Bug#684955: unblock: phpmyadmin/4:3.4.11.1-1 (security issue)

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#684955: unblock: phpmyadmin/4:3.4.11.1-1 (security issue)
From: Thijs Kinkhorst <thijs@debian.org>
Date: Wed, 15 Aug 2012 07:16:02 +0200
Message-id: <[🔎] 20120815051602.31063.1632.reportbug@incagijs.uvt.nl>
Reply-to: Thijs Kinkhorst <thijs@debian.org>, 684955@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock


Hi,

Please unblock package phpmyadmin: it fixes two cross site scripting issues
and nothing else. The diff to db_structure.js may be a bit hard to read, but
it adds escapeHTML() calls to two parameters.

unblock phpmyadmin/4:3.4.11.1-1


Thanks,
Thijs

Title: phpMyAdmin 3.4.11 - Documentation

diff -Nru phpmyadmin-3.4.11/ChangeLog phpmyadmin-3.4.11.1/ChangeLog --- phpmyadmin-3.4.11/ChangeLog 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/ChangeLog 2012-08-12 13:38:18.000000000 +0000 @@ -1,6 +1,9 @@ phpMyAdmin - ChangeLog ====================== +3.4.11.1 (2012-08-12) +- [security] Fixed XSS vulnerabilities, see PMASA-2012-4 + 3.4.11.0 (2012-04-14) - bug #3486970 [import] Exception on XML import - bug #3488777 [navi] $cfg['ShowTooltipAliasTB'] and blank names in navigation diff -Nru phpmyadmin-3.4.11/Documentation.html phpmyadmin-3.4.11.1/Documentation.html --- phpmyadmin-3.4.11/Documentation.html 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/Documentation.html 2012-08-12 13:38:18.000000000 +0000 @@ -9,7 +9,7 @@ - + phpMyAdmin 3.4.11.1 - Documentation @@ -17,7 +17,7 @@ diff -Nru phpmyadmin-3.4.11/Documentation.txt phpmyadmin-3.4.11.1/Documentation.txt --- phpmyadmin-3.4.11/Documentation.txt 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/Documentation.txt 2012-08-12 13:38:18.000000000 +0000 @@ -1,4 +1,4 @@ -phpMyAdmin 3.4.11 Documentation +phpMyAdmin 3.4.11.1 Documentation * Top * Requirements diff -Nru phpmyadmin-3.4.11/README phpmyadmin-3.4.11.1/README --- phpmyadmin-3.4.11/README 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/README 2012-08-12 13:38:18.000000000 +0000 @@ -1,7 +1,7 @@ phpMyAdmin - Readme =================== -Version 3.4.11 +Version 3.4.11.1 A set of PHP-scripts to manage MySQL over the web. diff -Nru phpmyadmin-3.4.11/RELEASE-DATE-3.4.11 phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11 --- phpmyadmin-3.4.11/RELEASE-DATE-3.4.11 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -Sat Apr 14 11:41:12 UTC 2012 diff -Nru phpmyadmin-3.4.11/RELEASE-DATE-3.4.11.1 phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11.1 --- phpmyadmin-3.4.11/RELEASE-DATE-3.4.11.1 1970-01-01 00:00:00.000000000 +0000 +++ phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11.1 2012-08-12 13:38:18.000000000 +0000 @@ -0,0 +1 @@ +Sun Aug 12 13:37:09 UTC 2012 diff -Nru phpmyadmin-3.4.11/debian/changelog phpmyadmin-3.4.11.1/debian/changelog --- phpmyadmin-3.4.11/debian/changelog 2012-04-18 10:28:38.000000000 +0000 +++ phpmyadmin-3.4.11.1/debian/changelog 2012-08-13 13:25:51.000000000 +0000 @@ -1,3 +1,10 @@ +phpmyadmin (4:3.4.11.1-1) unstable; urgency=high + + * New upstream security release. + - Fixes cross site scripting [PMASA-2012-4]. + + -- Thijs Kinkhorst Mon, 13 Aug 2012 13:24:09 +0000 + phpmyadmin (4:3.4.11-1) unstable; urgency=low * New upstream release. diff -Nru phpmyadmin-3.4.11/js/db_structure.js phpmyadmin-3.4.11.1/js/db_structure.js --- phpmyadmin-3.4.11/js/db_structure.js 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/js/db_structure.js 2012-08-12 13:38:18.000000000 +0000 @@ -1,6 +1,6 @@ function PMA_adjustTotals(a){var b=a.closest("tr");a=b.find(".tbl_rows");var d=b.find(".tbl_size");b=parseInt(a.text());a.text("0");d.text("-");if(!isNaN(b)){$total_rows_td=$("#tbl_summary_row").find(".tbl_rows");a=parseInt($total_rows_td.text());isNaN(a)||$total_rows_td.text(a-b)}a=$("#tbl_summary_row").find(".tbl_size");a.text(a.text().replace(/^/,"~"))} -$(document).ready(function(){$(".truncate_table_anchor").live("click",function(a){a.preventDefault();var b=$(this);a="TRUNCATE "+b.parents("tr").children("th").children("a").text();b.PMA_confirm(a,b.attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);c=b.html().replace(/b_empty.png/,"bd_empty.png");PMA_adjustTotals(b);b.replaceWith(c).removeClass("truncate_table_anchor")}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+ -" : "+c.error)})})});$(".drop_table_anchor").live("click",function(a){a.preventDefault();var