Re: phpmyadmin update (Was Re: last call for wheezy updates and remaining work for transition)
- To: Emilio Pozuelo Monfort <pochu@debian.org>, debian-lts@lists.debian.org
- Subject: Re: phpmyadmin update (Was Re: last call for wheezy updates and remaining work for transition)
- From: Abhijith PA <abhijith@disroot.org>
- Date: Thu, 5 Jul 2018 16:15:51 +0530
- Message-id: <698e082a-3747-d2d8-9135-47e41724bbc7@disroot.org>
- In-reply-to: <2f0ac857-50dc-221e-4332-5678a453cbcd@debian.org>
- References: <87muwhuopl.fsf@curie.anarc.at> <28d88b9d-7404-1d1f-af01-e55324a0cee0@debian.org> <d676174e-794c-f71f-8c60-7b3eb4e35a12@disroot.org> <2f0ac857-50dc-221e-4332-5678a453cbcd@debian.org>
On Friday 22 June 2018 04:33 PM, Emilio Pozuelo Monfort wrote:
> Ah, nice! Your work looks very useful. My old work was for wheezy, so it only
> addressed one CVE (CVE-2017-18264). Since your work is on jessie (which is on a
> newer version) and fixes many more issues, I'll let you handle it. Let me know
> if you need a review or an upload when you are done with it.
>
> Cheers,
> Emilio
>
Emilio,
Can you review and upload phpmyadmin? The debdiff is attached. It looks like
CVE-2018-10188 and CVE-2018-12581 are not affecting, hence I am going to
mark them as not-affecting. All the rest are backported.
Thanks
--abhijith
diff -Nru phpmyadmin-4.2.12/debian/changelog phpmyadmin-4.2.12/debian/changelog
--- phpmyadmin-4.2.12/debian/changelog 2016-07-24 14:28:31.000000000 +0200
+++ phpmyadmin-4.2.12/debian/changelog 2018-03-04 06:27:49.000000000 +0100
@@ -1,3 +1,13 @@
+phpmyadmin (4:4.2.12-2+deb8u3) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix several security issues:
+ CVE-2016-6609, CVE-2016-6614, CVE-2016-6615, CVE-2016-6616,
+ CVE-2016-6618, CVE-2016-6619, CVE-2016-6620, CVE-2016-6621,
+ CVE-2016-6622, CVE-2016-9865, CVE-2017-18264
+
+ -- Abhijith PA <abhijith@disroot.org> Sun, 04 Mar 2018 10:57:49 +0530
+
phpmyadmin (4:4.2.12-2+deb8u2) jessie-security; urgency=high
* Fix several security issues:
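Review bot: the changelog stamp (Sun, 04 Mar 2018) is older than the Last-Update of the CVE-2017-18264 patch (2018-07-05) that is part of this same debdiff; refresh the entry's date (dch -r) before the upload so the changelog reflects when the work was finished, and double-check the distribution is still jessie-security rather than jessie-lts as used for LTS uploads at the time.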
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6609.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6609.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2016-6609.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6609.patch 2018-03-04 06:27:49.000000000 +0100
@@ -0,0 +1,57 @@
+Description: Fix CVE-2016-6609
+ An issue was discovered in phpMyAdmin. A specially crafted database name could
+ be used to run arbitrary PHP commands through the array export feature.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/34a1ceb
+Last-Update: 2018-03-11
+
+Index: phpmyadmin-4.2.12/libraries/plugins/export/ExportPhparray.class.php
+===================================================================
+--- phpmyadmin-4.2.12.orig/libraries/plugins/export/ExportPhparray.class.php
++++ phpmyadmin-4.2.12/libraries/plugins/export/ExportPhparray.class.php
+@@ -82,6 +82,18 @@ class ExportPhparray extends ExportPlugi
+ {
+ }
+
++ /**
++ * Removes end of comment from a string
++ *
++ * @param string $string String to replace
++ *
++ * @return string
++ */
++ public function commentString($string)
++ {
++ return strtr($string, '*/', '-');
++ }
++
+ /**
+ * Outputs export header
+ *
+@@ -119,9 +131,9 @@ class ExportPhparray extends ExportPlugi
+ public function exportDBHeader ($db)
+ {
+ PMA_exportOutputHandler(
+- '//' . $GLOBALS['crlf']
+- . '// Database ' . PMA_Util::backquote($db)
+- . $GLOBALS['crlf'] . '//' . $GLOBALS['crlf']
++ '/**' . $GLOBALS['crlf']
++ . ' * Database ' . $this->commentString(PMA_Util::backquote($db))
++ . $GLOBALS['crlf'] . ' */' . $GLOBALS['crlf']
+ );
+ return true;
+ }
+@@ -195,9 +207,9 @@ class ExportPhparray extends ExportPlugi
+ $buffer = '';
+ $record_cnt = 0;
+ // Output table name as comment
+- $buffer .= $crlf . '// '
+- . PMA_Util::backquote($db) . '.'
+- . PMA_Util::backquote($table) . $crlf;
++ $buffer .= $crlf . '/* '
++ . $this->commentString(PMA_Util::backquote($db)) . '.'
++ . $this->commentString(PMA_Util::backquote($table)) . ' */' . $crlf;
+ $buffer .= '$' . $tablefixed . ' = array(';
+
+ while ($record = $GLOBALS['dbi']->fetchRow($result)) {
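Review bot: `commentString()` in the first hunk relies on an implicit behaviour of three-argument `strtr()`: with a two-character `from` ('*/') and a one-character `to` ('-'), PHP ignores the extra character, so only '*' is mapped to '-' and '/' passes through unchanged. That is enough to stop a crafted database or table name from closing the `/* ... */` comment early, but the call reads as if both characters were meant to be replaced; `str_replace('*', '-', $string)` states the intent directly. The header should also use the DEP-3 form `Origin: backport, <url>` since the change is adapted from an upstream commit (the same applies to every patch header in this debdiff).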
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6614.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6614.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2016-6614.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6614.patch 2018-03-04 06:27:49.000000000 +0100
@@ -0,0 +1,21 @@
+Description: Fix CVE-2016-6614
+ An issue was discovered in phpMyAdmin involving the %u username replacement
+ functionality of the SaveDir and UploadDir features. When the username
+ substitution is configured, a specially-crafted user name can be used to
+ circumvent restrictions to traverse the file system.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/c6cfb58
+Last-Update: 2018-03-11
+
+--- phpmyadmin-4.2.12.orig/libraries/Util.class.php
++++ phpmyadmin-4.2.12/libraries/Util.class.php
+@@ -2530,7 +2530,7 @@ class PMA_Util
+ $dir .= '/';
+ }
+
+- return str_replace('%u', $GLOBALS['cfg']['Server']['user'], $dir);
++ return str_replace('%u', PMA_securePath($GLOBALS['cfg']['Server']['user']), $dir);
+ }
+
+ /**
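Review bot: the hunk wraps the `%u` substitution in `PMA_securePath()`, a function that is neither defined nor touched anywhere in this debdiff; confirm it exists in the 4.2.12 tree and is loaded wherever this PMA_Util helper runs, otherwise the fix turns into a fatal error on the export/import path. A quick regression check is worth adding to the upload notes: configure SaveDir with `%u`, log in with a username containing dot-dot segments, and verify the resulting directory stays inside the configured one.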
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6615.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6615.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2016-6615.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6615.patch 2018-03-04 06:27:49.000000000 +0100
@@ -0,0 +1,36 @@
+Description: Fix CVE-2016-6615
+ XSS issues were discovered in phpMyAdmin. This affects navigation pane and
+ database/table hiding feature (a specially-crafted database name can be used
+ to trigger an XSS attack); the "Tracking" feature (a specially-crafted query
+ can be used to trigger an XSS attack); and GIS visualization feature.
+
+ NOTE: The tracking feature code is not present in jessie version. Rest of the
+ vulnerabilities fully backported from upstream 4.4 branch.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://www.phpmyadmin.net/security/PMASA-2016-38/
+Last-Update: 2018-03-11
+
+--- phpmyadmin-4.2.12.orig/libraries/navigation/Nodes/Node_Database.class.php
++++ phpmyadmin-4.2.12/libraries/navigation/Nodes/Node_Database.class.php
+@@ -359,7 +359,7 @@ class Node_Database extends Node
+ . '<a href="navigation.php?'
+ . PMA_URL_getCommon()
+ . '&showUnhideDialog=true'
+- . '&dbName=' . urldecode($db) . '"'
++ . '&dbName=' . urlencode($db) . '"'
+ . ' class="showUnhide ajax">'
+ . PMA_Util::getImage(
+ 'lightbulb.png', __('Show hidden items')
+--- phpmyadmin-4.2.12.orig/libraries/tbl_gis_visualization.lib.php
++++ phpmyadmin-4.2.12/libraries/tbl_gis_visualization.lib.php
+@@ -134,7 +134,8 @@ function PMA_getHtmlForColumn($column, $
+ }
+
+ $html .= PMA_getHtmlForOptionsList(
+- $columnCandidates, array($visualizationSettings[$column])
++ array_map("htmlspecialchars", $columnCandidates),
++ array(htmlspecialchars($visualizationSettings[$column]))
+ );
+
+ $html .= '</select></td>';
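Review bot: the NOTE in the header says the tracking feature is absent from jessie, but the CVE-2016-6620 patch in this same debdiff modifies libraries/tbl_tracking.lib.php (`PMA_getHtmlForSchemaSnapshot`), so the feature is present in 4.2.12; re-check whether the tracking-query XSS part of PMASA-2016-38 applies to this version before leaving it out, and correct the NOTE either way. The two hunks that are here (urlencode for dbName, htmlspecialchars on the GIS option list) look right.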
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6616.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6616.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2016-6616.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6616.patch 2018-03-04 06:27:49.000000000 +0100
@@ -0,0 +1,22 @@
+Description: Fix CVE-2016-6616
+ An issue was discovered in phpMyAdmin. In the "User group" and "Designer"
+ features, a user can execute an SQL injection attack against the account of the
+ control user.
+ NOTE: The "Designer" feature is not present in jessie version. "User group"
+ vulnerability backported from upstream 4.4 branch.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/93a6913
+Last-Update: 2018-03-11
+
+--- phpmyadmin-4.2.12.orig/libraries/server_user_groups.lib.php
++++ phpmyadmin-4.2.12/libraries/server_user_groups.lib.php
+@@ -343,7 +343,7 @@ function PMA_editUserGroup($userGroup, $
+ $sql_query .= ", ";
+ }
+ $tabName = $tabGroupName . '_' . $tab;
+- $allowed = isset($_REQUEST[$tabName]) && $_REQUEST[$tabName] == 'Y';
++ $sql_query .= "('" . PMA_Util::sqlAddSlashes($userGroup) . "', '" . $tabName . "', '"
+ $sql_query .= "('" . $userGroup . "', '" . $tabName . "', '"
+ . ($allowed ? "Y" : "N") . "')";
+ $first = false;
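Review bot: the hunk removes the wrong line. It deletes `$allowed = isset($_REQUEST[$tabName]) && $_REQUEST[$tabName] == 'Y';` and keeps the original `$sql_query .= "('" . $userGroup . "', '" . $tabName . "', '"` as context, so after the patch `$allowed` is undefined and the new `$sql_query .=` line, which has no terminating semicolon, runs straight into a second `$sql_query .=` statement: a PHP parse error in libraries/server_user_groups.lib.php that breaks user-group editing entirely. The `-` marker belongs on the `$userGroup` line, with the `$allowed` assignment kept as context; the `-343,7 +343,7` counts still balance, which is why quilt applies it without complaint.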
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6618.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6618.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2016-6618.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6618.patch 2018-03-04 06:27:49.000000000 +0100
@@ -0,0 +1,32 @@
+Description: Fix CVE-2016-6618
+ An issue was discovered in phpMyAdmin. The transformation feature allows a user
+ to trigger a denial-of-service (DoS) attack against the server.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/ff88cdb
+Last-Update: 2018-03-11
+
+--- phpmyadmin-4.2.12.orig/transformation_wrapper.php
++++ phpmyadmin-4.2.12/transformation_wrapper.php
+@@ -34,9 +34,20 @@ $request_params = array(
+ 'transform_key',
+ 'where_clause'
+ );
++$size_params = array(
++ 'newHeight',
++ 'newWidth',
++);
+ foreach ($request_params as $one_request_param) {
+ if (isset($_REQUEST[$one_request_param])) {
+- $GLOBALS[$one_request_param] = $_REQUEST[$one_request_param];
++ if (in_array($one_request_param, $size_params)) {
++ $GLOBALS[$one_request_param] = intval($_REQUEST[$one_request_param]);
++ if ($GLOBALS[$one_request_param] > 2000) {
++ $GLOBALS[$one_request_param] = 2000;
++ }
++ } else {
++ $GLOBALS[$one_request_param] = $_REQUEST[$one_request_param];
++ }
+ }
+ }
+
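Review bot: the size clamp only bounds the upper end: `intval()` lets zero and negative values through and there is no lower limit, so `newHeight=-1` or `newWidth=0` reach the image resizing code unchanged. If the original problem was resource exhaustion from huge dimensions this is sufficient, but clamping into a range, for example `max(1, min(2000, intval($_REQUEST[$one_request_param])))`, closes the edge case at no cost.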
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6619.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6619.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2016-6619.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6619.patch 2018-03-04 06:27:49.000000000 +0100
@@ -0,0 +1,40 @@
+Description: Fix CVE-2016-6619
+ An issue was discovered in phpMyAdmin. In the user interface preference feature
+ , a user can execute an SQL injection attack against the account of the control
+ user.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/8ac57b1281250cbf3f0eee3db23fed281ad2ba3d
+Last-Update: 2018-03-11
+
+--- phpmyadmin-4.2.12.orig/libraries/RecentFavoriteTable.class.php
++++ phpmyadmin-4.2.12/libraries/RecentFavoriteTable.class.php
+@@ -113,7 +113,7 @@ class PMA_RecentFavoriteTable
+ // Read from phpMyAdmin database, if recent tables is not in session
+ $sql_query
+ = " SELECT `tables` FROM " . $this->_pmaTable .
+- " WHERE `username` = '" . $GLOBALS['cfg']['Server']['user'] . "'";
++ " WHERE `username` = '" . PMA_Util::sqlAddSlashes($GLOBALS['cfg']['Server']['user']) . "'";
+
+ $return = array();
+ $result = PMA_queryAsControlUser($sql_query, false);
+--- phpmyadmin-4.2.12.orig/libraries/Table.class.php
++++ phpmyadmin-4.2.12/libraries/Table.class.php
+@@ -1523,7 +1523,7 @@ class PMA_Table
+
+ // Read from phpMyAdmin database
+ $sql_query = " SELECT `prefs` FROM " . $pma_table
+- . " WHERE `username` = '" . $GLOBALS['cfg']['Server']['user'] . "'"
++ . " WHERE `username` = '" . PMA_Util::sqlAddSlashes($GLOBALS['cfg']['Server']['user']) . "'"
+ . " AND `db_name` = '" . PMA_Util::sqlAddSlashes($this->db_name) . "'"
+ . " AND `table_name` = '" . PMA_Util::sqlAddSlashes($this->name) . "'";
+
+@@ -1549,7 +1549,7 @@ class PMA_Table
+
+ $username = $GLOBALS['cfg']['Server']['user'];
+ $sql_query = " REPLACE INTO " . $pma_table
+- . " VALUES ('" . $username . "', '" . $secureDbName
++ . " VALUES ('" . PMA_Util::sqlAddSlashes($username) . "', '" . PMA_Util::sqlAddSlashes($this->db_name)
+ . "', '" . PMA_Util::sqlAddSlashes($this->name) . "', '"
+ . PMA_Util::sqlAddSlashes(json_encode($this->uiprefs)) . "', NULL)";
+
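Review bot: the third hunk (Table.class.php around line 1549) replaces `$secureDbName` with an inline `PMA_Util::sqlAddSlashes($this->db_name)`; if `$secureDbName` is still assigned earlier in that function it becomes dead code, so either drop that assignment or keep using it rather than escaping twice in two styles. The RecentFavoriteTable hunk escapes the username only in the SELECT; if the same class also writes the `username` column on save (not shown here), confirm that upstream commit 8ac57b1 covered that path and the backport did not miss it.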
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6620.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6620.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2016-6620.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6620.patch 2018-03-04 06:27:49.000000000 +0100
@@ -0,0 +1,119 @@
+Description: Fix CVE-2016-6620
+ An issue was discovered in phpMyAdmin. Some data is passed to the PHP
+ unserialize() function without verification that it's valid serialized data.
+ The unserialization can result in code execution because of the interaction
+ with object instantiation and autoloading.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/80c9302
+Last-Update: 2018-03-12
+
+--- phpmyadmin-4.2.12.orig/libraries/core.lib.php
++++ phpmyadmin-4.2.12/libraries/core.lib.php
+@@ -903,4 +903,92 @@ if(! function_exists('hash_equals')) {
+ return ! $ret;
+ }
+ }
++
++/**
++ * Safe unserializer wrapper
++ *
++ * It does not unserialize data containing objects
++ *
++ * @param string $data Data to unserialize
++ *
++ * @return mixed
++ */
++function PMA_safeUnserialize($data)
++{
++ if (! is_string($data)) {
++ return null;
++ }
++
++ /* validate serialized data */
++ $length = strlen($data);
++ $depth = 0;
++ for ($i = 0; $i < $length; $i++) {
++ $value = $data[$i];
++
++ switch ($value)
++ {
++ case '}':
++ /* end of array */
++ if ($depth <= 0) {
++ return null;
++ }
++ $depth--;
++ break;
++ case 's':
++ /* string */
++ // parse sting length
++ $strlen = intval($data[$i + 2]);
++ // string start
++ $i = strpos($data, ':', $i + 2);
++ if ($i === false) {
++ return null;
++ }
++ // skip string, quotes and ;
++ $i += 2 + $strlen + 1;
++ if ($data[$i] != ';') {
++ return null;
++ }
++ break;
++
++ case 'b':
++ case 'i':
++ case 'd':
++ /* bool, integer or double */
++ // skip value to sepearator
++ $i = strpos($data, ';', $i);
++ if ($i === false) {
++ return null;
++ }
++ break;
++ case 'a':
++ /* array */
++ // find array start
++ $i = strpos($data, '{', $i);
++ if ($i === false) {
++ return null;
++ }
++ // remember nesting
++ $depth++;
++ break;
++ case 'N':
++ /* null */
++ // skip to end
++ $i = strpos($data, ';', $i);
++ if ($i === false) {
++ return null;
++ }
++ break;
++ default:
++ /* any other elements are not wanted */
++ return null;
++ }
++ }
++
++ // check unterminated arrays
++ if ($depth > 0) {
++ return null;
++ }
++
++ return unserialize($data);
++}
+ ?>
+--- phpmyadmin-4.2.12.orig/libraries/tbl_tracking.lib.php
++++ phpmyadmin-4.2.12/libraries/tbl_tracking.lib.php
+@@ -780,7 +780,10 @@ function PMA_getHtmlForSchemaSnapshot($u
+ );
+
+ // Unserialize snapshot
+- $temp = unserialize($data['schema_snapshot']);
++ $temp = PMA_safeUnserialize($data['schema_snapshot']);
++ if ($temp === null) {
++ $temp = array('COLUMNS' => array(), 'INDEXES' => array());
++ }
+ $columns = $temp['COLUMNS'];
+ $indexes = $temp['INDEXES'];
+ $html .= PMA_getHtmlForColumns($columns);
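Review bot: the `case 's'` branch can index past the end of `$data`: after `$i += 2 + $strlen + 1;` there is no check that `$i < $length` before `$data[$i] != ';'`, so a declared string length larger than the remaining input reads an uninitialised string offset (a PHP notice; the empty string it yields fails the `;` test, so the outcome is a safe `null`, but by accident rather than design). Add `if ($i >= $length) { return null; }` before the comparison. The single-character `intval($data[$i + 2])` length parse is corrected by the CVE-2016-9865 patch later in this series, so nothing to do here beyond keeping that order. The tbl_tracking.lib.php fallback silently renders an empty COLUMNS/INDEXES snapshot when validation fails; a visible error would help an operator notice a corrupted or tampered snapshot.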
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6621.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6621.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2016-6621.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6621.patch 2018-03-04 06:27:49.000000000 +0100
@@ -0,0 +1,222 @@
+Description: Fix CVE-2016-6621
+ The setup script for phpMyAdmin allows remote attackers to conduct server-side
+ request forgery (SSRF) attacks via unspecified vectors.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/801485a
+ https://github.com/phpmyadmin/phpmyadmin/commit/88cc11a
+Last-Update: 2018-03-12
+
+--- phpmyadmin-4.2.12.orig/libraries/config/ConfigFile.class.php
++++ phpmyadmin-4.2.12/libraries/config/ConfigFile.class.php
+@@ -478,21 +478,6 @@ class ConfigFile
+ }
+
+ /**
+- * Returns config file path, relative to phpMyAdmin's root path
+- *
+- * @return string
+- */
+- public function getFilePath()
+- {
+- // Load paths
+- if (!defined('SETUP_CONFIG_FILE')) {
+- include_once './libraries/vendor_config.php';
+- }
+-
+- return SETUP_CONFIG_FILE;
+- }
+-
+- /**
+ * Returns configuration array (full, multidimensional format)
+ *
+ * @return array
+--- phpmyadmin-4.2.12.orig/libraries/vendor_config.php
++++ phpmyadmin-4.2.12/libraries/vendor_config.php
+@@ -26,17 +26,6 @@ define('CHANGELOG_FILE', '/usr/share/doc
+ define('LICENSE_FILE', '/usr/share/doc/phpmyadmin/copyright');
+
+ /**
+- * Path to config file generated using setup script.
+- */
+-define('SETUP_CONFIG_FILE', '/var/lib/phpmyadmin/config.inc.php');
+-
+-/**
+- * Whether setup requires writable directory where config
+- * file will be generated.
+- */
+-define('SETUP_DIR_WRITABLE', false);
+-
+-/**
+ * Directory where configuration files are stored.
+ * It is not used directly in code, just a convenient
+ * define used further in this file.
+--- phpmyadmin-4.2.12.orig/setup/config.php
++++ phpmyadmin-4.2.12/setup/config.php
+@@ -19,7 +19,6 @@ require './libraries/config/setup.forms.
+ $form_display = new FormDisplay($GLOBALS['ConfigFile']);
+ $form_display->registerForm('_config.php', $forms['_config.php']);
+ $form_display->save('_config.php');
+-$config_file_path = $GLOBALS['ConfigFile']->getFilePath();
+
+ if (isset($_POST['eol'])) {
+ $_SESSION['eol'] = ($_POST['eol'] == 'unix') ? 'unix' : 'win';
+@@ -41,35 +40,7 @@ if (PMA_ifSetOr($_POST['submit_clear'],
+ PMA_downloadHeader('config.inc.php', 'text/plain');
+ echo ConfigGenerator::getConfigFile($GLOBALS['ConfigFile']);
+ exit;
+-} elseif (PMA_ifSetOr($_POST['submit_save'], '')) {
+- //
+- // Save generated config file on the server
+- //
+- file_put_contents(
+- $config_file_path,
+- ConfigGenerator::getConfigFile($GLOBALS['ConfigFile'])
+- );
+- header('HTTP/1.1 303 See Other');
+- header('Location: index.php?action_done=config_saved');
+- exit;
+-} elseif (PMA_ifSetOr($_POST['submit_load'], '')) {
+- //
+- // Load config file from the server
+- //
+- $cfg = array();
+- include_once $config_file_path;
+- $GLOBALS['ConfigFile']->setConfigData($cfg);
+- header('HTTP/1.1 303 See Other');
+- header('Location: index.php');
+- exit;
+-} elseif (PMA_ifSetOr($_POST['submit_delete'], '')) {
+- //
+- // Delete config file on the server
+- //
+- @unlink($config_file_path);
+- header('HTTP/1.1 303 See Other');
+- header('Location: index.php');
+- exit;
++
+ } else {
+ //
+ // Show generated config file in a <textarea>
+--- phpmyadmin-4.2.12.orig/setup/frames/config.inc.php
++++ phpmyadmin-4.2.12/setup/frames/config.inc.php
+@@ -17,10 +17,7 @@ require_once './libraries/config/FormDis
+ require_once './setup/lib/index.lib.php';
+ require_once './setup/lib/ConfigGenerator.class.php';
+
+-$config_readable = false;
+-$config_writable = false;
+-$config_exists = false;
+-PMA_checkConfigRw($config_readable, $config_writable, $config_exists);
++
+ echo '<h2>' . __('Configuration file') . '</h2>';
+
+ PMA_displayFormTop('config.php');
+@@ -39,11 +36,6 @@ echo '<tr>';
+ echo '<td class="lastrow" style="text-align: left">';
+ echo '<input type="submit" name="submit_download" value="'
+ . __('Download') . '" class="green" />';
+-echo '<input type="submit" name="submit_save" value="' . __('Save') . '"';
+-if (!$config_writable) {
+- echo ' disabled="disabled"';
+-}
+-echo '/>';
+ echo '</td>';
+ echo '</tr>';
+
+--- phpmyadmin-4.2.12.orig/setup/frames/index.inc.php
++++ phpmyadmin-4.2.12/setup/frames/index.inc.php
+@@ -44,23 +44,6 @@ $configChecker->performConfigChecks();
+ //
+ // Check whether we can read/write configuration
+ //
+-$config_readable = false;
+-$config_writable = false;
+-$config_exists = false;
+-PMA_checkConfigRw($config_readable, $config_writable, $config_exists);
+-if (!$config_writable || !$config_readable) {
+- PMA_messagesSet(
+- 'error', 'config_rw', __('Cannot load or save configuration'),
+- PMA_sanitize(
+- __(
+- 'Please create web server writable folder [em]config[/em] in '
+- . 'phpMyAdmin top level directory as described in '
+- . '[doc@setup_script]documentation[/doc]. Otherwise you will be '
+- . 'only able to download or display it.'
+- )
+- )
+- );
+-}
+ //
+ // Check https connection
+ //
+@@ -268,25 +251,6 @@ echo '<tr>';
+ echo '<td colspan="2" class="lastrow" style="text-align: left">';
+ echo '<input type="submit" name="submit_display" value="' . __('Display') . '" />';
+ echo '<input type="submit" name="submit_download" value="' . __('Download') . '" />';
+-echo ' ';
+-
+-echo '<input type="submit" name="submit_save" value="' . __('Save') . '"';
+-if (!$config_writable) {
+- echo ' disabled="disabled"';
+-}
+-echo '/>';
+-
+-echo '<input type="submit" name="submit_load" value="' . __('Load') . '"';
+-if (!$config_exists) {
+- echo ' disabled="disabled"';
+-}
+-echo '/>';
+-
+-echo '<input type="submit" name="submit_delete" value="' . __('Delete') . '"';
+-if (!$config_exists || !$config_writable) {
+- echo ' disabled="disabled"';
+-}
+-echo '/>';
+
+ echo ' ';
+ echo '<input type="submit" name="submit_clear" value="' . __('Clear')
+--- phpmyadmin-4.2.12.orig/setup/index.php
++++ phpmyadmin-4.2.12/setup/index.php
+@@ -12,6 +12,10 @@
+ */
+ require './lib/common.inc.php';
+
++if (file_exists(CONFIG_FILE)) {
++ PMA_fatalError(__('Configuration already exists, setup is disabled!'));
++}
++
+ $page = isset($_GET['page']) ? $_GET['page'] : null;
+ $page = preg_replace('/[^a-z]/', '', $page);
+ if ($page === '') {
+--- phpmyadmin-4.2.12.orig/setup/lib/index.lib.php
++++ phpmyadmin-4.2.12/setup/lib/index.lib.php
+@@ -174,28 +174,3 @@ function PMA_versionCheck()
+ }
+ }
+ }
+-
+-/**
+- * Checks whether config file is readable/writable
+- *
+- * @param bool &$is_readable whether the file is readable
+- * @param bool &$is_writable whether the file is writable
+- * @param bool &$file_exists whether the file exists
+- *
+- * @return void
+- */
+-function PMA_checkConfigRw(&$is_readable, &$is_writable, &$file_exists)
+-{
+- $file_path = $GLOBALS['ConfigFile']->getFilePath();
+- $file_dir = dirname($file_path);
+- $is_readable = true;
+- $is_writable = is_dir($file_dir);
+- if (SETUP_DIR_WRITABLE) {
+- $is_writable = $is_writable && is_writable($file_dir);
+- }
+- $file_exists = file_exists($file_path);
+- if ($file_exists) {
+- $is_readable = is_readable($file_path);
+- $is_writable = $is_writable && is_writable($file_path);
+- }
+-}
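Review bot: the setup/index.php hunk disables the whole setup script whenever the file named by `CONFIG_FILE` exists. If, as in Debian's vendor_config.php, that constant points at the packaged /etc/phpmyadmin/config.inc.php, the effect is that `/setup/` stops working on every jessie install rather than merely refusing to overwrite an existing file; that is defensible for a security update, but it should be spelled out in the changelog or a debian/NEWS entry. Smaller points: the setup/frames/index.inc.php hunk leaves the `// Check whether we can read/write configuration` comment in place with nothing under it, and the setup/config.php and setup/frames/config.inc.php hunks each leave a stray empty `+` line where the removed code was.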
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6622.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6622.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2016-6622.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6622.patch 2018-03-04 06:27:49.000000000 +0100
@@ -0,0 +1,68 @@
+Description: Fix CVE-2016-6622
+ A vulnerability was discovered where an unauthenticated user is able to execute
+ a denial-of-service (DOS) attack by forcing persistent connections when
+ phpMyAdmin is running with $cfg['AllowArbitraryServer']=true;.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/10bdb0d
+ https://github.com/phpmyadmin/phpmyadmin/commit/8e0918c
+Last-Update: 2018-03-12
+
+--- phpmyadmin-4.2.12.orig/libraries/config/Validator.class.php
++++ phpmyadmin-4.2.12/libraries/config/Validator.class.php
+@@ -226,6 +226,7 @@ class PMA_Validator
+ ) {
+ // static::testPHPErrorMsg();
+ $error = null;
++ $host = PMA_sanitizeMySQLHost($host);
+
+ if (PMA_DatabaseInterface::checkDbExtension('mysqli')) {
+ $socket = empty($socket) || $connect_type == 'tcp' ? null : $socket;
+--- phpmyadmin-4.2.12.orig/libraries/core.lib.php
++++ phpmyadmin-4.2.12/libraries/core.lib.php
+@@ -905,6 +905,23 @@ if(! function_exists('hash_equals')) {
+ }
+
+ /**
++ * Sanitizes MySQL hostname
++ *
++ * * strips p: prefix
++ *
++ * @param string $name User given hostname
++ *
++ * @return string
++ */
++function PMA_sanitizeMySQLHost($name)
++{
++ if (strtolower(substr($name, 0, 2)) == 'p:') {
++ return substr($name, 2);
++ }
++
++ return $name;
++}
++/**
+ * Safe unserializer wrapper
+ *
+ * It does not unserialize data containing objects
+--- phpmyadmin-4.2.12.orig/libraries/plugins/auth/AuthenticationCookie.class.php
++++ phpmyadmin-4.2.12/libraries/plugins/auth/AuthenticationCookie.class.php
+@@ -405,7 +405,7 @@ class AuthenticationCookie extends Authe
+ if ($GLOBALS['cfg']['AllowArbitraryServer']
+ && isset($_REQUEST['pma_servername'])
+ ) {
+- $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
++ $GLOBALS['pma_auth_server'] = PMA_sanitizeMySQLHost($_REQUEST['pma_servername']);
+ }
+ return true;
+ }
+--- phpmyadmin-4.2.12.orig/libraries/replication.inc.php
++++ phpmyadmin-4.2.12/libraries/replication.inc.php
+@@ -264,7 +264,7 @@ function PMA_Replication_connectToMaster
+
+ // 5th parameter set to true means that it's an auxiliary connection
+ // and we must not go back to login page if it fails
+- return $GLOBALS['dbi']->connect($user, $password, false, $server, true);
++ return PMA_DBI_connect($user, $password, false, PMA_sanitizeMySQLHost($server), true);
+ }
+ /**
+ * Fetches position and file of current binary log on master
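Review bot: the replication.inc.php hunk changes more than it needs to: the removed line calls `$GLOBALS['dbi']->connect(...)`, the 4.2 object API, while the added line calls a bare `PMA_DBI_connect(...)`, the pre-4.1 procedural name, which is unlikely to exist in 4.2.12; if it does not, every connection to a replication master fatals. Keep the method call and sanitise only the host, i.e. `return $GLOBALS['dbi']->connect($user, $password, false, PMA_sanitizeMySQLHost($server), true);`, and if `$server` here is the server array rather than a host string, apply the sanitiser to its host element instead (passing an array into `substr()` only raises a warning and the function returns its input unsanitised). Minor: the core.lib.php hunk has no blank line between the new function's closing `}` and the `/**` that follows it.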
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-9865.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-9865.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2016-9865.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/CVE-2016-9865.patch 2018-03-04 06:27:49.000000000 +0100
@@ -0,0 +1,19 @@
+Description: Fix CVE-2016-9865
+ Due to a bug in serialized string parsing, it was possible to bypass the
+ protection offered by PMA_safeUnserialize() function.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/5e108a3
+Last-Update: 2018-03-12
+
+--- phpmyadmin-4.2.12.orig/libraries/core.lib.php
++++ phpmyadmin-4.2.12/libraries/core.lib.php
+@@ -954,7 +954,7 @@ function PMA_safeUnserialize($data)
+ case 's':
+ /* string */
+ // parse sting length
+- $strlen = intval($data[$i + 2]);
++ $strlen = intval(substr($data, $i + 2));
+ // string start
+ $i = strpos($data, ':', $i + 2);
+ if ($i === false) {
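Review bot: correct fix, since `intval(substr($data, $i + 2))` reads all leading digits where `$data[$i + 2]` read a single one, which mis-measured every string of ten or more characters and left the cursor in the wrong place. The `@@ -954` offset assumes CVE-2016-6620 and CVE-2016-6622 have already been applied (they add the function and the 17 lines above it), so keep the series order as listed. A regression check with a serialized string of length 10 or more, for example `a:1:{i:0;s:10:"0123456789";}`, should now be accepted, while an `O:` object payload must still come back as `null`.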
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2017-18264.patch phpmyadmin-4.2.12/debian/patches/CVE-2017-18264.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2017-18264.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/CVE-2017-18264.patch 2018-03-04 06:27:49.000000000 +0100
@@ -0,0 +1,22 @@
+Description: CVE-2017-18264
+ Restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false can be
+ bypassed. This can allow the login of users who have no password set even if
+ the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false
+ (which is also the default). This patch avoids returning false when
+ first parameter to substr is ''.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/phpmyadmin/phpmyadmin/commit/b6ca92cc75c8a16001425be7881e73430bcc35b8
+Last-Update: 2018-07-05
+
+--- phpmyadmin-4.2.12.orig/libraries/common.inc.php
++++ phpmyadmin-4.2.12/libraries/common.inc.php
+@@ -859,7 +859,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
+ . ' ' . $cfg['Server']['auth_type']
+ );
+ }
+- if (isset($_REQUEST['pma_password'])) {
++ if (isset($_REQUEST['pma_password']) && strlen($_REQUEST['pma_password']) > 256) {
+ $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256);
+ }
+ include_once './libraries/plugins/auth/' . $auth_class . '.class.php';
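Review bot: the `Description:` line reads `CVE-2017-18264` where every other patch in the series uses `Fix CVE-...`; align it. The logic change is right: on PHP 5 `substr('', 0, 256)` returns `false`, which is what let an empty password slip past `AllowNoPassword = false`, and truncating only when `strlen() > 256` means `substr()` is never called on the empty string.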
diff -Nru phpmyadmin-4.2.12/debian/patches/series phpmyadmin-4.2.12/debian/patches/series
--- phpmyadmin-4.2.12/debian/patches/series 2016-07-24 14:28:41.000000000 +0200
+++ phpmyadmin-4.2.12/debian/patches/series 2018-03-04 06:27:49.000000000 +0100
@@ -21,3 +21,14 @@
CVE-2016-5731.patch
CVE-2016-5733.patch
CVE-2016-5739.patch
+CVE-2016-6609.patch
+CVE-2016-6614.patch
+CVE-2016-6615.patch
+CVE-2016-6616.patch
+CVE-2016-6618.patch
+CVE-2016-6619.patch
+CVE-2016-6620.patch
+CVE-2016-6621.patch
+CVE-2016-6622.patch
+CVE-2016-9865.patch
+CVE-2017-18264.patch
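Review bot: order matters here: CVE-2016-6622.patch and CVE-2016-9865.patch both modify the `PMA_safeUnserialize()` code that CVE-2016-6620.patch adds to libraries/core.lib.php, and the 9865 hunk offset already accounts for the lines 6622 inserts, so those three entries must stay in the order listed.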