
Bug#893803: stretch-pu: package adminer/4.2.5-3+deb9u1



tags 893803 + pending
thanks

Dear Adam,

> >   adminer (4.2.5-3+deb9u1) stretch; urgency=high
[…]
> s/coul /could /

Well spotted and thanks for the ACK. adminer_4.2.5-3+deb9u1_amd64.changes
uploaded. For completeness, I've also attached the full updated debdiff.

(I assume another RT member is responsible for ACK/NACK on jessie's
equivalent here? i.e. #893804)


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
diffstat for adminer-4.2.5 adminer-4.2.5

 changelog                   |    9 +++++++++
 patches/CVE-2018-7667.patch |   13 +++++++++++++
 patches/series              |    1 +
 3 files changed, 23 insertions(+)

diff -Nru adminer-4.2.5/debian/changelog adminer-4.2.5/debian/changelog
--- adminer-4.2.5/debian/changelog	2016-09-04 09:16:31.000000000 +0100
+++ adminer-4.2.5/debian/changelog	2018-03-21 02:40:06.000000000 +0000
@@ -1,3 +1,12 @@
+adminer (4.2.5-3+deb9u1) stretch; urgency=high
+
+  * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated
+    to arbitrary systems and ports which could bypass external firewalls to
+    identify internal hosts and/or perform port scanning of other servers.
+    (Closes: #893668)
+
+ -- Chris Lamb <lamby@debian.org>  Tue, 20 Mar 2018 22:40:06 -0400
+
 adminer (4.2.5-3) unstable; urgency=medium
 
   * Move mysql-server to default-mysql-server due to
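Review bot: the changelog entry describes the vulnerability but not what the accompanying patch actually does, and for a stable update the entry should say how the issue is mitigated. Since the patch (patches/CVE-2018-7667.patch) rejects connections to privileged ports (< 1024) rather than to "arbitrary systems" in general, consider adding a line such as "Reject connections to privileged ports." so that readers of the stretch changelog know the scope of the fix.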
diff -Nru adminer-4.2.5/debian/patches/CVE-2018-7667.patch adminer-4.2.5/debian/patches/CVE-2018-7667.patch
--- adminer-4.2.5/debian/patches/CVE-2018-7667.patch	1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.2.5/debian/patches/CVE-2018-7667.patch	2018-03-21 02:40:06.000000000 +0000
@@ -0,0 +1,13 @@
+--- a/adminer/include/auth.inc.php
++++ b/adminer/include/auth.inc.php
+@@ -162,6 +162,10 @@ if (isset($_GET["username"])) {
+ 		page_footer("auth");
+ 		exit;
+ 	}
++	list($host, $port) = explode(":", SERVER, 2);
++	if (is_numeric($port) && $port < 1024) {
++		auth_error('Connecting to privileged ports is not allowed.');
++	}
+ 	$connection = connect();
+ }
+ 
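Review bot: the new check assumes SERVER always contains a ":" separator, but `list($host, $port) = explode(":", SERVER, 2);` yields a one-element array for a bare hostname (the common case), so the assignment to $port raises an "Undefined offset: 1" notice on every login; pad the result first, e.g. `list($host, $port) = array_pad(explode(":", SERVER, 2), 2, null);`, or guard with `strpos(SERVER, ":") !== false`. The same split does not cope with IPv6 literals, whose own colons end up in $port, so `is_numeric($port)` is false and the privileged-port check is not applied to them; documenting that limitation (or parsing the port from the last ":" only) would be worthwhile. Separately, the patch file carries no DEP-3 header (Description, Origin, Bug, Bug-Debian); please add one naming CVE-2018-7667 and #893668 and whether this is an upstream commit or a Debian-specific fix.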
diff -Nru adminer-4.2.5/debian/patches/series adminer-4.2.5/debian/patches/series
--- adminer-4.2.5/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.2.5/debian/patches/series	2018-03-21 02:40:06.000000000 +0000
@@ -0,0 +1 @@
+CVE-2018-7667.patch
