Bug#1007948: marked as done (buster-pu: package phpliteadmin/1.9.7.1-2+deb10u1)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#1007948: marked as done (buster-pu: package phpliteadmin/1.9.7.1-2+deb10u1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 26 Mar 2022 12:07:29 +0000
Message-id: <[🔎] handler.1007948.D1007948.164829619012626.ackdone@bugs.debian.org>
Reply-to: 1007948@bugs.debian.org
References: <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk> <[🔎] becf490198d0382b0c5b70624607212b2a1f86fb.camel@guriev.su>

Your message dated Sat, 26 Mar 2022 12:02:22 +0000
with message-id <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 10.12
has caused the Debian Bug report #1007948,
regarding buster-pu: package phpliteadmin/1.9.7.1-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1007948: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007948
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: buster-pu: package phpliteadmin/1.9.7.1-2+deb10u1
From: Nicholas Guriev <nicholas@guriev.su>
Date: Sat, 19 Mar 2022 10:18:49 +0300
Message-id: <[🔎] becf490198d0382b0c5b70624607212b2a1f86fb.camel@guriev.su>

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Stable Release Managers,

This request is about updating buster.

Salvatore Bonaccorso on the Security Team suggested me to fix a revealed
XSS vulnerability trough the upcoming point release. The issue has got
the assigned number CVE-2021-46709. The proposed fix is a trivial one-
liner patch casting $_POST['num'] to (int).


[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
 phpliteadmin (1.9.7.1-2+deb10u1) buster; urgency=medium
 .
   * Fix CVE-2021-46709, an XSS issue with the num POST parameter

diffstat for phpliteadmin-1.9.7.1 phpliteadmin-1.9.7.1

 changelog                      |    6 ++++++
 patches/Fix-post-num-XSS.patch |   16 ++++++++++++++++
 patches/series                 |    1 +
 3 files changed, 23 insertions(+)

diff -Nru phpliteadmin-1.9.7.1/debian/changelog phpliteadmin-1.9.7.1/debian/changelog
--- phpliteadmin-1.9.7.1/debian/changelog	2018-05-17 20:25:20.000000000 +0300
+++ phpliteadmin-1.9.7.1/debian/changelog	2022-03-19 09:37:15.000000000 +0300
@@ -1,3 +1,9 @@
+phpliteadmin (1.9.7.1-2+deb10u1) buster; urgency=medium
+
+  * Fix CVE-2021-46709, an XSS issue with the num POST parameter
+
+ -- Nicholas Guriev <guriev-ns@ya.ru>  Sat, 19 Mar 2022 09:37:15 +0300
+
 phpliteadmin (1.9.7.1-2) unstable; urgency=medium
 
   * Fix CVE-2018-10362 by Fix-authentication-bypass.patch (closes: #896682)
diff -Nru phpliteadmin-1.9.7.1/debian/patches/Fix-post-num-XSS.patch phpliteadmin-1.9.7.1/debian/patches/Fix-post-num-XSS.patch
--- phpliteadmin-1.9.7.1/debian/patches/Fix-post-num-XSS.patch	1970-01-01 03:00:00.000000000 +0300
+++ phpliteadmin-1.9.7.1/debian/patches/Fix-post-num-XSS.patch	2022-03-19 09:35:27.000000000 +0300
@@ -0,0 +1,16 @@
+Description: Fix an XSS vulnerability with the num POST parameter
+ Forcibly cast value to integer. CVE-2021-46709
+Author: Nicholas Guriev <guriev-ns@ya.ru>
+Last-Update: Sat, 19 Mar 2022 09:35:27 +0300
+
+--- a/index.php
++++ b/index.php
+@@ -2512,7 +2512,7 @@ if(isset($_GET['action']) && !isset($_GE
+ 			echo "<form action='?table=".urlencode($target_table)."&amp;action=row_create&amp;confirm=1' method='post'>";
+ 			echo $token_html;
+ 			if(isset($_POST['num']))
+-				$num = $_POST['num'];
++				$num = (int)$_POST['num'];
+ 			else
+ 				$num = 1;
+ 			echo "<input type='hidden' name='numRows' value='".$num."'/>";
diff -Nru phpliteadmin-1.9.7.1/debian/patches/series phpliteadmin-1.9.7.1/debian/patches/series
--- phpliteadmin-1.9.7.1/debian/patches/series	2018-05-17 20:25:20.000000000 +0300
+++ phpliteadmin-1.9.7.1/debian/patches/series	2022-03-19 09:35:27.000000000 +0300
@@ -1,3 +1,4 @@
 Remove-spontaneous-access-to-Internet.patch
 Remove-using-build-date.patch
 Fix-authentication-bypass.patch
+Fix-post-num-XSS.patch

