[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1104821: marked as done (bookworm-pu: package libphp-adobd/5.21.4-1+deb12u1)

Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1104821,
regarding bookworm-pu: package libphp-adobd/5.21.4-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1104821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104821
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libphp-adodb@packages.debian.org, jmv_deb@nirgal.com,
nirgal@debian.org, camrdale@gmail.com, leandrocunha016@gmail.com
User: release.debian.org@packages.debian.org
Usertags: pu

Version 5.21.4-0.1+deb12u1 has a patch that fixes the CVE with
critical severity 10/10, defined as CVE-2025-46337. Reported in bug
#1104548 (severity: serious (RC bug)).

[ Reason ]
ADOdb is a PHP database class library that provides abstractions for
performing queries and managing databases. Prior to version 5.22.9,
improper escaping of a query parameter may allow an attacker to
execute arbitrary SQL statements when the code using ADOdb connects to
a PostgreSQL database and calls pg_insert_id() with user-supplied
data. This issue has been patched in version 5.22.9. This as mentioned
in the bug above.
But the patch is introduced in version 5.21.4-0.1+deb12u1 which fixes
this vulnerability with a NMU.

[ Impact ]
No negative impact, but positive in view of the improvement presented
in the code that resolves a serious vulnerability.

[ Tests ]
Everything from Salsa CI running on my fork. In addition to
reproducing the library in question using a package that is a
dependency, such as phppgadmin.
It is needed in data manipulation as can be seen in
https://github.com/phppgadmin/phppgadmin/issues/162.

[ Risks ]
No imminent risk was detected during the analyses.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
It only adds the patch that fixes the security flaw that is provided
by the upstream itself.
All information is contained in
https://github.com/ADOdb/ADOdb/security/advisories/GHSA-8x27-jwjr-8545.
But in this case, I extracted the patch and documented it as per DEP-3
(https://dep-team.pages.debian.net/deps/dep3/).

[ Other info ]
It will be sent via my fork, and only approved after reviews and so
the same thing with MR. Because I never committed changes to
bookworm-pu.
https://salsa.debian.org/leandrocunha/adodb/-/compare/master...bookworm?from_project_id=12752
https://salsa.debian.org/debian/adodb/-/merge_requests/5

