Bug#1116017: trixie-pu: package libphp-adodb/5.22.9-0.1+deb13u1

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 1116017@bugs.debian.org
Subject: Bug#1116017: trixie-pu: package libphp-adodb/5.22.9-0.1+deb13u1
From: Abhijith PA <abhijith@debian.org>
Date: Mon, 3 Nov 2025 13:08:23 +0530
Message-id: <[🔎] aQhb7z7R2JggAFJT@debian.org>
Reply-to: Abhijith PA <abhijith@debian.org>, 1116017@bugs.debian.org
In-reply-to: <[🔎] 7d0b5fa9562a4e7820e563628753a2cc8a606a23.camel@adam-barratt.org.uk>
References: <175861369143.83930.7209644205771399685.reportbug@Adebian> <175861369143.83930.7209644205771399685.reportbug@Adebian> <[🔎] 7d0b5fa9562a4e7820e563628753a2cc8a606a23.camel@adam-barratt.org.uk> <175861369143.83930.7209644205771399685.reportbug@Adebian>

Hi,

There was a discussion internally with Debian security team, LTS team
member rouca and Damien Regad and concluded that along with sqlite3,
sqlite driver is also vulnerable.

I have fixed that and refreshed the debdiff. I am removing confirmed
tag for this bug report to re-review.

Please see
http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_5.20
+.19-1+deb11u3.dsc

