Your message dated Sun, 13 Mar 2022 11:08:43 +0100 with message-id <5023343.8jc8pb4lGu@giga> and subject line Re: buster-pu, bullseye-pu: package libphp-adodb has caused the Debian Bug report #1007183, regarding buster-pu: package libphp-adodb/5.20.14-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1007183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007183 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package libphp-adodb/5.20.14-1
- From: "Jean-Michel Vourgère" <jean-michel.vourgere@greenpeace.org>
- Date: Sat, 12 Mar 2022 21:48:35 +0100
- Message-id: <[🔎] 13392700.tFu2U2ve5Z@giga>
Package: release.debian.org User: release.debian.org@packages.debian.org Usertags: pu Tags: buster Severity: normal Hello I'd like to patch CVE-2021-3850 The one-line patch is already released in sid, and in old-old-security as version 5.20.9-1+deb9u1 thanks to the ELTS team. The patch, from upstream, removes the detection of a string being already quoted. This results in the proper escaping always taking place. Note that this function is only called for escaping pg_connect arguments. Is that ok? Tell me if you think it's better to upload in buster-security.diff -Nru libphp-adodb-5.20.14/debian/changelog libphp-adodb-5.20.14/debian/changelog --- libphp-adodb-5.20.14/debian/changelog 2019-01-07 07:18:32.000000000 +0100 +++ libphp-adodb-5.20.14/debian/changelog 2022-03-12 21:40:01.000000000 +0100 @@ -1,3 +1,10 @@ +libphp-adodb (5.20.14-1+deb10u1) buster; urgency=high + + * Add patch to prevent auth bypass with PostgreSQL + connections. (Fixes: CVE-2021-3850) (Closes: #1004376) + + -- Jean-Michel Vourgère <nirgal@debian.org> Sat, 12 Mar 2022 21:40:01 +0100 + libphp-adodb (5.20.14-1) unstable; urgency=medium * New upstream version. diff -Nru libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch --- libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch 1970-01-01 01:00:00.000000000 +0100 +++ libphp-adodb-5.20.14/debian/patches/CVE-2021-3850.patch 2022-02-06 09:56:10.000000000 +0100 @@ -0,0 +1,26 @@ +From 952de6c4273d9b1e91c2b838044f8c2111150c29 Mon Sep 17 00:00:00 2001 +From: Damien Regad <dregad@mantisbt.org> +Date: Mon, 10 Jan 2022 09:41:32 +0100 +Subject: [PATCH] Prevent auth bypass with PostgreSQL connections + +Thanks to Emmet Leahy of Sorcery Ltd for reporting this vulnerability +(CVE-2021-3850). + +This is a minimalistic approach to patch the issue, to reduce the risk +of causing regressions in the legacy stable branch. + +Fixes #793 +--- + drivers/adodb-postgres64.inc.php | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/adodb-postgres64.inc.php ++++ b/drivers/adodb-postgres64.inc.php +@@ -51,7 +51,6 @@ + { + $len = strlen($s); + if ($len == 0) return "''"; +- if (strncmp($s,"'",1) === 0 && substr($s,$len-1) == "'") return $s; // already quoted + + return "'".addslashes($s)."'"; + } diff -Nru libphp-adodb-5.20.14/debian/patches/series libphp-adodb-5.20.14/debian/patches/series --- libphp-adodb-5.20.14/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libphp-adodb-5.20.14/debian/patches/series 2022-02-06 09:55:43.000000000 +0100 @@ -0,0 +1 @@ +CVE-2021-3850.patchAttachment: signature.asc
Description: This is a digitally signed message part.
--- End Message ---
--- Begin Message ---
- To: 1007181-done@bugs.debian.org, 1007183-done@bugs.debian.org
- Subject: Re: buster-pu, bullseye-pu: package libphp-adodb
- From: "Jean-Michel Vourgère" <jean-michel.vourgere@greenpeace.org>
- Date: Sun, 13 Mar 2022 11:08:43 +0100
- Message-id: <5023343.8jc8pb4lGu@giga>
Hi Similar fixes were uploaded yesterday by carnil in buster-security and in bullseye-security (thanks!) As a result, #1007181 and #100783 are no longer relevant. Closing
--- End Message ---