Attachment: signature.asc
Description: This is a digitally signed message part

--- End Message ---

--- Begin Message ---

To: 959469-done@bugs.debian.org, 985063-done@bugs.debian.org, 987376-done@bugs.debian.org, 992546-done@bugs.debian.org, 992613-done@bugs.debian.org, 995748-done@bugs.debian.org, 996023-done@bugs.debian.org, 996024-done@bugs.debian.org, 996600-done@bugs.debian.org, 996624-done@bugs.debian.org, 996695-done@bugs.debian.org, 996929-done@bugs.debian.org, 996997-done@bugs.debian.org, 997079-done@bugs.debian.org, 998042-done@bugs.debian.org, 998248-done@bugs.debian.org, 998344-done@bugs.debian.org, 1000218-done@bugs.debian.org, 1000341-done@bugs.debian.org, 1000386-done@bugs.debian.org, 1000408-done@bugs.debian.org, 1000473-done@bugs.debian.org, 1000479-done@bugs.debian.org, 1000480-done@bugs.debian.org, 1000486-done@bugs.debian.org, 1000608-done@bugs.debian.org, 1001043-done@bugs.debian.org, 1001149-done@bugs.debian.org, 1001280-done@bugs.debian.org, 1001454-done@bugs.debian.org, 1001556-done@bugs.debian.org, 1001749-done@bugs.debian.org, 1001752-done@bugs.debian.org, 1002297-done@bugs.debian.org, 1002298-done@bugs.debian.org, 1002740-done@bugs.debian.org, 1002912-done@bugs.debian.org, 1003795-done@bugs.debian.org, 1003825-done@bugs.debian.org, 1003826-done@bugs.debian.org, 1003827-done@bugs.debian.org, 1003841-done@bugs.debian.org, 1003842-done@bugs.debian.org, 1004049-done@bugs.debian.org, 1004055-done@bugs.debian.org, 1004056-done@bugs.debian.org, 1004249-done@bugs.debian.org, 1004261-done@bugs.debian.org, 1004265-done@bugs.debian.org, 1004267-done@bugs.debian.org, 1004268-done@bugs.debian.org, 1005000-done@bugs.debian.org, 1005218-done@bugs.debian.org, 1005233-done@bugs.debian.org, 1005353-done@bugs.debian.org, 1005374-done@bugs.debian.org, 1006377-done@bugs.debian.org, 1006417-done@bugs.debian.org, 1006494-done@bugs.debian.org, 1006525-done@bugs.debian.org, 1007745-done@bugs.debian.org, 1007746-done@bugs.debian.org, 1007879-done@bugs.debian.org, 1007938-done@bugs.debian.org, 1007948-done@bugs.debian.org, 1007964-done@bugs.debian.org, 1008030-done@bugs.debian.org, 1008072-done@bugs.debian.org, 1006142-done@bugs.debian.org

Subject: Closing requests for updates in 10.12

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 26 Mar 2022 12:02:22 +0000

Message-id: <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.12

Hi,

The updates referenced in these requests were included in oldstable as
part of today's 10.12 point release.

Regards,

Adam
--- End Message ---

Reply to:

References:
- Bug#1007948: buster-pu: package phpliteadmin/1.9.7.1-2+deb10u1
  - From: Nicholas Guriev <nicholas@guriev.su>

Prev by Date: Bug#1007746: marked as done (buster-pu: package glibc/2.28-10+deb10u1)
Next by Date: Bug#1007964: marked as done (buster-pu: package libdatetime-timezone-perl/1:2.23-1+2022a)
Previous by thread: Processed: phpliteadmin 1.9.7.1-2+deb10u1 flagged for acceptance
Next by thread: Bug#1007950: bullseye-pu: package tinyssh/20190101-1
Index(es):
- Date
- Thread