Bug#960396: web security flaws in src:adminer/4.7.1-1 in stable?
Hi,
> Thanks. Can you attach the debdiff between the current version in
> buster and the proposed one to this bug?
Here it is.
Alex
diff -Nru adminer-4.7.1/debian/adminer.apache2 adminer-4.7.1/debian/adminer.apache2
--- adminer-4.7.1/debian/adminer.apache2 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/adminer.apache2 2021-03-08 13:31:21.000000000 +0100
@@ -0,0 +1 @@
+conf debian/adminer.conf
diff -Nru adminer-4.7.1/debian/adminer.conf adminer-4.7.1/debian/adminer.conf
--- adminer-4.7.1/debian/adminer.conf 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/adminer.conf 2021-03-08 13:31:21.000000000 +0100
@@ -0,0 +1,6 @@
+Alias /adminer /etc/adminer
+
+<Directory /etc/adminer>
+ Require all granted
+ DirectoryIndex conf.php
+</Directory>
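Review bot: The `Alias /adminer /etc/adminer` block serves the whole directory, so everything placed beside conf.php is reachable over HTTP: editor backups such as `conf.php~` or `.conf.php.swp` are served verbatim, which matters once an admin has put server credentials into conf.php as the commented example there invites. Restricting the directory to the one entry point keeps that from leaking, e.g. inside the `<Directory>` block add `<FilesMatch "^(?!conf\.php$)">` / `    Require all denied` / `</FilesMatch>`. Since a single `a2enconf adminer` exposes the tool to every client, it is also worth considering `Require local` as the shipped default and documenting how to widen it in README.Debian; I cannot tell from the diff whether the maintainers discussed that trade-off.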
diff -Nru adminer-4.7.1/debian/changelog adminer-4.7.1/debian/changelog
--- adminer-4.7.1/debian/changelog 2019-01-29 09:37:13.000000000 +0100
+++ adminer-4.7.1/debian/changelog 2021-05-26 09:06:37.000000000 +0200
@@ -1,3 +1,17 @@
+adminer (4.7.1-1+deb10u1) buster; urgency=medium
+
+ * provide a compiled version and configuration files (Closes: #952755)
+ * privacy: default to disable check for new version
+ * Backport security patch series from upstream:
+ - Fix open redirect if Adminer is accessible at //adminer.php%2F@
+ - Fix XSS if Adminer is accessible at URL /data
+ - CVE-2020-35572: Fix XSS in browsers which don't encode URL parameters
+ - CVE-2021-21311: Elasticsearch: Do not print response if HTTP code is
+ not 200
+ - CVE-2021-29625: XSS in doc_link
+
+ -- Alexandre Rossi <alexandre.rossi@gmail.com> Wed, 26 May 2021 09:06:37 +0200
+
adminer (4.7.1-1) unstable; urgency=medium
* New upstream release.
diff -Nru adminer-4.7.1/debian/conf.php adminer-4.7.1/debian/conf.php
--- adminer-4.7.1/debian/conf.php 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/conf.php 2021-03-08 13:31:21.000000000 +0100
@@ -0,0 +1,33 @@
+<?php
+
+define('ADMINER_DIR', '/usr/share/adminer');
+
+function adminer_object() {
+ // required to run any plugin
+ include_once ADMINER_DIR . "/plugins/plugin.php";
+
+ // autoloader
+ foreach (glob(ADMINER_DIR . "/plugins/*.php") as $filename) {
+ include_once $filename;
+ }
+
+ $plugins = array(
+ // specify enabled plugins here
+ new AdminerVersionNoverify(), // disable phoning home
+ //new AdminerLoginServers([
+ // 'my' => ['server' => 'localhost', 'driver' => 'server'], // mysql
+ // 'pg' => ['server' => 'localhost', 'driver' => 'pgsql'],
+ //]),
+ );
+
+ /* It is possible to combine customization and plugins:
+ class AdminerCustomization extends AdminerPlugin {
+ }
+ return new AdminerCustomization($plugins);
+ */
+
+ return new AdminerPlugin($plugins);
+}
+
+include ADMINER_DIR . "/adminer.php";
+?>
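Review bot: conf.php is where an admin is expected to enable `AdminerLoginServers` with server addresses and, by extension, credentials (see the commented example in the `$plugins` array), yet it is installed as a plain conffile under /etc/adminer and nothing on the page tightens its mode, so a comment above the array such as `// if you put credentials here, restrict this file's permissions to the web server user` would be a cheap safeguard. Separately, the closing `?>` on the last line is unnecessary in a file that only includes adminer.php and risks emitting stray whitespace after the tag; the usual PHP convention is to omit it.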
diff -Nru adminer-4.7.1/debian/control adminer-4.7.1/debian/control
--- adminer-4.7.1/debian/control 2019-01-29 09:37:13.000000000 +0100
+++ adminer-4.7.1/debian/control 2021-05-26 09:06:37.000000000 +0200
@@ -3,7 +3,7 @@
Priority: optional
Maintainer: Chris Lamb <lamby@debian.org>
Build-Depends:
- debhelper-compat (= 11),
+ debhelper-compat (= 11), php-cli, dh-apache2
Standards-Version: 4.3.0
Homepage: https://www.adminer.org/
Vcs-Git: https://salsa.debian.org/lamby/pkg-adminer.git
@@ -20,6 +20,7 @@
php-mysql,
php-pgsql,
php-sqlite3,
+ ${misc:Recommends},
Suggests:
default-mysql-server | virtual-mysql-server | postgresql | sqlite3,
Description: Web-based database administration tool
diff -Nru adminer-4.7.1/debian/install adminer-4.7.1/debian/install
--- adminer-4.7.1/debian/install 2019-01-29 09:37:13.000000000 +0100
+++ adminer-4.7.1/debian/install 2021-03-08 13:31:21.000000000 +0100
@@ -4,3 +4,4 @@
editor usr/share/adminer
externals usr/share/adminer
plugins usr/share/adminer
+debian/conf.php etc/adminer/
diff -Nru adminer-4.7.1/debian/patches/6a2de873e194cf4bf3f2edb489ba98580a17a632.patch adminer-4.7.1/debian/patches/6a2de873e194cf4bf3f2edb489ba98580a17a632.patch
--- adminer-4.7.1/debian/patches/6a2de873e194cf4bf3f2edb489ba98580a17a632.patch 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/patches/6a2de873e194cf4bf3f2edb489ba98580a17a632.patch 2021-05-26 09:06:37.000000000 +0200
@@ -0,0 +1,44 @@
+From 6a2de873e194cf4bf3f2edb489ba98580a17a632 Mon Sep 17 00:00:00 2001
+From: Jakub Vrana <jakub@vrana.cz>
+Date: Mon, 11 May 2020 11:49:46 +0200
+Subject: [PATCH] Fix open redirect if Adminer is accessible at
+ //adminer.php%2F@ (thanks to Prakash Sharma)
+
+diff --git a/adminer/include/bootstrap.inc.php b/adminer/include/bootstrap.inc.php
+index 00baf919..621ec465 100644
+--- a/adminer/include/bootstrap.inc.php
++++ b/adminer/include/bootstrap.inc.php
+@@ -84,7 +84,7 @@
+
+ define("SERVER", $_GET[DRIVER]); // read from pgsql=localhost
+ define("DB", $_GET["db"]); // for the sake of speed and size
+-define("ME", str_replace(":", "%3a", preg_replace('~^[^?]*/([^?]*).*~', '\1', $_SERVER["REQUEST_URI"])) . '?'
++define("ME", str_replace(":", "%3a", preg_replace('~\?.*~', '', relative_uri())) . '?'
+ . (sid() ? SID . '&' : '')
+ . (SERVER !== null ? DRIVER . "=" . urlencode(SERVER) . '&' : '')
+ . (isset($_GET["username"]) ? "username=" . urlencode($_GET["username"]) . '&' : '')
+diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php
+index 787ab79b..adcf1fbd 100644
+--- a/adminer/include/functions.inc.php
++++ b/adminer/include/functions.inc.php
+@@ -721,12 +721,19 @@ function format_time($start) {
+ return lang('%.3f s', max(0, microtime(true) - $start));
+ }
+
++/** Get relative REQUEST_URI
++* @return string
++*/
++function relative_uri() {
++ return preg_replace('~^[^?]*/([^?]*)~', '\1', $_SERVER["REQUEST_URI"]);
++}
++
+ /** Remove parameter from query string
+ * @param string
+ * @return string
+ */
+ function remove_from_uri($param = "") {
+- return substr(preg_replace("~(?<=[?&])($param" . (SID ? "" : "|" . session_name()) . ")=[^&]*&~", '', "$_SERVER[REQUEST_URI]&"), 0, -1);
++ return substr(preg_replace("~(?<=[?&])($param" . (SID ? "" : "|" . session_name()) . ")=[^&]*&~", '', relative_uri() . "&"), 0, -1);
+ }
+
+ /** Generate page number for pagination
diff -Nru adminer-4.7.1/debian/patches/789ebc07bdac01ab8b99ad831eba872849eaa7fe.patch adminer-4.7.1/debian/patches/789ebc07bdac01ab8b99ad831eba872849eaa7fe.patch
--- adminer-4.7.1/debian/patches/789ebc07bdac01ab8b99ad831eba872849eaa7fe.patch 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/patches/789ebc07bdac01ab8b99ad831eba872849eaa7fe.patch 2021-05-26 09:06:37.000000000 +0200
@@ -0,0 +1,18 @@
+From 789ebc07bdac01ab8b99ad831eba872849eaa7fe Mon Sep 17 00:00:00 2001
+From: Jakub Vrana <jakub@vrana.cz>
+Date: Tue, 22 Oct 2019 08:30:32 +0200
+Subject: [PATCH] Fix XSS if Adminer is accessible at URL /data:
+
+diff --git a/adminer/include/bootstrap.inc.php b/adminer/include/bootstrap.inc.php
+index 9f09b326..00baf919 100644
+--- a/adminer/include/bootstrap.inc.php
++++ b/adminer/include/bootstrap.inc.php
+@@ -84,7 +84,7 @@
+
+ define("SERVER", $_GET[DRIVER]); // read from pgsql=localhost
+ define("DB", $_GET["db"]); // for the sake of speed and size
+-define("ME", preg_replace('~^[^?]*/([^?]*).*~', '\1', $_SERVER["REQUEST_URI"]) . '?'
++define("ME", str_replace(":", "%3a", preg_replace('~^[^?]*/([^?]*).*~', '\1', $_SERVER["REQUEST_URI"])) . '?'
+ . (sid() ? SID . '&' : '')
+ . (SERVER !== null ? DRIVER . "=" . urlencode(SERVER) . '&' : '')
+ . (isset($_GET["username"]) ? "username=" . urlencode($_GET["username"]) . '&' : '')
diff -Nru adminer-4.7.1/debian/patches/CVE-2020-35572.patch adminer-4.7.1/debian/patches/CVE-2020-35572.patch
--- adminer-4.7.1/debian/patches/CVE-2020-35572.patch 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/patches/CVE-2020-35572.patch 2021-05-26 09:06:37.000000000 +0200
@@ -0,0 +1,17 @@
+From 5c395afc098e501be3417017c6421968aac477bd Mon Sep 17 00:00:00 2001
+From: Jakub Vrana <jakub@vrana.cz>
+Date: Sat, 6 Feb 2021 19:04:15 +0100
+Subject: [PATCH] Fix XSS in browsers which don't encode URL parameters (bug
+ #775)
+
+--- a/adminer/sql.inc.php
++++ b/adminer/sql.inc.php
+@@ -222,7 +222,7 @@
+ }
+ echo "<p>";
+ textarea("query", $q, 20);
+- echo script(($_POST ? "" : "qs('textarea').focus();\n") . "qs('#form').onsubmit = partial(sqlSubmit, qs('#form'), '" . remove_from_uri("sql|limit|error_stops|only_errors") . "');");
++ echo script(($_POST ? "" : "qs('textarea').focus();\n") . "qs('#form').onsubmit = partial(sqlSubmit, qs('#form'), '" . js_escape(remove_from_uri("sql|limit|error_stops|only_errors|history")) . "');");
+ echo "<p>$execute\n";
+ echo lang('Limit rows') . ": <input type='number' name='limit' class='size' value='" . h($_POST ? $_POST["limit"] : $_GET["limit"]) . "'>\n";
+
diff -Nru adminer-4.7.1/debian/patches/CVE-2021-21311.patch adminer-4.7.1/debian/patches/CVE-2021-21311.patch
--- adminer-4.7.1/debian/patches/CVE-2021-21311.patch 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/patches/CVE-2021-21311.patch 2021-05-26 09:06:37.000000000 +0200
@@ -0,0 +1,17 @@
+From ccd2374b0b12bd547417bf0dacdf153826c83351 Mon Sep 17 00:00:00 2001
+From: Jakub Vrana <jakub@vrana.cz>
+Date: Fri, 5 Feb 2021 16:16:23 +0100
+Subject: [PATCH] Elasticsearch: Do not print response if HTTP code is not 200
+ Thanks to Adam Crosser and Brian Sizemore
+
+--- a/adminer/drivers/elastic.inc.php
++++ b/adminer/drivers/elastic.inc.php
+@@ -27,7 +27,7 @@
+ return $file;
+ }
+ if (!preg_match('~^HTTP/[0-9.]+ 2~i', $http_response_header[0])) {
+- $this->error = $file;
++ $this->error = lang('Invalid credentials.') . " $http_response_header[0]";
+ return false;
+ }
+ $return = json_decode($file, true);
diff -Nru adminer-4.7.1/debian/patches/CVE-2021-29625.patch adminer-4.7.1/debian/patches/CVE-2021-29625.patch
--- adminer-4.7.1/debian/patches/CVE-2021-29625.patch 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/patches/CVE-2021-29625.patch 2021-05-26 09:06:37.000000000 +0200
@@ -0,0 +1,18 @@
+From: 4043092ec2c0de2258d60a99d0c5958637d051a7
+Author: Jakub Vrana <jakub@vrana.cz>
+Date: Fri May 14 06:39:01 2021 +0200
+Subject: Escape link in doc_link (bug #797)
+
+diff --git a/adminer/include/editing.inc.php b/adminer/include/editing.inc.php
+index 88d66d44..5556b014 100644
+--- a/adminer/include/editing.inc.php
++++ b/adminer/include/editing.inc.php
+@@ -542,7 +542,7 @@ function doc_link($paths, $text = "<sup>?</sup>") {
+ $urls['sql'] = "https://mariadb.com/kb/en/library/";
+ $paths['sql'] = (isset($paths['mariadb']) ? $paths['mariadb'] : str_replace(".html", "/", $paths['sql']));
+ }
+- return ($paths[$jush] ? "<a href='$urls[$jush]$paths[$jush]'" . target_blank() . ">$text</a>" : "");
++ return ($paths[$jush] ? "<a href='" . h($urls[$jush] . $paths[$jush]) . "'" . target_blank() . ">$text</a>" : "");
+ }
+
+ /** Wrap gzencode() for usage in ob_start()
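Review bot: The first header line, `From: 4043092ec2c0de2258d60a99d0c5958637d051a7`, is neither the `From <sha> Mon Sep 17 00:00:00 2001` line that git-format-patch produces nor a DEP-3 field, so neither `git am` nor DEP-3 tooling can attribute this backport to its upstream commit, unlike the other backports in this series which keep their git headers. I would rewrite the header as `Origin: upstream, <URL of upstream commit 4043092ec2c0de2258d60a99d0c5958637d051a7>` and `Bug: <upstream tracker URL for bug #797>`, keeping the `Subject:` line; the CVE identifier CVE-2021-29625 from the changelog belongs in the description too, since the file name is the only place it appears.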
diff -Nru adminer-4.7.1/debian/patches/plugin-version-noverify-fix adminer-4.7.1/debian/patches/plugin-version-noverify-fix
--- adminer-4.7.1/debian/patches/plugin-version-noverify-fix 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/patches/plugin-version-noverify-fix 2021-05-26 09:06:37.000000000 +0200
@@ -0,0 +1,17 @@
+Author: Alexandre Rossi <alexandre.rossi@gmail.com>
+Description: Fix VersionNoverify plugin
+Forwarded: https://sourceforge.net/p/adminer/bugs-and-features/705/
+
+Index: adminer.git/plugins/version-noverify.php
+===================================================================
+--- adminer.git.orig/plugins/version-noverify.php 2019-09-06 10:10:29.544811633 +0200
++++ adminer.git/plugins/version-noverify.php 2019-09-06 10:11:18.181666258 +0200
+@@ -8,7 +8,7 @@
+ */
+ class AdminerVersionNoverify {
+
+- function navigation($missing) {
++ function head() {
+ echo script("verifyVersion = function () {};");
+ }
+
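Review bot: The `Description: Fix VersionNoverify plugin` line does not say what was broken, so a reader cannot tell why `navigation($missing)` is replaced by `head()`; one sentence explaining the hook change (presumably `navigation` is not the hook upstream's script expects, but I cannot confirm that from the diff) would help whoever rebases this. Note also that the plugin only takes effect when it is instantiated through conf.php, so the changelog entry "privacy: default to disable check for new version" holds for the /etc/adminer deployment only; the symlink deployment that README.Debian lists first still runs the upstream version check, and README.Debian should say so.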
diff -Nru adminer-4.7.1/debian/patches/series adminer-4.7.1/debian/patches/series
--- adminer-4.7.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/patches/series 2021-05-26 09:06:37.000000000 +0200
@@ -0,0 +1,6 @@
+CVE-2021-29625.patch
+plugin-version-noverify-fix
+789ebc07bdac01ab8b99ad831eba872849eaa7fe.patch
+6a2de873e194cf4bf3f2edb489ba98580a17a632.patch
+CVE-2020-35572.patch
+CVE-2021-21311.patch
diff -Nru adminer-4.7.1/debian/README.Debian adminer-4.7.1/debian/README.Debian
--- adminer-4.7.1/debian/README.Debian 1970-01-01 01:00:00.000000000 +0100
+++ adminer-4.7.1/debian/README.Debian 2021-03-08 13:31:21.000000000 +0100
@@ -0,0 +1,59 @@
+# Setup overview
+
+The compiled version of adminer is located at /usr/share/adminer/adminer.php
+
+The recommended ways to deploy adminer are:
+- symlinking adminer.php into your directory of choice viewable by a
+ php-enabled webserver.
+- if you want to enable plugins, pointing your webserver configuration to
+ /etc/adminer with conf.php a directory index. Editing conf.php lets you
+ enable plugins.
+
+The compiled version for the editor is located at /usr/share/adminer/editor.php
+
+# Setup for standalone workstation
+
+The simplest way to run adminer consists in the following:
+$ cd /usr/share/adminer
+$ php -S localhost:8000
+
+and you'll find adminer at http://localhost:8000/adminer/ .
+
+# Setup with apache
+
+Enabling the adminer configuration should make adminer available at
+http://server/adminer work provided you have libapache2-mod-php enabled.
+
+$ sudo a2enconf adminer
+
+# Setup with apache+uwsgi
+
+uwsgi configuration file:
+
+ [uwsgi]
+ master = True
+ cheap = True
+
+ plugins = 0:php
+
+ project_dir = /etc/adminer
+ chdir = %(project_dir)
+ php-docroot = %(project_dir)
+ php-index = conf.php
+
+ plugins = router_rewrite
+ route = ^/adminer/(.*) rewrite:/conf.php
+
+ buffer-size = 8192
+
+ # PHP sessions storage
+ cache2 = name=dbadmsessions,items=200,store=/var/lib/www/adminer/uwsgi.cache,expires=3600
+ php-set = session.save_handler=uwsgi
+ php-set = session.save_path=dbadmsessions
+
+apache:
+
+ ProxyPassMatch "^/adminer/(.*)?$" "unix:/var/run/uwsgi/adminer.socket|uwsgi://uwsgi-uds-adminer/"
+ <Location /adminer>
+ Require all granted
+ </Location>
diff -Nru adminer-4.7.1/debian/rules adminer-4.7.1/debian/rules
--- adminer-4.7.1/debian/rules 2019-01-29 09:37:13.000000000 +0100
+++ adminer-4.7.1/debian/rules 2021-03-08 13:31:21.000000000 +0100
@@ -3,7 +3,7 @@
SHARE := $(CURDIR)/debian/$(shell dh_listpackages)/usr/share
%:
- dh $@
+ dh $@ --with apache2
override_dh_installchangelogs:
dh_installchangelogs changes.txt
@@ -15,3 +15,17 @@
set -e; for X in designs plugins; do \
mv -v $(SHARE)/adminer/$$X/readme.txt $(SHARE)/doc/adminer/readme-$$X.txt; \
done
+
+override_dh_auto_build:
+ dh_auto_build
+ php compile.php
+ mv adminer-*.php adminer.php
+ php compile.php editor
+ mv editor-*.php editor.php
+
+override_dh_apache2:
+ dh_apache2 --noenable
+
+override_dh_auto_clean:
+ rm -f adminer*.php editor*.php
+ dh_auto_clean