Bug#893803: stretch-pu: package adminer/4.2.5-3+deb9u1

To: submit@bugs.debian.org
Subject: Bug#893803: stretch-pu: package adminer/4.2.5-3+deb9u1
From: Chris Lamb <lamby@debian.org>
Date: Thu, 22 Mar 2018 15:05:47 +0000
Message-id: <[🔎] 1521731147.2094583.1312405232.3DC4EFAF@webmail.messagingengine.com>
Reply-to: Chris Lamb <lamby@debian.org>, 893803@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear stable release manager,

Please consider adminer (4.2.5-3+deb9u1) for stretch:
  
  adminer (4.2.5-3+deb9u1) stretch; urgency=high
  
    * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated
      to arbitrary systems and ports which coul bypass external firewalls to
      identify internal hosts and/or perform port scanning of other servers.
      (Closes: #893668)


The full diff is attached.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

commit f195f52274eef1cbea6c268c2b236bd299b7592c
Author: Chris Lamb <lamby@debian.org>
Date:   Thu Mar 22 11:04:48 2018 -0400

    CVE-2018-7667

diff --git a/debian/changelog b/debian/changelog
index 47403b2..8445861 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+adminer (4.2.5-3+deb9u1) stretch; urgency=high
+
+  * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated
+    to arbitrary systems and ports which coul bypass external firewalls to
+    identify internal hosts and/or perform port scanning of other servers.
+    (Closes: #893668)
+
+ -- Chris Lamb <lamby@debian.org>  Tue, 20 Mar 2018 22:40:06 -0400
+
 adminer (4.2.5-3) unstable; urgency=medium
 
   * Move mysql-server to default-mysql-server due to
diff --git a/debian/patches/CVE-2018-7667.patch b/debian/patches/CVE-2018-7667.patch
new file mode 100644
index 0000000..1d445a2
--- /dev/null
+++ b/debian/patches/CVE-2018-7667.patch
@@ -0,0 +1,13 @@
+--- pkg-adminer.orig/adminer/include/auth.inc.php
++++ pkg-adminer/adminer/include/auth.inc.php
+@@ -90,6 +90,10 @@ if (isset($_GET["username"])) {
+ 		page_footer("auth");
+ 		exit;
+ 	}
++	list($host, $port) = explode(":", SERVER, 2);
++	if (is_numeric($port) && $port < 1024) {
++		auth_error('Connecting to privileged ports is not allowed.');
++	}
+ 	$connection = connect();
+ }
+ if (is_string($connection) || !$adminer->login($_GET["username"], get_session("pwds"))) {
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..e4d99c3
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2018-7667.patch

Reply to:

Follow-Ups:
- Processed: Re: Bug#893803: stretch-pu: package adminer/4.2.5-3+deb9u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#893803: stretch-pu: package adminer/4.2.5-3+deb9u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Processed: retitle 893765 to transition: ruby2.3 removal
Next by Date: Bug#893804: jessie-pu: package adminer/3.3.3-1+deb8u1
Previous by thread: Processed: retitle 893765 to transition: ruby2.3 removal
Next by thread: Processed: Re: Bug#893803: stretch-pu: package adminer/4.2.5-3+deb9u1
Index(es):
- Date
- Thread