b=$(this),d=b.parents("tr");a="DROP TABLE "+d.children("th").children("a").text();b.PMA_confirm(a,b.attr("href"),function(c){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(c,{is_js_confirmed:1,ajax_request:true},function(e){if(e.success==true){PMA_ajaxShowMessage(e.message);PMA_adjustTotals(b);d.hide("medium").remove();window.parent&&window.parent.frame_navigation&&window.parent.frame_navigation.location.reload()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+ +$(document).ready(function(){$(".truncate_table_anchor").live("click",function(a){a.preventDefault();var b=$(this);a=b.parents("tr").children("th").children("a").text();a="TRUNCATE "+escapeHtml(a);b.PMA_confirm(a,b.attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);c=b.html().replace(/b_empty.png/,"bd_empty.png");PMA_adjustTotals(b);b.replaceWith(c).removeClass("truncate_table_anchor")}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+ +" : "+c.error)})})});$(".drop_table_anchor").live("click",function(a){a.preventDefault();var b=$(this),d=b.parents("tr");a=d.children("th").children("a").text();a="DROP TABLE "+escapeHtml(a);b.PMA_confirm(a,b.attr("href"),function(c){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(c,{is_js_confirmed:1,ajax_request:true},function(e){if(e.success==true){PMA_ajaxShowMessage(e.message);PMA_adjustTotals(b);d.hide("medium").remove();window.parent&&window.parent.frame_navigation&&window.parent.frame_navigation.location.reload()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+ " : "+e.error)})})});$(".drop_event_anchor").live("click",function(a){a.preventDefault();var b=$(this).parents("tr");a="DROP EVENT "+$(b).children("td:first").text();$(this).PMA_confirm(a,$(this).attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strDroppingEvent);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);$(b).hide("medium").remove()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+" : "+c.error)})})});$(".drop_procedure_anchor").live("click", function(a){a.preventDefault();a=$(this).parents("tr");a=$(a).children("td").children(".drop_procedure_sql").val();$(this).PMA_confirm(a,$(this).attr("href"),function(b){PMA_ajaxShowMessage(PMA_messages.strDroppingProcedure);$.get(b,{is_js_confirmed:1,ajax_request:true},function(d){if(d.success==true){PMA_ajaxShowMessage(d.message);$(curr_event_row).hide("medium").remove()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+" : "+d.error)})})});$(".drop_tracking_anchor").live("click", function(a){a.preventDefault();a=$(this);var b=a.parents("tr");a.PMA_confirm(PMA_messages.strDeleteTrackingData,a.attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strDeletingTrackingData);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);$(b).hide("medium").remove()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+" : "+c.error)})})});$("#real_end_input").live("click",function(a){a.preventDefault();a=PMA_messages.strOperationTakesLongTime; diff -Nru phpmyadmin-3.4.11/libraries/Config.class.php phpmyadmin-3.4.11.1/libraries/Config.class.php --- phpmyadmin-3.4.11/libraries/Config.class.php 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/libraries/Config.class.php 2012-08-12 13:38:18.000000000 +0000 @@ -96,7 +96,7 @@ */ function checkSystem() { - $this->set('PMA_VERSION', '3.4.11'); + $this->set('PMA_VERSION', '3.4.11.1'); /** * @deprecated */ diff -Nru phpmyadmin-3.4.11/tbl_create.php phpmyadmin-3.4.11.1/tbl_create.php --- phpmyadmin-3.4.11/tbl_create.php 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/tbl_create.php 2012-08-12 13:38:18.000000000 +0000 @@ -287,7 +287,9 @@ $new_table_string .= ' ' . "\n"; $new_table_string .= ''; - $new_table_string .= ''. $table . ''; + $new_table_string .= '' + . htmlspecialchars($table) . ''; if (PMA_Tracker::isActive()) { $truename = str_replace(' ', ' ', htmlspecialchars($table));

Reply to:

Follow-Ups:
- Bug#684955: marked as done (unblock: phpmyadmin/4:3.4.11.1-1 (security issue))
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Re: BinNMU breaks QT4
Next by Date: Bug#684961: unblock: rpm/4.10.0-5
Previous by thread: Bug#684950: pu: package clamav/0.97.5+dfsg-6~squeeze1
Next by thread: Bug#684955: marked as done (unblock: phpmyadmin/4:3.4.11.1-1 (security issue))
Index(es):
- Date
- Thread

Bug#684955: unblock: phpmyadmin/4:3.4.11.1-1 (security issue)

phpMyAdmin - 3.4.11 + 3.4.11.1 Documentation