--abhijith

diff -Nru libphp-adodb-5.22.9/debian/changelog libphp-adodb-5.22.9/debian/changelog
--- libphp-adodb-5.22.9/debian/changelog	2025-05-02 19:18:03.000000000 +0530
+++ libphp-adodb-5.22.9/debian/changelog	2025-09-23 12:44:45.000000000 +0530
@@ -1,3 +1,10 @@
+libphp-adodb (5.22.9-0.1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-54119: SQL injection in sqlite3 driver (Closes: #1110464)
+
+ -- Abhijith PA <abhijith@debian.org>  Tue, 23 Sep 2025 12:44:45 +0530
+
 libphp-adodb (5.22.9-0.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru libphp-adodb-5.22.9/debian/patches/CVE-2025-54119-2.patch libphp-adodb-5.22.9/debian/patches/CVE-2025-54119-2.patch
--- libphp-adodb-5.22.9/debian/patches/CVE-2025-54119-2.patch	1970-01-01 05:30:00.000000000 +0530
+++ libphp-adodb-5.22.9/debian/patches/CVE-2025-54119-2.patch	2025-09-23 12:44:45.000000000 +0530
@@ -0,0 +1,47 @@
+From 5b8bd52cdcffefb4ecded1b399c98cfa516afe03 Mon Sep 17 00:00:00 2001
+From: Damien Regad <dregad@mantisbt.org>
+Date: Sat, 19 Jul 2025 18:37:59 +0200
+Subject: [PATCH] Prevent SQL injection in sqlite3 driver
+
+Use query parameters instead of injecting the table name in the SQL, in
+the following methods:
+- metaColumns()
+- metaForeignKeys()
+- metaIndexes()
+
+Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.
+
+Fixes #1083, CVE-2025-54119, GHSA-vf2r-cxg9-p7rf
+---
+--- a/drivers/adodb-sqlite.inc.php
++++ b/drivers/adodb-sqlite.inc.php
+@@ -95,7 +95,9 @@ class ADODB_sqlite extends ADOConnection
+ 		if ($this->fetchMode !== false) {
+ 			$savem = $this->SetFetchMode(false);
+ 		}
+-		$rs = $this->Execute("PRAGMA table_info('$table')");
++
++		$rs = $this->execute("PRAGMA table_info(?)", array($table));
++
+ 		if (isset($savem)) {
+ 			$this->SetFetchMode($savem);
+ 		}
+@@ -167,7 +169,6 @@ class ADODB_sqlite extends ADOConnection
+ 		return ($col) ? "adodb_date2($fmt,$col)" : "adodb_date($fmt)";
+ 	}
+ 
+-
+ 	function _createFunctions()
+ 	{
+ 		@sqlite_create_function($this->_connectionID, 'adodb_date', 'adodb_date', 1);
+@@ -318,8 +319,8 @@ class ADODB_sqlite extends ADOConnection
+ 		if ($this->fetchMode !== FALSE) {
+ 			$savem = $this->SetFetchMode(FALSE);
+ 		}
+-		$SQL=sprintf("SELECT name,sql FROM sqlite_master WHERE type='index' AND tbl_name='%s'", strtolower($table));
+-		$rs = $this->Execute($SQL);
++		$SQL="SELECT name,sql FROM sqlite_master WHERE type='index' AND tbl_name=?";
++		$rs = $this->Execute($SQL,[strtolower($table)]);
+ 		if (!is_object($rs)) {
+ 			if (isset($savem)) {
+ 				$this->SetFetchMode($savem);
diff -Nru libphp-adodb-5.22.9/debian/patches/CVE-2025-54119.patch libphp-adodb-5.22.9/debian/patches/CVE-2025-54119.patch
--- libphp-adodb-5.22.9/debian/patches/CVE-2025-54119.patch	1970-01-01 05:30:00.000000000 +0530
+++ libphp-adodb-5.22.9/debian/patches/CVE-2025-54119.patch	2025-09-23 12:44:45.000000000 +0530
@@ -0,0 +1,89 @@
+From 5b8bd52cdcffefb4ecded1b399c98cfa516afe03 Mon Sep 17 00:00:00 2001
+From: Damien Regad <dregad@mantisbt.org>
+Date: Sat, 19 Jul 2025 18:37:59 +0200
+Subject: [PATCH] Prevent SQL injection in sqlite3 driver
+
+Use query parameters instead of injecting the table name in the SQL, in
+the following methods:
+- metaColumns()
+- metaForeignKeys()
+- metaIndexes()
+
+Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.
+
+Fixes #1083, CVE-2025-54119, GHSA-vf2r-cxg9-p7rf
+---
+ drivers/adodb-sqlite3.inc.php | 37 ++++++++++++++---------------------
+ 1 file changed, 15 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/adodb-sqlite3.inc.php b/drivers/adodb-sqlite3.inc.php
+index 7e5f5ffdc..564eec958 100644
+--- a/drivers/adodb-sqlite3.inc.php
++++ b/drivers/adodb-sqlite3.inc.php
+@@ -168,7 +168,9 @@ function MetaColumns($table, $normalize=true)
+ 		if ($this->fetchMode !== false) {
+ 			$savem = $this->SetFetchMode(false);
+ 		}
+-		$rs = $this->Execute("PRAGMA table_info('$table')");
++
++		$rs = $this->execute("PRAGMA table_info(?)", array($table));
++
+ 		if (isset($savem)) {
+ 			$this->SetFetchMode($savem);
+ 		}
+@@ -222,9 +224,8 @@ public function metaForeignKeys($table, $owner = '', $upper =  false, $associati
+ 			          )
+ 				WHERE type != 'meta'
+ 				  AND sql NOTNULL
+-				  AND LOWER(name) ='" . strtolower($table) . "'";
+-
+-		$tableSql = $this->getOne($sql);
++				  AND LOWER(name) = ?";
++		$tableSql = $this->getOne($sql, [strtolower($table)]);
+ 
+ 		$fkeyList = array();
+ 		$ylist = preg_split("/,+/",$tableSql);
+@@ -441,6 +442,7 @@ function metaIndexes($table, $primary = FALSE, $owner = false)
+ 			$savem = $this->SetFetchMode(FALSE);
+ 		}
+ 
++		$table = strtolower($table);
+ 		$pragmaData = array();
+ 
+ 		/*
+@@ -449,26 +451,17 @@ function metaIndexes($table, $primary = FALSE, $owner = false)
+ 		*/
+ 		if ($primary)
+ 		{
+-			$sql = sprintf('PRAGMA table_info([%s]);',
+-						   strtolower($table)
+-						   );
+-			$pragmaData = $this->getAll($sql);
++			$sql = 'PRAGMA table_info(?)';
++			$pragmaData = $this->getAll($sql, [$table]);
+ 		}
+ 
+-		/*
+-		* Exclude the empty entry for the primary index
+-		*/
+-		$sqlite = "SELECT name,sql
+-					 FROM sqlite_master
+-					WHERE type='index'
+-					  AND sql IS NOT NULL
+-					  AND LOWER(tbl_name)='%s'";
+-
+-		$SQL = sprintf($sqlite,
+-				     strtolower($table)
+-					 );
+-
+-		$rs = $this->execute($SQL);
++		// Exclude the empty entry for the primary index
++		$sql = "SELECT name,sql
++				FROM sqlite_master
++				WHERE type='index'
++				  AND sql IS NOT NULL
++				  AND LOWER(tbl_name)=?";
++		$rs = $this->execute($sql, [$table]);
+ 
+ 		if (!is_object($rs)) {
+ 			if (isset($savem)) {
diff -Nru libphp-adodb-5.22.9/debian/patches/series libphp-adodb-5.22.9/debian/patches/series
--- libphp-adodb-5.22.9/debian/patches/series	1970-01-01 05:30:00.000000000 +0530
+++ libphp-adodb-5.22.9/debian/patches/series	2025-09-23 12:44:45.000000000 +0530
@@ -0,0 +1,2 @@
+CVE-2025-54119.patch
+CVE-2025-54119-2.patch

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Bug#1116017: trixie-pu: package libphp-adodb/5.22.9-0.1+deb13u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- Bug#1116017: trixie-pu: package libphp-adodb/5.22.9-0.1+deb13u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Processed: Re: Bug#1119886: transition: libsecp256k1
Next by Date: Processed: tagging 1116017
Previous by thread: Processed: Re: Bug#1116017: trixie-pu: package libphp-adodb/5.22.9-0.1+deb13u1
Next by thread: Bug#1116017: trixie-pu: package libphp-adodb/5.22.9-0.1+deb13u1
Index(es):
- Date
- Thread