).click(function(){e=$(this).prev().val();window.location.replace("import.php?server="+encodeURIComponent(a)+"&db="+encodeURIComponent(b)+"&table="+encodeURIComponent(c)+"&sql_query="+encodeURIComponent(e)+"&show_query=1&token="+d)})});$(".btnDiscard").each(function(){$(this).click(function(){$(this).closest(".sql").html('<span class="syntax"><span class="inner_sql">'+
 j+"</span></span>")})});return false});$(".sqlbutton").click(function(a){a.target.id=="clear"?$("#sqlquery").val(""):insertQuery(a.target.id);return false});$("#export_type").change(function(){if($("#export_type").val()=="svg"){$("#show_grid_opt").attr("disabled","disabled");$("#orientation_opt").attr("disabled","disabled");$("#with_doc").attr("disabled","disabled");$("#show_table_dim_opt").removeAttr("disabled");$("#all_table_same_wide").removeAttr("disabled");$("#paper_opt").removeAttr("disabled",
 "disabled");$("#show_color_opt").removeAttr("disabled","disabled")}else if($("#export_type").val()=="dia"){$("#show_grid_opt").attr("disabled","disabled");$("#with_doc").attr("disabled","disabled");$("#show_table_dim_opt").attr("disabled","disabled");$("#all_table_same_wide").attr("disabled","disabled");$("#paper_opt").removeAttr("disabled","disabled");$("#show_color_opt").removeAttr("disabled","disabled");$("#orientation_opt").removeAttr("disabled","disabled")}else if($("#export_type").val()=="eps"){$("#show_grid_opt").attr("disabled",
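Review bot: the `+` line wraps the SQL query in `escapeHtml(e)` before it is written into the `sql_query_edit` textarea, but the hunk only adds the call; nothing in this patch shows `escapeHtml` being defined in the 3.4.11.1 `js/functions.js`. Please confirm the function already exists in this file (or add its definition in the same patch), otherwise the `.inline_edit_sql` click handler throws a ReferenceError and the inline editor stops opening, which would read as a regression rather than a fix. Since the file is minified, it is also worth a quick visual check that the replacement landed only in that handler; the later `encodeURIComponent(e)` in the `btnSave` handler is URL encoding for a different context and does not need to change.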
--- phpmyadmin-3.4.11.1.orig/libraries/Config.class.php
+++ phpmyadmin-3.4.11.1/libraries/Config.class.php
@@ -808,7 +808,7 @@ class PMA_Config
                 $pma_absolute_uri .= '@';
             }
             // Add hostname
-            $pma_absolute_uri .= $url['host'];
+            $pma_absolute_uri .= urlencode($url['host']);
             // Add port, if it not the default one
             if (! empty($url['port'])
               && (($url['scheme'] == 'http' && $url['port'] != 80)
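Review bot: `urlencode($url['host'])` percent-encodes anything that is not valid in a hostname, but `parse_url()` returns IPv6 literals with their brackets (`[::1]`), and `urlencode` would turn those into `%5B::1%5D`, producing an absolute URI that no longer parses. If the upstream commit named in the Origin field does exactly this, the backport is faithful, but the Description could note that `PmaAbsoluteUri` values with a bracketed IPv6 host are affected; a stricter alternative would be to reject hosts that do not match the hostname grammar instead of encoding them. The context line just above (`$pma_absolute_uri .= '@';`) shows the userinfo part being appended before the host; please check whether `$url['user']` and `$url['pass']` receive the same treatment in the upstream commit, since only the host line is touched here.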
I'll start working on the other patches now, but I wonder if we wouldn't
want to update to a supported release (e.g. 4.0 or 4.5) for
wheezy-lts.

We should probably see what we do with Jessie as well, as it will be
painful to maintain in the long run as well...

For the record, here's the support schedule of phpmyadmin:

 * 4.0: PHP 5.2, MySQL 5, April 2017
 * 4.4: PHP 5.3.7 - 7.0, MySQL 5.5, October 2016
 * 4.6: PHP 5.5 - 7.0, MySQL 5.5, unclear schedule

Wheezy has PHP 5.4, Jessie has 5.6, both have MySQL 5.5.47.

A.
-- 
Modern man has a kind of poverty of the spirit which stands
in great contrast to his remarkable scientific and technological
achievements. We've learned to walk in outer space and yet we
haven't learned to walk to earth as brothers and sisters.
                        - Dr. Martin Luther King, Jr.