The Debian Security Team, if they find this bug, can file an NMU on
your behalf using bookworm-security in the changelog.
But when I checked
https://security-tracker.debian.org/tracker/CVE-2025-46337, there was
no Debian Security Advisory for this package. But it is possible to do
that too.
An email was also sent to Salvatore (May 2nd), who is usually quite
busy, asking if he would do this, but so far no response has been
given.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGdTzVoBEADOhoTqLaOTfcJN2x7nNASOADc24NjmyBdxUwilTr4UzIPB9ojF
fcRSLz6Lg3n4p7Ff/yF35kk4iSGHyJ13YecNkAtVrZNG+5XaHvjRm38+6jeXZKyD
Ir8lp54ddJ4+rtZQ398TTKxjD7O0FiLCoDKkPoTYO4Qh0VJf6PXWMBmw6wxeXWP1
KS/xo2ttEXHVt6wyRVfRZN9Y/NPAfzonJ1dIM6C+prHlZQT+p7N/B9OM3HRXReHk
olxYRTbId3Qh1utt+TgqWdZJQW676d9q8/Z7D7VZiXBlopn5dyDeHo8q4vdeWk8P
EZDIOVSbOmXzt88vpfXFIpmIJzd0GX/oTDG913qdFqCY9HPr9dkfUBKFERcdxgI4
pYyWQ2YmOsN1by6x8YZYt+fzED+FXGVdof/d22cFJpPGiOHG3DwJxVaRQOXrbRHj
PiyR8bcAYASRe4AleWVXu86vTzMnRbAi/u83IMmwuKrqrfFP0J42ZAfyV9rOHADg
4UDCm3PKxIgezDJTm8DtiJcWPQRjocIO+nVX1crAXB2ymBfLXvTq0miyGC3UU3He
fIPE6azg4tMq1R5U3OckpnNUtyD5MqM/r0lLXUzIpRb/HjgtNnN6cCNrnAcUTDqJ
BatrVw7RciqVb78bAh/Fa1SJ6r2o57VrcKJ1bGXXCvhtvd+cwP7XtavXLQARAQAB
tI5MZWFuZHJvIGRhIEN1bmhhIERvbWluZ3VlcyAoRGVmYXVsdCBHUEcga2V5IHVu
dGlsIGV4cGlyYXRpb24gZGF0ZSBmb3Igc2lnbmluZyBwYWNrYWdlcywgY29tbWl0
cywgZW1haWxzIGFuZCB0YWdzLikgPGxlYW5kcm9jdW5oYTAxNkBnbWFpbC5jb20+
iQJUBBMBCgA+FiEEcZtClYXQUpbsa0pDNunpLuertXkFAmdTzVoCGwMFCQeEzgAF
CwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQNunpLuertXnZ1w/9G9wjWMc0Xyi0
OsVVcUuwLrPBH/VhUIrs3SRX4NzIXyYWWGZp+DvI9tP7trQ7MBiYE/YFgDkXpDLk
TIUU9XQ51n/A+zArOtM/JefSKqjE+FoWFVTQe/UirqyZG/ahuVqwY3LeEaBo6ldA
CQpsGhYlUn+4XzBC82CegE174SXcGYX+P9Uq8DK1KhXDvLQ/HrF8OZnQfUzY/+qz
5IWNSlSyiiw15aImcrHDFr2tRRqHdf2azRVdyQJOurrf5jXgy/MqDeLJDUzwPMo+
AmvIzscT/1sUzsHxultXMIQDht5gWZkD/JxDICDZGd5DhdVD+ASqmu9zk5LPTsm/
oFK9i3xLlkj1IOv03DeyMdWVEfeBr/hB9Sn2XQPI7ya5BmbHMdLlfWFRJvWFOGKg
2Oh5r14JRWHqFOm5sIJgEtWaNgmcXt+T6C+486l+lPjxR9gTGOZwfoSyGJeH+44n
s12sWjQefW//+F1sXp+oPWn7D4DRUs+IhWFzoOuhqixVRg8INoCURNFjRNq2vmVO
N22iayN9N6s2atPbQTYug1pUhU9cSpk/ZxuoBIM+GIDCGcUWBeugqBBp++bmmJVW
sTWff3WMSD7jg39EOBf+9FRAlgD55A9aGGFvNfbTjTgfqb/k57Jy3EvIL1BPpTkr
RT4zSub9NPeTiS7q4YJy7XfGbdclN6O5Ag0EZ1PNWgEQAK7Ygv9zl7vnNNAkfrdB
OthvPQP+wjlNlHEOU1RO2ZYceOLu16XMM6FI/VOkB5DYvQLC0i15YUxkuTZO+eUp
kZT63WCpg8WAjo1L7u+UUJxDAL8VrBJMP7UZonDbEnMk5RXK0vqTwVzOpBcEkevK
62bMY0Q5t6J/+3RqQW7ik4sAD1F0W0qYmXzxh4gMvKI7ugByXW/3GfG0MQuregB5
6zb/AvMPRz21wK3CgUTrZBY6qHBbdQ7CP5i+BYSrK40fTRipWsQLzGmwQ9QoFwF2
mgr3i3dC1Wjm7/FAoy/yK8tWMhhhkRi94B/EkXH4T9SANMilokZM4+OxxOSpjUat
pNDYFNxEz1yCtQmn4AJjawphriqCXva/r62eDFJkI9v2XOo2/VpiTdoAMvphu0OK
+mpE0XwyB8oN1xtZKDQef04yhg7GgxL807F1rWu/q4yK98OueJn29jYRbr0WwnMm
13b7TYie9yxjdNDstchXvQ9/O7fcLUGAo75gyEFnaKqE9rirB/e2UGRDNMrVyA9h
KnMJfJdsY/Wb42hixnnhD5p9Ae464inHpamtyyJrAexPUBURH1PLKu9Tj8vU15GU
OGoSCbYFrjIMNeIoZX7O6UHsL+EIPIfg/OGDTDuS8dEeaB8PPaVfPHePlb1qdTzx
TNGLGGUCcHREnzx7gI698tXzABEBAAGJAjwEGAEKACYWIQRxm0KVhdBSluxrSkM2
6eku56u1eQUCZ1PNWgIbDAUJB4TOAAAKCRA26eku56u1eSH5D/0SL9D6+3CuwM30
uMzbpfOK/4ASxo4nRvFgdRK7IpVGMzH3tipd3t4nDmcn/xnXcIeI8OWXA0LTLMG9
Fq/nODY4VOSSiYiB0bA2/6xOivGrWJKFlvUoZEM55yKqqgaMFieJaUaa7n/CKJHR
37k8CKjDkPTAGE8sHqBRXUnbrpBjr1R/z69dgOxCTENUySNu54Olj8lQ7BXHYABt
Os6G/b96maR3o2tFNgV4AV1YS5PsKbEBw9TuBNyudAkSIzpGWSwF2wqSpQge5e0F
e7wmGLesv4PAg0lntOEqT/HJudUzKc6p8Uzc5WTjSfiQuRxh5vc5+dpg0syBRb+p
CwXEUAN13eAVsYoRnFahY8cAMDVf08AUhc9WhCd45SEYgFFe5ucKJ1lfVHM7YyF5
gTAg3bZ+wtV2bwAkUHq6Ylcro1qnsOQfv3WA3aGi72whwCejpekYiw+mhl37yUp/
obe49flFrx9IKwU6eLPpSqjrtrOjsyu0yMo6MGJ9sP7GepMUbJ2sVbFdFhUZzSId
Ud4wBDk3oNiBdrXRfUfSGmx5B+PAjlzdG3ng7ME8kmsMKR/Fkg55zR1QAWWiWMR3
2n0phaKUe2Nqgk59wZUlBCOEuqpy8jvTGHKt8YmoFKjI5U7awsBav9V1iLcfmwbQ
flAYwMljzb9tvbAZvuK8QJBeAndcLg==
=JKeL
-----END PGP PUBLIC KEY BLOCK-----

diffstat for libphp-adodb-5.21.4 libphp-adodb-5.21.4

 changelog                                    |    7 +++++
 patches/00-fix-sec-pgsql-sql-injection.patch |   33 +++++++++++++++++++++++++++
 patches/series                               |    1 
 3 files changed, 41 insertions(+)

diff -Nru libphp-adodb-5.21.4/debian/changelog libphp-adodb-5.21.4/debian/changelog
--- libphp-adodb-5.21.4/debian/changelog	2022-03-12 11:11:01.000000000 -0300
+++ libphp-adodb-5.21.4/debian/changelog	2025-05-03 16:43:52.000000000 -0300
@@ -1,3 +1,10 @@
+libphp-adodb (5.21.4-0.1+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload.
+    + Fix SQL injection in pg_insert_id(). (Closes: #1104548, CVE-2025-46337)
+
+ -- Leandro Cunha <leandrocunha016@gmail.com>  Sat, 03 May 2025 16:43:52 -0300
+
 libphp-adodb (5.21.4-1) unstable; urgency=medium
 
   * New upstream release. (Closes: #1004376)
diff -Nru libphp-adodb-5.21.4/debian/patches/00-fix-sec-pgsql-sql-injection.patch libphp-adodb-5.21.4/debian/patches/00-fix-sec-pgsql-sql-injection.patch
--- libphp-adodb-5.21.4/debian/patches/00-fix-sec-pgsql-sql-injection.patch	1969-12-31 21:00:00.000000000 -0300
+++ libphp-adodb-5.21.4/debian/patches/00-fix-sec-pgsql-sql-injection.patch	2025-05-03 16:43:52.000000000 -0300
@@ -0,0 +1,33 @@
+Description: Fix SQL injection in pg_insert_id()
+ Properly escape the $tablename and $fieldname parameters used to build
+ the sequence name.
+Forwarded: https://github.com/ADOdb/ADOdb/issues/1070
+Origin: https://github.com/ADOdb/ADOdb/commit/0774134f3311779495d16f74a35c872e353708c6.patch
+Bug-Debian: https://bugs.debian.org/1104548
+Author: Damien Regad <dregad@mantisbt.org>
+
+From 11107d6d6e5160b62e05dff8a3a2678cf0e3a426 Mon Sep 17 00:00:00 2001
+From: Damien Regad <dregad@mantisbt.org>
+Date: Sat, 26 Apr 2025 17:45:53 +0200
+Subject: [PATCH 1/2] Fix SQL injection in pg_insert_id()
+
+Properly escape the $tablename and $fieldname parameters used to build
+the sequence name.
+---
+ drivers/adodb-postgres64.inc.php | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php
+index b1d161d7c..5cbe77ed2 100644
+--- a/drivers/adodb-postgres64.inc.php
++++ b/drivers/adodb-postgres64.inc.php
+@@ -138,7 +138,8 @@ function IfNull( $field, $ifNull )
+ 	// get the last id - never tested
+ 	function pg_insert_id($tablename,$fieldname)
+ 	{
+-		$result=pg_query($this->_connectionID, 'SELECT last_value FROM '. $tablename .'_'. $fieldname .'_seq');
++		$sequence = pg_escape_identifier($this->_connectionID, $tablename .'_'. $fieldname .'_seq');
++		$result = pg_query($this->_connectionID, 'SELECT last_value FROM '. $sequence);
+ 		if ($result) {
+ 			$arr = @pg_fetch_row($result,0);
+ 			pg_free_result($result);
diff -Nru libphp-adodb-5.21.4/debian/patches/series libphp-adodb-5.21.4/debian/patches/series
--- libphp-adodb-5.21.4/debian/patches/series	1969-12-31 21:00:00.000000000 -0300
+++ libphp-adodb-5.21.4/debian/patches/series	2025-05-03 16:43:52.000000000 -0300
@@ -0,0 +1 @@
+00-fix-sec-pgsql-sql-injection.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
Reply to: