Control: tags -1 - moreinfo
Control: retitle -1 jessie-pu: package libphp-adodb/5.15-1+deb8u1

On Monday 31 October 2016 21:48:15 Adam D. Barratt wrote:
> (...) an upload to jessie needs to be built in a _jessie_ environment.

Ok. Will do.
> +libphp-adodb (5.15-1+deb8u1) jessie; urgency=medium
> +
> +  * Upload to jessie.
> +
> + -- Jean-Michel Vourgère <nir...@debian.org>  Sun, 11 Sep 2016 16:13:54
> +0200 +
> +libphp-adodb (5.15-1+deb7u1) wheezy; urgency=medium
> +
> +  * Cherry pick of upstream patches:
> +    - d/patch/pdo-qstr-sql-injection. Closes: #837211
> +    - d/patch/cve-2016-4855. Closes: #837418
> 
> That's an unusual way of forming the changelog. Why not simply a 5.15-1
> +deb8u1 stanza listing the changes, on top of 5.15-1? In fact, given
> that the +deb7u1 stanza doesn't match what actually got uploaded to
> wheezy-security, please drop it.

Ok.

Here's a new debdiff.
Please note that #837211 finally got its own CVE number.

Is that ok to upload, now, please?

diff -Nru libphp-adodb-5.15/debian/changelog libphp-adodb-5.15/debian/changelog
--- libphp-adodb-5.15/debian/changelog	2012-02-27 04:43:29.000000000 +0100
+++ libphp-adodb-5.15/debian/changelog	2016-11-07 16:28:04.000000000 +0100
@@ -1,3 +1,11 @@
+libphp-adodb (5.15-1+deb8u1) jessie; urgency=high
+
+  * Cherry pick of upstream patches:
+    - d/patch/cve-2016-7405. Closes: #837211
+    - d/patch/cve-2016-4855. Closes: #837418
+
+ -- Jean-Michel Vourgère <nir...@debian.org>  Mon, 07 Nov 2016 16:26:52 +0100
+
 libphp-adodb (5.15-1) unstable; urgency=low
 
   * New upstream release
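Review bot: the two bullets reference `d/patch/...`, but the files are added under `debian/patches/` (the directory quilt reads), so the changelog should say `d/patches/cve-2016-7405` and `d/patches/cve-2016-4855`. It would also help the security tracker and anyone reading `apt-get changelog` if each bullet named the issue in words rather than only the patch file name, e.g. `- d/patches/cve-2016-7405: PDO driver qstr() quoting allowed SQL injection. Closes: #837211` and `- d/patches/cve-2016-4855: XSS via unchecked GET parameters in tests/test.php. Closes: #837418`. `urgency=high` is appropriate since both entries are security fixes.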
diff -Nru libphp-adodb-5.15/debian/patches/cve-2016-4855 libphp-adodb-5.15/debian/patches/cve-2016-4855
--- libphp-adodb-5.15/debian/patches/cve-2016-4855	1970-01-01 01:00:00.000000000 +0100
+++ libphp-adodb-5.15/debian/patches/cve-2016-4855	2016-11-07 16:09:04.000000000 +0100
@@ -0,0 +1,36 @@
+Description: CVE-2016-4855: XSS vulnerability in old test script
+ This issue was reported by JPCERT Coordination Center (JPCERT/CC) with
+ reference JVN#48237713.
+ .
+ The root cause is a foreach loop processing all GET parameters and
+ blindly assigning them to variables, allowing an attacker to
+ replace contents of global variables.
+ .
+ This limits variable processing using a regex matching those used in
+ testdatabases.inc.php (i.e. beginning with 'test' or 'no').
+ .
+ Debian is not dirrectly affected by this, since test.php is only
+ shipped in /usr/share/doc/libphp-adodb/examples/.
+Author: Damien Regad <dre...@mantisbt.org>
+Origin: upstream, https://github.com/ADOdb/ADOdb/commit/ecb93d8c1
+Bug: https://github.com/ADOdb/ADOdb/issues/274
+Bug-Debian: https://bugs.debian.org/837418
+Reviewed-By: Jean-Michel Vourgère <nir...@debian.org>
+Last-Update: 2016-10-11
+
+--- libphp-adodb-5.12.orig/tests/test.php
++++ libphp-adodb-5.12/tests/test.php
+@@ -1714,8 +1714,11 @@ if (sizeof($_GET) == 0) $testmysql = tru
+ 
+ 
+ foreach($_GET as $k=>$v)  {
+-	//global $$k;
+-	$$k = $v;
++	// XSS protection (see Github issue #274) - only set variables for
++	// expected get parameters used in testdatabases.inc.php
++	if(preg_match('/^(test|no)\w+$/', $k)) {
++		$$k = $v;
++	}
+ }	
+ 
+ ?>
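Review bot: typo in the Description, `dirrectly` should be `directly`. On the fix itself, the allow-list `preg_match('/^(test|no)\w+$/', $k)` still lets any GET parameter whose name begins with `test` or `no` overwrite a same-named variable, so the protection is only as tight as the set of variables testdatabases.inc.php actually defines; that is acceptable for a test script shipped solely under /usr/share/doc/libphp-adodb/examples/, as the header states, but it is worth saying so in the Description so nobody mistakes this for a general hardening of test.php. Also, the nested hunk is against `libphp-adodb-5.12.orig/tests/test.php` while this package is 5.15; please confirm it applies without fuzz or offset, since the 5.15 test.php may differ from the 5.12 one.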
diff -Nru libphp-adodb-5.15/debian/patches/cve-2016-7405 libphp-adodb-5.15/debian/patches/cve-2016-7405
--- libphp-adodb-5.15/debian/patches/cve-2016-7405	1970-01-01 01:00:00.000000000 +0100
+++ libphp-adodb-5.15/debian/patches/cve-2016-7405	2016-11-07 16:09:04.000000000 +0100
@@ -0,0 +1,49 @@
+Description: PDO: fix incorrect quoting allowing SQL injection
+ The PDO driver was relying on ADOConnection::qstr() for quoting strings.
+ An application relying on qstr() to manually prepare SQL statements
+ rather than using parameterized queries may be vulnerable to SQL
+ injection attacks, as demonstrated by @jdavidlists.
+ .
+ This commit delegates string quoting to PDO::quote() when a connection
+ is available. If not, it simply replaces single quotes by the value of
+ $replaceQuote property.
+Author: Damien Regad <dre...@mantisbt.org>
+Origin: upstream, https://github.com/ADOdb/ADOdb/commit/bd9eca9f40220f9918ec3cc7ae9ef422b3e448b8
+Bug: https://github.com/ADOdb/ADOdb/issues/226
+Bug-Debian: https://bugs.debian.org/837211
+Reviewed-By: Jean-Michel Vourgère <nir...@debian.org>
+Last-Update: 2016-09-10
+
+--- libphp-adodb-5.20.6.orig/drivers/adodb-pdo.inc.php
++++ libphp-adodb-5.20.6/drivers/adodb-pdo.inc.php
+@@ -518,6 +518,30 @@ class ADODB_pdo extends ADOConnection {
+ 	{
+ 		return ($this->_connectionID) ? $this->_connectionID->lastInsertId() : 0;
+ 	}
++
++	/**
++	 * Quotes a string to be sent to the database.
++	 * If we have an active connection, delegates quoting to the underlying
++	 * PDO object. Otherwise, replace "'" by the value of $replaceQuote (same
++	 * behavior as mysqli driver)
++	 * @param string  $s            The string to quote
++	 * @param boolean $magic_quotes If false, use PDO::quote().
++	 * @return string Quoted string
++	 */
++	function qstr($s, $magic_quotes = false)
++	{
++		if (!$magic_quotes) {
++			if ($this->_connectionID) {
++				return $this->_connectionID->quote($s);
++			}
++			return "'" . str_replace("'", $this->replaceQuote, $s) . "'";
++		}
++
++		// undo magic quotes for "
++		$s = str_replace('\\"', '"', $s);
++		return "'$s'";
++	}
++
+ }
+ 
+ class ADODB_pdo_base extends ADODB_pdo {
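Review bot: the no-connection fallback `return "'" . str_replace("'", $this->replaceQuote, $s) . "'";` only rewrites single quotes; backslashes and NUL bytes in `$s` pass through untouched, which is not a complete escape for backends where backslash is itself an escape character (the mysqli behaviour the docblock invokes). The fallback is rarely reached because a PDO connection is normally present, but rather than re-implementing quoting here consider delegating to the base class, e.g. `return parent::qstr($s, $magic_quotes);`, so the PDO driver inherits whatever escaping ADOConnection already performs. The `$magic_quotes = true` branch returns `"'$s'"` after only undoing `\"`, i.e. no quoting at all; with magic_quotes_gpc gone since PHP 5.4 (jessie ships PHP 5.6) no caller should be passing true, so a comment stating that this branch must never be used for untrusted input would help the next reader. Finally, the hunk header names `libphp-adodb-5.20.6/drivers/adodb-pdo.inc.php` while the package is 5.15; please confirm it applies cleanly and that `$this->replaceQuote` is set for the PDO driver in 5.15.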
diff -Nru libphp-adodb-5.15/debian/patches/series libphp-adodb-5.15/debian/patches/series
--- libphp-adodb-5.15/debian/patches/series	2010-03-21 09:12:16.000000000 +0100
+++ libphp-adodb-5.15/debian/patches/series	2016-11-07 16:25:52.000000000 +0100
@@ -1 +1,3 @@
 01_fix_broken_html_doc_links
+cve-2016-7405
+cve-2016-4855
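Review bot: both patches carry hunks generated against other upstream versions (5.12 for cve-2016-4855, 5.20.6 for cve-2016-7405) rather than the 5.15 source they are applied to, so please include the `quilt push -a` (or dpkg-source) output from the jessie build showing that both apply without fuzz or offsets. Ordering in series is fine as the two patches touch different files (tests/test.php and drivers/adodb-pdo.inc.php).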
