phpmyadmin CVE-2019-6799 review request
Hi,
I recently applied to join the Debian LTS project as a paid contributor.
As part of this process I'm preparing a DLA for phpmyadmin following
data/dla-needed.txt.
CVE-2019-6798 is actually not-affected (related Designer code was
refactored twice since Jessie).
CVE-2019-6799 is an annoying one that varies on whether:
- php5-mysql or php5-mysqlnd is installed,
- mysql.so or mysqli.so is used,
- open_basedir is in use,
- the user runs an arbitrary query or uses the import feature
Here is a package where I believe this vulnerability is fixed:
https://www.beuc.net/tmp/debian-lts/
Attached is the debdiff.
Testing a temporary database and attempting to run something like:
LOAD DATA LOCAL INFILE '/etc/phpmyadmin/config-db.php' INTO TABLE
test(text);
in one configuration from above would be a good test.
I would very much welcome your feedback :)
Cheers!
Sylvain
diff -Nru phpmyadmin-4.2.12/debian/changelog phpmyadmin-4.2.12/debian/changelog
--- phpmyadmin-4.2.12/debian/changelog 2019-01-29 18:10:17.000000000 +0100
+++ phpmyadmin-4.2.12/debian/changelog 2019-02-24 01:12:19.000000000 +0100
@@ -1,3 +1,11 @@
+phpmyadmin (4:4.2.12-2+deb8u5) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the Debian LTS team.
+ * Fix CVE-2019-6799: information leak (arbitrary file read) using SQL
+ queries.
+
+ -- Sylvain Beucler <beuc@debian.org> Sun, 24 Feb 2019 01:12:19 +0100
+
phpmyadmin (4:4.2.12-2+deb8u4) jessie-security; urgency=high
* Non-maintainer upload by the Debian LTS team.
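Review bot: the new entry still carries `UNRELEASED` as its distribution while the entry below it targets `jessie-security`; it needs to be switched before the upload. The entry also only mentions the information leak, while the patch makes every connection through the plain mysql driver fail with a fatal error whenever `mysql.allow_local_infile` is enabled, which is a user-visible behaviour change that deserves a sentence here (or a NEWS entry) pointing admins at the mysqli extension or at the php.ini setting.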
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2019-6799.patch phpmyadmin-4.2.12/debian/patches/CVE-2019-6799.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2019-6799.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/CVE-2019-6799.patch 2019-02-24 01:12:19.000000000 +0100
@@ -0,0 +1,84 @@
+Description: Fix information leak (arbitrary file read) using SQL queries
+ Fix CVE-2019-6799
+ https://www.phpmyadmin.net/security/PMASA-2019-1/
+
+ This patch is based on upstream patches:
+ https://github.com/phpmyadmin/phpmyadmin/commit/c5e01f84ad48c5c626001cb92d7a95500920a900
+ https://github.com/phpmyadmin/phpmyadmin/commit/aeac90623e525057a7672ab3d98154b5c57c15ec
+ Avoid regression in 'Table > Import > Load CSV with LOAD DATA' by backporting:
+ https://github.com/phpmyadmin/phpmyadmin/commit/d02d61ada7c8e29753fd37440b511a1088efb060
+
+ Note: mitigated by /etc/phpmyadmin/apache.conf's open_basedir:
+ - php5-mysql: open_basedir fully disables LOAD DATA LOCAL INFILE;
+ - php5-mysqlnd: open_basedir is respected but some sensitive files
+ remain accessible, notably '/etc/phpmyadmin/config-db.php'.
+
+ Note: nothing to do with AllowArbitraryServer, works on local MySQL server as well.
+
+ Note: https://bugs.php.net/bug.php?id=77496 applies php5-mysqlnd but not php5-mysql.
+
+Author: Sylvain Beucler <beuc@debian.org>
+Last-Updated: 2019-02-24
+
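Review bot: `Last-Updated:` is not a DEP-3 field name; the standard header is `Last-Update:`. The three upstream commit URLs would also fit an `Origin: backport, <url>` line instead of free text inside Description. The mitigation notes are helpful; consider adding one line stating the mechanism itself (LOCAL INFILE on the mysqli path is now only enabled when import.php defines `PMA_ENABLE_LDI`, and the mysql path refuses to connect when the ini setting is on), so the header documents how the fix works as well as what it fixes.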
+Index: phpmyadmin-4.2.12/import.php
+===================================================================
+--- phpmyadmin-4.2.12.orig/import.php
++++ phpmyadmin-4.2.12/import.php
+@@ -6,6 +6,11 @@
+ * @package PhpMyAdmin
+ */
+
++/* Enable LOAD DATA LOCAL INFILE for LDI plugin */
++if (isset($_POST['format']) && $_POST['format'] == 'ldi') {
++ define('PMA_ENABLE_LDI', 1);
++}
++
+ /**
+ * Get the variables sent or posted to this script and a core script
+ */
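Review bot: `PMA_ENABLE_LDI` is derived from a caller-supplied POST field alone, so the gate means "this request claims to be an LDI import", not "the file being loaded is the uploaded one"; please confirm that in 4.2.12 the LDI import plugin only ever hands the server-side upload temp file (or an entry from a configured UploadDir) to `LOAD DATA LOCAL INFILE`, since that is what keeps the arbitrary read unreachable through this path. Minor: use `===` for the string comparison, and extend the comment to say the define must stay above the core include that follows so the DBI connect code can see it.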
+Index: phpmyadmin-4.2.12/libraries/dbi/DBIMysql.class.php
+===================================================================
+--- phpmyadmin-4.2.12.orig/libraries/dbi/DBIMysql.class.php
++++ phpmyadmin-4.2.12/libraries/dbi/DBIMysql.class.php
+@@ -52,6 +52,10 @@ class PMA_DBI_Mysql implements PMA_DBI_E
+ ) {
+ global $cfg;
+
++ if (ini_get('mysql.allow_local_infile')) {
++ PMA_fatalError(__('Please disable mysql.allow_local_infile in your PHP configuration or install the mysqli extension.'));
++ }
++
+ if (empty($client_flags)) {
+ if ($cfg['PersistentConnections'] || $persistent) {
+ $link = @mysql_pconnect($server, $user, $password);
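Review bot: `mysql.allow_local_infile` defaults to on in PHP, so with this hunk every installation using the plain mysql driver stops working at connect time until the admin edits php.ini or switches to mysqli; failing closed is a defensible choice for an arbitrary-file-read, but it must be announced in the changelog, and the error text would be more actionable if it named where the setting lives (php.ini or a conf.d snippet). Also `ini_get()` returns a string and the truthiness test relies on the ini parser normalising `Off` to an empty string; a quoted `"Off"` value would read as true and trigger the fatal error on a server that has the feature disabled, so `filter_var(..., FILTER_VALIDATE_BOOLEAN)` would be a safer test.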
+Index: phpmyadmin-4.2.12/libraries/dbi/DBIMysqli.class.php
+===================================================================
+--- phpmyadmin-4.2.12.orig/libraries/dbi/DBIMysqli.class.php
++++ phpmyadmin-4.2.12/libraries/dbi/DBIMysqli.class.php
+@@ -156,7 +156,12 @@ class PMA_DBI_Mysqli implements PMA_DBI_
+
+ $link = mysqli_init();
+
+- mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, true);
++ // Note: CVE-2019-6799 for php5-mysql (non-nd)
++ if (defined('PMA_ENABLE_LDI')) {
++ mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, true);
++ } else {
++ mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, false);
++ }
+
+ $client_flags = 0;
+
+@@ -219,6 +224,12 @@ class PMA_DBI_Mysqli implements PMA_DBI_
+ }
+
+ if ($return_value != false) {
++ // Note: CVE-2019-6799 for php5-mysqlnd
++ if (defined('PMA_ENABLE_LDI')) {
++ mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, true);
++ } else {
++ mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, false);
++ }
+ $GLOBALS['dbi']->postConnect($link, $is_controluser);
+ return $link;
+ }
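Review bot: the same five-line option block appears twice, once after `mysqli_init()` and once after the connect succeeds (`$return_value != false`), with only the comment differing, and neither comment says why both are needed; a short note referencing the PHP bug cited in the patch header (which the header says affects the mysqlnd build only) would stop a future maintainer from removing the apparent duplicate, and a small private helper would remove the copy-paste. The first comment also reads "php5-mysql (non-nd)" inside the mysqli driver file; "libmysqlclient build of mysqli (php5-mysql package)" would be clearer. Passing an explicit `false` in the else branch is the right call, since the client library's LOCAL INFILE default is a compile-time choice rather than something phpMyAdmin can assume.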
diff -Nru phpmyadmin-4.2.12/debian/patches/series phpmyadmin-4.2.12/debian/patches/series
--- phpmyadmin-4.2.12/debian/patches/series 2019-01-29 18:10:05.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/series 2019-02-23 23:51:17.000000000 +0100
@@ -34,3 +34,4 @@
CVE-2017-18264.patch
CVE-2018-19970.patch
CVE-2018-19968.patch
+CVE-2019-6799.patch