[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1116015: marked as done (bookworm-pu: package libphp-adodb/5.21.4-1+deb12u2)

Your message dated Sat, 10 Jan 2026 11:59:45 +0000
with message-id <E1veXdB-00000004SJS-49jZ@coccia.debian.org>
and subject line Released with 12.13
has caused the Debian Bug report #1116015,
regarding bookworm-pu: package libphp-adodb/5.21.4-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1116015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116015
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libphp-adodb@packages.debian.org
Control: affects -1 + src:libphp-adodb

please approve the upload of package libphp-adodb to bookworm
to fix security issue. CVE-2025-54119

[ Reason ]

There is a SQL injection vulnerability in the sqlite3 driver.

[ Impact ]
Impacts the use of sqlite3 driver where SQL injection possible in
metaColumns(), metaForeignKeys() or metaIndexes() methods.

[ Tests ]
No tests in package. But The patch is backported from upstream without
any fuzzs.

[ Risks ]
Unlikely. Since backported from upstream with zero fuzz.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

--abhijith

diff -Nru libphp-adodb-5.21.4/debian/changelog libphp-adodb-5.21.4/debian/changelog
--- libphp-adodb-5.21.4/debian/changelog	2025-05-07 03:09:03.000000000 +0530
+++ libphp-adodb-5.21.4/debian/changelog	2025-09-17 13:32:21.000000000 +0530
@@ -1,3 +1,10 @@
+libphp-adodb (5.21.4-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-54119: SQL injection in sqlite3 driver (Closes: #1110464)
+
+ -- Abhijith PA <abhijith@debian.org>  Wed, 17 Sep 2025 13:32:21 +0530
+
 libphp-adodb (5.21.4-1+deb12u1) bookworm; urgency=high
 
   * Non-maintainer upload.
diff -Nru libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch
--- libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch	1970-01-01 05:30:00.000000000 +0530
+++ libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch	2025-09-17 13:28:24.000000000 +0530
@@ -0,0 +1,87 @@
+From 5b8bd52cdcffefb4ecded1b399c98cfa516afe03 Mon Sep 17 00:00:00 2001
+From: Damien Regad <dregad@mantisbt.org>
+Date: Sat, 19 Jul 2025 18:37:59 +0200
+Subject: [PATCH] Prevent SQL injection in sqlite3 driver
+
+Use query parameters instead of injecting the table name in the SQL, in
+the following methods:
+- metaColumns()
+- metaForeignKeys()
+- metaIndexes()
+
+Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.
+
+Fixes #1083, CVE-2025-54119, GHSA-vf2r-cxg9-p7rf
+---
+ drivers/adodb-sqlite3.inc.php | 37 ++++++++++++++---------------------
+ 1 file changed, 15 insertions(+), 22 deletions(-)
+
+--- a/drivers/adodb-sqlite3.inc.php
++++ b/drivers/adodb-sqlite3.inc.php
+@@ -160,7 +160,9 @@ class ADODB_sqlite3 extends ADOConnectio
+ 		if ($this->fetchMode !== false) {
+ 			$savem = $this->SetFetchMode(false);
+ 		}
+-		$rs = $this->Execute("PRAGMA table_info('$table')");
++
++		$rs = $this->execute("PRAGMA table_info(?)", array($table));
++
+ 		if (isset($savem)) {
+ 			$this->SetFetchMode($savem);
+ 		}
+@@ -214,9 +216,8 @@ class ADODB_sqlite3 extends ADOConnectio
+ 			          )
+ 				WHERE type != 'meta'
+ 				  AND sql NOTNULL
+-		          AND LOWER(name) ='" . strtolower($table) . "'";
+-
+-		$tableSql = $this->getOne($sql);
++		          AND LOWER(name) = ?";
++		$tableSql = $this->getOne($sql, [strtolower($table)]);
+ 
+ 		$fkeyList = array();
+ 		$ylist = preg_split("/,+/",$tableSql);
+@@ -433,6 +434,7 @@ class ADODB_sqlite3 extends ADOConnectio
+ 			$savem = $this->SetFetchMode(FALSE);
+ 		}
+ 
++		$table = strtolower($table);
+ 		$pragmaData = array();
+ 
+ 		/*
+@@ -441,26 +443,17 @@ class ADODB_sqlite3 extends ADOConnectio
+ 		*/
+ 		if ($primary)
+ 		{
+-			$sql = sprintf('PRAGMA table_info([%s]);',
+-						   strtolower($table)
+-						   );
+-			$pragmaData = $this->getAll($sql);
++			$sql = 'PRAGMA table_info(?)';
++			$pragmaData = $this->getAll($sql, [$table]);
+ 		}
+ 
+-		/*
+-		* Exclude the empty entry for the primary index
+-		*/
+-		$sqlite = "SELECT name,sql
+-					 FROM sqlite_master
+-					WHERE type='index'
+-					  AND sql IS NOT NULL
+-					  AND LOWER(tbl_name)='%s'";
+-
+-		$SQL = sprintf($sqlite,
+-				     strtolower($table)
+-					 );
+-
+-		$rs = $this->execute($SQL);
++		// Exclude the empty entry for the primary index
++		$sql = "SELECT name,sql
++				FROM sqlite_master
++				WHERE type='index'
++				  AND sql IS NOT NULL
++				  AND LOWER(tbl_name)=?";
++		$rs = $this->execute($sql, [$table]);
+ 
+ 		if (!is_object($rs)) {
+ 			if (isset($savem)) {
diff -Nru libphp-adodb-5.21.4/debian/patches/series libphp-adodb-5.21.4/debian/patches/series
--- libphp-adodb-5.21.4/debian/patches/series	2025-05-07 03:09:03.000000000 +0530
+++ libphp-adodb-5.21.4/debian/patches/series	2025-09-17 11:56:11.000000000 +0530
@@ -1 +1,2 @@
 00-fix-sec-pgsql-sql-injection.patch
+CVE-2025-54119.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org\nVersion: 12.13\n\nThis update has been released as part of Debian 12.13.

--- End Message ---
Reply to: