Review and testing phpmyadmin for Jessie LTS
Hi,
I uploaded version 4.2.12-2+deb8u4 of phpmyadmin to:
https://people.debian.org/~kanashiro/jessie_lts/phpmyadmin/
It has patches fixing CVE-2018-19968 and CVE-2018-19970. I did not have
the time to determine whether jessie is affected by CVE-2018-19969
(requested by sunweaver); I did some superficial investigation, with no
confirmation yet. I will not have enough time this month to continue the
investigation.
I'd appreciate some review and testing, especially related to
CVE-2018-19968; the debdiff is attached if it helps.
Thanks in advance!
--
Lucas Kanashiro
diff -Nru phpmyadmin-4.2.12/debian/changelog phpmyadmin-4.2.12/debian/changelog
--- phpmyadmin-4.2.12/debian/changelog 2018-03-04 02:27:49.000000000 -0300
+++ phpmyadmin-4.2.12/debian/changelog 2019-01-23 11:47:22.000000000 -0200
@@ -1,3 +1,11 @@
+phpmyadmin (4:4.2.12-2+deb8u4) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS team.
+ * Fix CVE-2018-19968: Local file inclusion through transformation feature.
+ * Fix CVE-2018-19970: XSS vulnerability in the navigation tree.
+
+ -- Lucas Kanashiro <kanashiro@debian.org> Wed, 23 Jan 2019 11:14:59 -0200
+
phpmyadmin (4:4.2.12-2+deb8u3) jessie-security; urgency=high
* Non-maintainer upload by the Debian LTS Team.
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2018-19968.patch phpmyadmin-4.2.12/debian/patches/CVE-2018-19968.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2018-19968.patch 1969-12-31 21:00:00.000000000 -0300
+++ phpmyadmin-4.2.12/debian/patches/CVE-2018-19968.patch 2019-01-23 11:47:00.000000000 -0200
@@ -0,0 +1,108 @@
+Description: Remove transformation plugin includes
+ Tranformation plugins should be loaded by the autoloader.
+ Fixes CVE-2018-19968. This patch is based on upstream patch:
+ https://github.com/phpmyadmin/phpmyadmin/commit/6a1ba61e29002f0305a9322a8af4eaaeb11c0732
+Author: Lucas Kanashiro <kanashiro@debian.org>
+Last-Updated: 2019-01-23
+
+--- a/libraries/DisplayResults.class.php
++++ b/libraries/DisplayResults.class.php
+@@ -2894,27 +2894,28 @@ class PMA_DisplayResults
+
+ if (file_exists($include_file)) {
+
+- include_once $include_file;
+ $class_name = str_replace('.class.php', '', $file);
+- // todo add $plugin_manager
+- $plugin_manager = null;
+- $transformation_plugin = new $class_name(
+- $plugin_manager
+- );
++ if (class_exists($class_name)) {
++ // todo add $plugin_manager
++ $plugin_manager = null;
++ $transformation_plugin = new $class_name(
++ $plugin_manager
++ );
+
+- $transform_options = PMA_Transformation_getOptions(
+- isset($mime_map[$meta->name]
++ $transform_options = PMA_Transformation_getOptions(
++ isset($mime_map[$meta->name]
++ ['transformation_options']
++ )
++ ? $mime_map[$meta->name]
+ ['transformation_options']
+- )
+- ? $mime_map[$meta->name]
+- ['transformation_options']
+- : ''
+- );
++ : ''
++ );
+
+- $meta->mimetype = str_replace(
+- '_', '/',
+- $mime_map[$meta->name]['mimetype']
+- );
++ $meta->mimetype = str_replace(
++ '_', '/',
++ $mime_map[$meta->name]['mimetype']
++ );
++ }
+
+ } // end if file_exists
+ } // end if transformation is set
+--- a/libraries/insert_edit.lib.php
++++ b/libraries/insert_edit.lib.php
+@@ -2151,20 +2151,21 @@ function PMA_transformEditedValues($db,
+
+ $include_file = 'libraries/plugins/transformations/' . $file;
+ if (file_exists($include_file)) {
+- include_once $include_file;
+-
+- $transform_options = PMA_Transformation_getOptions(
+- isset($transformation['transformation_options'])
+- ? $transformation['transformation_options']
+- : ''
+- );
+- $transform_options['wrapper_link']
+- = PMA_URL_getCommon($_url_params);
+ $class_name = str_replace('.class.php', '', $file);
+- $plugin_manager = null;
+- $transformation_plugin = new $class_name(
+- $plugin_manager
+- );
++ if (class_exists($class_name)) {
++
++ $transform_options = PMA_Transformation_getOptions(
++ isset($transformation['transformation_options'])
++ ? $transformation['transformation_options']
++ : ''
++ );
++ $transform_options['wrapper_link']
++ = PMA_URL_getCommon($_url_params);
++ $plugin_manager = null;
++ $transformation_plugin = new $class_name(
++ $plugin_manager
++ );
++ }
+ }
+
+ $extra_data['transformations'][$cell_index]
+--- a/libraries/transformations.lib.php
++++ b/libraries/transformations.lib.php
+@@ -145,9 +145,10 @@ function PMA_getTransformationDescriptio
+ $class_name = explode(".class.php", $file);
+ $class_name = $class_name[0];
+
+- // include and instantiate the class
+- include_once 'libraries/plugins/transformations/' . $file;
+- return $class_name::getInfo();
++ if (class_exists($class_name)) {
++ return $class_name::getInfo();
++ }
++ return ''
+ }
+
+ /**
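Review bot: The new tail of PMA_getTransformationDescription in the transformations.lib.php part ends with `return ''` and no semicolon, which is a PHP parse error directly before the closing brace, so the patched file would fail to load; it should read `return '';`. Separately, all three files now rely on `class_exists($class_name)` resolving the plugin class without an include, and whether 4.2.12 registers an autoloader covering libraries/plugins/transformations is not visible in this diff; if it does not, every transformation is silently skipped rather than applied. In insert_edit.lib.php that would presumably also leave `$transformation_plugin` unset for the code after the block, which continues outside the hunk. Testing should confirm that a configured transformation still renders in browse and edit views, and that `php -l` passes on the three patched files.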
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2018-19970.patch phpmyadmin-4.2.12/debian/patches/CVE-2018-19970.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2018-19970.patch 1969-12-31 21:00:00.000000000 -0300
+++ phpmyadmin-4.2.12/debian/patches/CVE-2018-19970.patch 2019-01-23 11:47:04.000000000 -0200
@@ -0,0 +1,17 @@
+Description: Fix Stored Cross-Site Scripting (XSS) in navigation tree
+ Fixes CVE-2018-19970. This patch is based on upstream patch:
+ https://github.com/phpmyadmin/phpmyadmin/commit/b293ff5f234ef493336ed8638f623a12164d359e
+Author: Lucas Kanashiro <kanashiro@debian.org>
+Last-Updated: 2019-01-23
+
+--- a/libraries/navigation/NavigationTree.class.php
++++ b/libraries/navigation/NavigationTree.class.php
+@@ -612,7 +612,7 @@ class PMA_NavigationTree
+ $groups = array();
+ foreach ($prefixes as $key => $value) {
+ $groups[$key] = new Node(
+- $key,
++ htmlspecialchars($key),
+ Node::CONTAINER,
+ true
+ );
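Review bot: `htmlspecialchars($key)` is called with default flags, which before PHP 8.1 are ENT_COMPAT and leave single quotes unencoded; if the node name can reach a single-quoted attribute in the tree markup, which this hunk does not show, the escaping is incomplete. Passing the flags explicitly, `htmlspecialchars($key, ENT_QUOTES, 'UTF-8')`, removes that dependency on the rendering code. The array index `$groups[$key]` keeps the raw value, so it is worth confirming that later lookups use the raw prefix and that the name is not escaped a second time on output. A short comment such as `// escaped here because the group name is emitted as HTML in the navigation tree` would record why escaping happens at construction.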
diff -Nru phpmyadmin-4.2.12/debian/patches/series phpmyadmin-4.2.12/debian/patches/series
--- phpmyadmin-4.2.12/debian/patches/series 2018-03-04 02:27:49.000000000 -0300
+++ phpmyadmin-4.2.12/debian/patches/series 2019-01-23 11:47:04.000000000 -0200
@@ -32,3 +32,5 @@
CVE-2016-6622.patch
CVE-2016-9865.patch
CVE-2017-18264.patch
+CVE-2018-19970.patch
+CVE-2018-19968.patch