
Bug#1007183: marked as done (buster-pu: package libphp-adodb/5.20.14-1)



Your message dated Sun, 13 Mar 2022 11:08:43 +0100
with message-id <5023343.8jc8pb4lGu@giga>
and subject line Re: buster-pu, bullseye-pu: package libphp-adodb
has caused the Debian Bug report #1007183,
regarding buster-pu: package libphp-adodb/5.20.14-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1007183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007183
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

Hello

I'd like to patch CVE-2021-3850

The one-line patch is already released in sid, and in old-old-security
as version 5.20.9-1+deb9u1 thanks to the ELTS team.

The patch, from upstream, removes the detection of a string being 
already quoted. This results in the proper escaping always taking place.
Note that this function is only called for escaping pg_connect arguments.

Is that ok?

Tell me if you think it's better to upload in buster-security.
diff -Nru libphp-adodb-5.20.14/debian/changelog libphp-adodb-5.20.14/debian/changelog
--- libphp-adodb-5.20.14/debian/changelog	2019-01-07 07:18:32.000000000 +0100
+++ libphp-adodb-5.20.14/debian/changelog	2022-03-12 21:40:01.000000000 +0100
@@ -1,3 +1,10 @@
+libphp-adodb (5.20.14-1+deb10u1) buster; urgency=high
+
+  * Add patch to prevent auth bypass with PostgreSQL
+    connections. (Fixes: CVE-2021-3850) (Closes: #1004376)
+
+ -- Jean-Michel Vourgère <nirgal@debian.org>  Sat, 12 Mar 2022 21:40:01 +0100
+
 libphp-adodb (5.20.14-1) unstable; urgency=medium
 
   * New upstream version.
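Review bot: The new entry at the top of debian/changelog targets `buster`, while the request leaves open whether the upload should go to buster-security; if it goes through the security archive, the distribution field has to read buster-security before upload. The entry could also name the patch file (debian/patches/CVE-2021-3850.patch) so the changelog alone identifies what was added.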
diff -Nru libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch
--- libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch	1970-01-01 01:00:00.000000000 +0100
+++ libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch	2022-02-06 09:56:10.000000000 +0100
@@ -0,0 +1,26 @@
+From 952de6c4273d9b1e91c2b838044f8c2111150c29 Mon Sep 17 00:00:00 2001
+From: Damien Regad <dregad@mantisbt.org>
+Date: Mon, 10 Jan 2022 09:41:32 +0100
+Subject: [PATCH] Prevent auth bypass with PostgreSQL connections
+
+Thanks to Emmet Leahy of Sorcery Ltd for reporting this vulnerability
+(CVE-2021-3850).
+
+This is a minimalistic approach to patch the issue, to reduce the risk
+of causing regressions in the legacy stable branch.
+
+Fixes #793
+---
+ drivers/adodb-postgres64.inc.php | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/adodb-postgres64.inc.php
++++ b/drivers/adodb-postgres64.inc.php
+@@ -51,7 +51,6 @@
+ {
+ 	$len = strlen($s);
+ 	if ($len == 0) return "''";
+-	if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted
+ 
+ 	return "'".addslashes($s)."'";
+ }
diff -Nru libphp-adodb-5.20.14/debian/patches/series libphp-adodb-5.20.14/debian/patches/series
--- libphp-adodb-5.20.14/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libphp-adodb-5.20.14/debian/patches/series	2022-02-06 09:55:43.000000000 +0100
@@ -0,0 +1 @@
+CVE-2021-3850.patch



--- End Message ---
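
The effect of the removed line described in the request above, as an added example that is not part of the original message or of ADOdb: `quote_before()` and `quote_after()` are hypothetical names whose bodies are copied from the hunk, `is_single_quoted_token()` is a helper written for this example, and the sample values are constructed.

```php
<?php
// Added example, not ADOdb code. quote_before()/quote_after() are hypothetical
// names; their bodies are copied from the hunk's removed and context lines.

function quote_before(string $s): string      // pre-patch behaviour
{
    $len = strlen($s);
    if ($len == 0) return "''";
    if (strncmp($s, "'", 1) === 0 && substr($s, $len - 1) == "'") return $s; // already quoted
    return "'" . addslashes($s) . "'";
}

function quote_after(string $s): string       // patched behaviour
{
    $len = strlen($s);
    if ($len == 0) return "''";
    return "'" . addslashes($s) . "'";
}

// True when $q is exactly one quoted value: it opens and closes with a quote
// and contains no unescaped quote in between.
function is_single_quoted_token(string $q): bool
{
    $n = strlen($q);
    if ($n < 2 || $q[0] !== "'" || $q[$n - 1] !== "'") return false;
    for ($i = 1; $i < $n - 1; $i++) {
        if ($q[$i] === '\\') {                 // skip the escaped character
            if (++$i >= $n - 1) return false;  // the closing quote itself was escaped
            continue;
        }
        if ($q[$i] === "'") return false;      // unescaped quote ends the value early
    }
    return true;
}

// Constructed sample values; the last one starts and ends with a quote.
$samples = ["plain", "O'Brien", "'x' y'"];

foreach ($samples as $s) {
    foreach (['before' => 'quote_before', 'after' => 'quote_after'] as $label => $fn) {
        $q = $fn($s);
        printf("%-6s %-10s -> %-14s %s\n", $label, $s, $q,
            is_single_quoted_token($q) ? 'one value' : 'NOT one value');
    }
}
```

Only the pre-patch function returns the third sample unchanged, so its inner quote stays unescaped; the patched function yields a single quoted value for all three samples.
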
--- Begin Message ---
Hi

Similar fixes were uploaded yesterday by carnil in buster-security and in
bullseye-security (thanks!)

As a result, #1007181 and #100783 are no longer relevant.

Closing

--- End Message ---
