
Bug#1007183: buster-pu: package libphp-adodb/5.20.14-1



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

Hello

I'd like to patch CVE-2021-3850.

The one-line patch is already released in sid, and in old-old-security
as version 5.20.9-1+deb9u1 thanks to the ELTS team.

The patch, from upstream, removes the detection of a string being 
already quoted. This results in the proper escaping always taking place.
Note that this function is only called for escaping pg_connect arguments.

Is that ok?

Tell me if you think it's better to upload in buster-security.
diff -Nru libphp-adodb-5.20.14/debian/changelog libphp-adodb-5.20.14/debian/changelog
--- libphp-adodb-5.20.14/debian/changelog	2019-01-07 07:18:32.000000000 +0100
+++ libphp-adodb-5.20.14/debian/changelog	2022-03-12 21:40:01.000000000 +0100
@@ -1,3 +1,10 @@
+libphp-adodb (5.20.14-1+deb10u1) buster; urgency=high
+
+  * Add patch to prevent auth bypass with PostgreSQL
+    connections. (Fixes: CVE-2021-3850) (Closes: #1004376)
+
+ -- Jean-Michel Vourgère <nirgal@debian.org>  Sat, 12 Mar 2022 21:40:01 +0100
+
 libphp-adodb (5.20.14-1) unstable; urgency=medium
 
   * New upstream version.
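Review bot: the new 5.20.14-1+deb10u1 entry names the CVE and the Debian bug but not the file that carries the fix or its origin. Mentioning debian/patches/CVE-2021-3850.patch and the upstream commit 952de6c4273d9b1e91c2b838044f8c2111150c29 quoted in that patch's header would let someone reading only the changelog trace the change.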
diff -Nru libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch
--- libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch	1970-01-01 01:00:00.000000000 +0100
+++ libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch	2022-02-06 09:56:10.000000000 +0100
@@ -0,0 +1,26 @@
+From 952de6c4273d9b1e91c2b838044f8c2111150c29 Mon Sep 17 00:00:00 2001
+From: Damien Regad <dregad@mantisbt.org>
+Date: Mon, 10 Jan 2022 09:41:32 +0100
+Subject: [PATCH] Prevent auth bypass with PostgreSQL connections
+
+Thanks to Emmet Leahy of Sorcery Ltd for reporting this vulnerability
+(CVE-2021-3850).
+
+This is a minimalistic approach to patch the issue, to reduce the risk
+of causing regressions in the legacy stable branch.
+
+Fixes #793
+---
+ drivers/adodb-postgres64.inc.php | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/adodb-postgres64.inc.php
++++ b/drivers/adodb-postgres64.inc.php
+@@ -51,7 +51,6 @@
+ {
+ 	$len = strlen($s);
+ 	if ($len == 0) return "''";
+-	if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted
+ 
+ 	return "'".addslashes($s)."'";
+ }
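Review bot: dropping the "already quoted" early return (the removed strncmp line) changes the result for any caller that wraps the value in single quotes itself, because those quotes are now escaped by addslashes() and become part of the value. It is worth confirming that no caller pre-quotes, and adding a test with an input that starts and ends with ' so the new behaviour stays pinned. The patch header could also reference #1004376, which currently appears only in the changelog.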
diff -Nru libphp-adodb-5.20.14/debian/patches/series libphp-adodb-5.20.14/debian/patches/series
--- libphp-adodb-5.20.14/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libphp-adodb-5.20.14/debian/patches/series	2022-02-06 09:55:43.000000000 +0100
@@ -0,0 +1 @@
+CVE-2021-3850.patch
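
A round-trip check for the behaviour the message describes, as an added example that is not code from ADOdb or from the Debian package. The names `quote_before`, `quote_after` and `unquote_single` are hypothetical; the two quoting bodies are taken from the hunk above, and the decoder assumes the libpq connection-string rule that a backslash escapes the next character inside single quotes.

```php
<?php
// Added example, not ADOdb code. Function names are hypothetical; the two
// quoting bodies mirror the hunk above, before and after the deletion.

function quote_before(string $s): string
{
    $len = strlen($s);
    if ($len == 0) return "''";
    if (strncmp($s, "'", 1) === 0 && substr($s, $len - 1) == "'") return $s; // already quoted
    return "'" . addslashes($s) . "'";
}

function quote_after(string $s): string
{
    if (strlen($s) == 0) return "''";
    return "'" . addslashes($s) . "'";
}

// Decode one single-quoted value where a backslash escapes the next character.
// Returns null unless $q is exactly one quoted token from start to end.
function unquote_single(string $q): ?string
{
    $n = strlen($q);
    if ($n < 2 || $q[0] !== "'") return null;
    $out = '';
    for ($i = 1; $i < $n; $i++) {
        $c = $q[$i];
        if ($c === '\\') {
            if (++$i >= $n) return null;        // dangling backslash
            $out .= $q[$i];
        } elseif ($c === "'") {
            return $i === $n - 1 ? $out : null; // closing quote must be last
        } else {
            $out .= $c;
        }
    }
    return null; // no closing quote
}

// Constructed sample values, including ones that start and end with a quote.
$samples = ['', 'plain', "O'Brien", 'back\\slash', "'wrapped'", "'"];
foreach ($samples as $s) {
    printf("%-12s before=%-4s after=%s\n",
        var_export($s, true),
        unquote_single(quote_before($s)) === $s ? 'ok' : 'FAIL',
        unquote_single(quote_after($s)) === $s ? 'ok' : 'FAIL');
}
```

Only the last two samples differ: with the early return in place they are passed through unescaped and do not decode back to the original value, while the patched body round-trips every sample.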
