
Bug#774210: marked as done (unblock: phpmyadmin/4:4.2.12-2)



Your message dated Tue, 30 Dec 2014 17:58:53 +0100
with message-id <20141230165853.GC19166@ugent.be>
and subject line Re: Bug#774210: unblock: phpmyadmin/4:4.2.12-2
has caused the Debian Bug report #774210,
regarding unblock: phpmyadmin/4:4.2.12-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774210: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774210
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Please unblock package phpmyadmin

It fixes security bugs, see https://bugs.debian.org/774194
debdiff is attached.

unblock phpmyadmin/4:4.2.12-2

- -- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.utf8, LC_CTYPE=cs_CZ.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUonfeAAoJEJwnsxNCt1EdsI8P/jBTOTNLzrcR18+qG2t/5Kn1
AgDXjjD2c90NTMEdWH74SjsCqoTA7yjZJQa46DeIk5pzgFDR49/LGyPBYsdxGkAH
D06/ykK1myCSGmjVOCMA4SyvDSU0quJFdYh8QoBXM/sg2DaDlL2VxWL8C6ulwDvZ
k02kzHdCE1VntTw7zHYMTGUKanTEyEhuFj7MiKfvrGPLcOkZ12KrAWYwPCoVDz2i
hwV0IEve0ptAH/+hXuYnPzQ6qgScOFK2/f7DdXAWApmuHD0SLr7LqEeGZ+v8zJoH
5XonWhHeDBDCajWva+ADD8jxDd046EGaA5gxqlcOQn5Rdzm5LptKkPp/9pxKYbUI
jIqOitySfST/e3A6hs5eSaaE3nTV3uFW+1aC3ShDof0BeMA1cU1bxMmuSfq+eO+s
kEtV+xou7xZnRra2HvTrD4LI+DYQNcYGp1ezan+b6ls3i8RVvtZW4qnonw2bgGda
/kux9xK94NFZVwqIsKufPFnwA3dmzTsTd1XUs3tvRWzdxmwlO5wid2Y1/UY++vfQ
7poFqR3hCmMXuuQZXSpybn4fL3PK3pGuD6UsRWY1zcHtnLMvDLe0bwUh/tGkF4Km
32RPnqB8mQwvKPsXonrzFaKWahZYQ4pJTf80nFmqm3ey4XjIxbSo643IetluGfqH
KW8zz8VPhbW8iCgvFs4H
=j4qh
-----END PGP SIGNATURE-----
diff -Nru phpmyadmin-4.2.12/debian/changelog phpmyadmin-4.2.12/debian/changelog
--- phpmyadmin-4.2.12/debian/changelog	2014-11-22 10:34:32.000000000 +0100
+++ phpmyadmin-4.2.12/debian/changelog	2014-12-30 10:54:34.000000000 +0100
@@ -1,3 +1,11 @@
+phpmyadmin (4:4.2.12-2) unstable; urgency=high
+
+  * Fix security issues (Closes: #774194).
+    - CVE-2014-9219 / PMASA-2014-18 - XSS vulnerability in redirection.
+    - CVE-2014-9218 / PMASA-2014-17 - DoS vulnerability with long passwords.
+
+ -- Michal Čihař <nijel@debian.org>  Tue, 30 Dec 2014 10:54:32 +0100
+
 phpmyadmin (4:4.2.12-1) unstable; urgency=medium
 
   * New upstrem release.
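Review bot: the changelog entry names the CVE and PMASA identifiers but not the upstream bug numbers (#4611 and #4612) that the two new patch file names are keyed on, so a reviewer has to open debian/patches/series to match each bullet to its patch; adding them inline, e.g. `CVE-2014-9218 / PMASA-2014-17 / upstream bug #4611 - DoS vulnerability with long passwords.`, would make the entry self-describing. The `Closes: #774194` and `urgency=high` are consistent with the unblock request above.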
diff -Nru phpmyadmin-4.2.12/debian/patches/bug-4611-security-DOS-attack-with-long-passwords.patch phpmyadmin-4.2.12/debian/patches/bug-4611-security-DOS-attack-with-long-passwords.patch
--- phpmyadmin-4.2.12/debian/patches/bug-4611-security-DOS-attack-with-long-passwords.patch	1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/bug-4611-security-DOS-attack-with-long-passwords.patch	2014-12-30 10:52:09.000000000 +0100
@@ -0,0 +1,80 @@
+From 1ac863c7573d12012374d5d41e5c7dc5505ea6e1 Mon Sep 17 00:00:00 2001
+From: Madhura Jayaratne <madhura.cj@gmail.com>
+Date: Tue, 2 Dec 2014 21:20:59 +0530
+Subject: [PATCH 1/1] bug #4611 [security] DOS attack with long passwords
+
+Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
+---
+ ChangeLog                                             |  1 +
+ libraries/common.inc.php                              |  5 +++++
+ libraries/plugins/AuthenticationPlugin.class.php      |  9 +++++++++
+ libraries/plugins/auth/AuthenticationCookie.class.php | 10 ++++++++++
+ 4 files changed, 25 insertions(+)
+
+diff --git a/libraries/common.inc.php b/libraries/common.inc.php
+index 2227c1e..5cea823 100644
+--- a/libraries/common.inc.php
++++ b/libraries/common.inc.php
+@@ -859,6 +859,9 @@ if (! defined('PMA_MINIMUM_COMMON')) {
+                 . ' ' . $cfg['Server']['auth_type']
+             );
+         }
++        if (isset($_REQUEST['pma_password'])) {
++            $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256);
++        }
+         include_once  './libraries/plugins/auth/' . $auth_class . '.class.php';
+         // todo: add plugin manager
+         $plugin_manager = null;
+@@ -988,6 +991,8 @@ if (! defined('PMA_MINIMUM_COMMON')) {
+             $controllink = $userlink;
+         }
+ 
++        $auth_plugin->storeUserCredentials();
++
+         /* Log success */
+         PMA_logUser($cfg['Server']['user']);
+ 
+diff --git a/libraries/plugins/AuthenticationPlugin.class.php b/libraries/plugins/AuthenticationPlugin.class.php
+index 3ddf55e..7943d2c 100644
+--- a/libraries/plugins/AuthenticationPlugin.class.php
++++ b/libraries/plugins/AuthenticationPlugin.class.php
+@@ -42,6 +42,15 @@ abstract class AuthenticationPlugin extends PluginObserver
+     abstract public function authSetUser();
+ 
+     /**
++     * Stores user credentials after successful login.
++     *
++     * @return void
++     */
++    public function storeUserCredentials()
++    {
++    }
++
++    /**
+      * User is not allowed to login to MySQL -> authentication failed
+      *
+      * @return boolean
+diff --git a/libraries/plugins/auth/AuthenticationCookie.class.php b/libraries/plugins/auth/AuthenticationCookie.class.php
+index e21471c..68cb5d4 100644
+--- a/libraries/plugins/auth/AuthenticationCookie.class.php
++++ b/libraries/plugins/auth/AuthenticationCookie.class.php
+@@ -557,6 +557,16 @@ class AuthenticationCookie extends AuthenticationPlugin
+         unset($_SERVER['PHP_AUTH_PW']);
+ 
+         $_SESSION['last_access_time'] = time();
++    }
++
++    /**
++     * Stores user credentials after successful login.
++     *
++     * @return void
++     */
++    public function storeUserCredentials()
++    {
++        global $cfg;
+ 
+         $this->createBlowfishIV();
+ 
+-- 
+2.1.4
+
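Review bot: the `substr(..., 0, 256)` cap in the common.inc.php hunk is applied only to `$_REQUEST['pma_password']`, so it protects the login path only if the authentication plugin reads the password from `$_REQUEST` and not directly from `$_POST`; the hunk shows no corresponding change in `AuthenticationCookie.class.php`, so that should be confirmed against its `authCheck()` in 4.2.12 before relying on the cap alone. The second part of the change is the more important one: `$this->createBlowfishIV()` is moved out of `authSetUser()` into the new `storeUserCredentials()` hook, and common.inc.php now calls that hook only after `$controllink = $userlink;`, i.e. after the MySQL connection succeeded, so the Blowfish IV generation and whatever cookie encryption follows it in that method is no longer performed for failed, unauthenticated login attempts. Two smaller points: the patch header's diffstat lists a `ChangeLog` hunk (`ChangeLog | 1 +`, `4 files changed, 25 insertions(+)`) that is not present in the embedded diff, which quilt will ignore but which makes the file look truncated; and a 256-byte cap silently changes behaviour for any existing password longer than that, which is worth a sentence in the Debian changelog so users who hit a sudden login failure know why.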
diff -Nru phpmyadmin-4.2.12/debian/patches/bug-4612-security-XSS-vulnerability-in-redirection-m.patch phpmyadmin-4.2.12/debian/patches/bug-4612-security-XSS-vulnerability-in-redirection-m.patch
--- phpmyadmin-4.2.12/debian/patches/bug-4612-security-XSS-vulnerability-in-redirection-m.patch	1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/bug-4612-security-XSS-vulnerability-in-redirection-m.patch	2014-12-30 10:52:13.000000000 +0100
@@ -0,0 +1,39 @@
+From 9b2479b7216dd91a6cc2f231c0fd6b85d457f6e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <michal@cihar.com>
+Date: Mon, 1 Dec 2014 21:51:59 +0530
+Subject: [PATCH 1/1] bug #4612 [security] XSS vulnerability in redirection
+ mechanism
+
+Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
+---
+ ChangeLog | 3 +++
+ url.php   | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/url.php b/url.php
+index 71efc9f..82b2243 100644
+--- a/url.php
++++ b/url.php
+@@ -11,6 +11,10 @@
+  */
+ define('PMA_MINIMUM_COMMON', true);
+ require_once './libraries/common.inc.php';
++/**
++ * JavaScript escaping.
++ */
++require_once './libraries/js_escape.lib.php';
+ 
+ if (! PMA_isValid($_GET['url'])
+     || ! preg_match('/^https?:\/\/[^\n\r]*$/', $_GET['url'])
+@@ -24,7 +28,7 @@ if (! PMA_isValid($_GET['url'])
+     //  external site.
+     echo "<script type='text/javascript'>
+             window.onload=function(){
+-                window.location='" . htmlspecialchars($_GET['url']) . "';
++                window.location='" . PMA_escapeJsString($_GET['url']) . "';
+             }
+         </script>";
+     // Display redirecting msg on screen.
+-- 
+2.1.4
+
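Review bot: the one-line change in url.php is the right kind of fix for this position: the value is interpolated into a single-quoted JavaScript string literal inside a `<script>` element, where `htmlspecialchars()` is the wrong escaper (it leaves `'` alone unless `ENT_QUOTES` is passed, and HTML entities are not decoded inside script content anyway), so the `preg_match` guard, which only enforces an `http(s)://` prefix and the absence of CR/LF, was the only thing standing between a quote in the `url` parameter and the end of the string literal. `PMA_escapeJsString()` escapes for the JavaScript-string context, which is what is needed here, and the added `require_once './libraries/js_escape.lib.php'` is presumably required because url.php runs with `PMA_MINIMUM_COMMON` set and would not otherwise have that library loaded. The allow-list `preg_match` is unchanged, which is good; it should stay as a second layer rather than being dropped in favour of escaping alone. As in the other patch, the diffstat advertises a `ChangeLog` hunk (`ChangeLog | 3 +++`) that is not actually in the file.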
diff -Nru phpmyadmin-4.2.12/debian/patches/series phpmyadmin-4.2.12/debian/patches/series
--- phpmyadmin-4.2.12/debian/patches/series	2014-11-22 10:34:32.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/series	2014-12-30 10:51:50.000000000 +0100
@@ -1,3 +1,5 @@
 debian.patch
 doc.patch
 setup-message.patch
+bug-4611-security-DOS-attack-with-long-passwords.patch
+bug-4612-security-XSS-vulnerability-in-redirection-m.patch

--- End Message ---
--- Begin Message ---
Hi,

On Tue, Dec 30, 2014 at 11:01:03AM +0100, Michal Čihař wrote:
> Please unblock package phpmyadmin

Unblocked earlier today.

Cheers,

Ivo

--- End Message ---
