[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1116017: marked as done (trixie-pu: package libphp-adodb/5.22.9-0.1+deb13u1)

Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <E1veXWE-00000004RfT-2EUD@coccia.debian.org>
and subject line Released with 13.3
has caused the Debian Bug report #1116017,
regarding trixie-pu: package libphp-adodb/5.22.9-0.1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1116017: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116017
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: trixie
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libphp-adodb@packages.debian.org
Control: affects -1 + src:libphp-adodb

please approve the upload of package libphp-adodb to trixie
to fix security issue. CVE-2025-54119

[ Reason ]

There is a SQL injection vulnerability in the sqlite3 driver.

[ Impact ]
Impacts the use of sqlite3 driver where SQL injection possible in
metaColumns(), metaForeignKeys() or metaIndexes() methods.

[ Tests ]
No tests in package. But The patch is backported from upstream without
any fuzzs.

[ Risks ]
Unlikely. patch backported from v5.22.10. Just a point version above.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

--abhijith

diff -Nru libphp-adodb-5.22.9/debian/changelog libphp-adodb-5.22.9/debian/changelog
--- libphp-adodb-5.22.9/debian/changelog	2025-05-02 19:18:03.000000000 +0530
+++ libphp-adodb-5.22.9/debian/changelog	2025-09-23 12:44:45.000000000 +0530
@@ -1,3 +1,10 @@
+libphp-adodb (5.22.9-0.1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-54119: SQL injection in sqlite3 driver (Closes: #1110464)
+
+ -- Abhijith PA <abhijith@debian.org>  Tue, 23 Sep 2025 12:44:45 +0530
+
 libphp-adodb (5.22.9-0.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru libphp-adodb-5.22.9/debian/patches/CVE-2025-54119.patch libphp-adodb-5.22.9/debian/patches/CVE-2025-54119.patch
--- libphp-adodb-5.22.9/debian/patches/CVE-2025-54119.patch	1970-01-01 05:30:00.000000000 +0530
+++ libphp-adodb-5.22.9/debian/patches/CVE-2025-54119.patch	2025-09-23 12:44:45.000000000 +0530
@@ -0,0 +1,89 @@
+From 5b8bd52cdcffefb4ecded1b399c98cfa516afe03 Mon Sep 17 00:00:00 2001
+From: Damien Regad <dregad@mantisbt.org>
+Date: Sat, 19 Jul 2025 18:37:59 +0200
+Subject: [PATCH] Prevent SQL injection in sqlite3 driver
+
+Use query parameters instead of injecting the table name in the SQL, in
+the following methods:
+- metaColumns()
+- metaForeignKeys()
+- metaIndexes()
+
+Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.
+
+Fixes #1083, CVE-2025-54119, GHSA-vf2r-cxg9-p7rf
+---
+ drivers/adodb-sqlite3.inc.php | 37 ++++++++++++++---------------------
+ 1 file changed, 15 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/adodb-sqlite3.inc.php b/drivers/adodb-sqlite3.inc.php
+index 7e5f5ffdc..564eec958 100644
+--- a/drivers/adodb-sqlite3.inc.php
++++ b/drivers/adodb-sqlite3.inc.php
+@@ -168,7 +168,9 @@ function MetaColumns($table, $normalize=true)
+ 		if ($this->fetchMode !== false) {
+ 			$savem = $this->SetFetchMode(false);
+ 		}
+-		$rs = $this->Execute("PRAGMA table_info('$table')");
++
++		$rs = $this->execute("PRAGMA table_info(?)", array($table));
++
+ 		if (isset($savem)) {
+ 			$this->SetFetchMode($savem);
+ 		}
+@@ -222,9 +224,8 @@ public function metaForeignKeys($table, $owner = '', $upper =  false, $associati
+ 			          )
+ 				WHERE type != 'meta'
+ 				  AND sql NOTNULL
+-				  AND LOWER(name) ='" . strtolower($table) . "'";
+-
+-		$tableSql = $this->getOne($sql);
++				  AND LOWER(name) = ?";
++		$tableSql = $this->getOne($sql, [strtolower($table)]);
+ 
+ 		$fkeyList = array();
+ 		$ylist = preg_split("/,+/",$tableSql);
+@@ -441,6 +442,7 @@ function metaIndexes($table, $primary = FALSE, $owner = false)
+ 			$savem = $this->SetFetchMode(FALSE);
+ 		}
+ 
++		$table = strtolower($table);
+ 		$pragmaData = array();
+ 
+ 		/*
+@@ -449,26 +451,17 @@ function metaIndexes($table, $primary = FALSE, $owner = false)
+ 		*/
+ 		if ($primary)
+ 		{
+-			$sql = sprintf('PRAGMA table_info([%s]);',
+-						   strtolower($table)
+-						   );
+-			$pragmaData = $this->getAll($sql);
++			$sql = 'PRAGMA table_info(?)';
++			$pragmaData = $this->getAll($sql, [$table]);
+ 		}
+ 
+-		/*
+-		* Exclude the empty entry for the primary index
+-		*/
+-		$sqlite = "SELECT name,sql
+-					 FROM sqlite_master
+-					WHERE type='index'
+-					  AND sql IS NOT NULL
+-					  AND LOWER(tbl_name)='%s'";
+-
+-		$SQL = sprintf($sqlite,
+-				     strtolower($table)
+-					 );
+-
+-		$rs = $this->execute($SQL);
++		// Exclude the empty entry for the primary index
++		$sql = "SELECT name,sql
++				FROM sqlite_master
++				WHERE type='index'
++				  AND sql IS NOT NULL
++				  AND LOWER(tbl_name)=?";
++		$rs = $this->execute($sql, [$table]);
+ 
+ 		if (!is_object($rs)) {
+ 			if (isset($savem)) {
diff -Nru libphp-adodb-5.22.9/debian/patches/series libphp-adodb-5.22.9/debian/patches/series
--- libphp-adodb-5.22.9/debian/patches/series	1970-01-01 05:30:00.000000000 +0530
+++ libphp-adodb-5.22.9/debian/patches/series	2025-09-23 12:44:45.000000000 +0530
@@ -0,0 +1 @@
+CVE-2025-54119.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org\nVersion: 13.3\n\nThis update has been released as part of Debian 13.3.

--- End Message ---
Reply to: