Hi,

After an internal discussion with the Debian security team, LTS team
member rouca and Damien Regad, we concluded that the sqlite driver is
vulnerable as well, not only sqlite3.

I have fixed that and refreshed the debdiff.

Please see
http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_5.20.19-1+deb11u3.dsc

--abhijith


diff -Nru libphp-adodb-5.21.4/debian/changelog 
libphp-adodb-5.21.4/debian/changelog
--- libphp-adodb-5.21.4/debian/changelog        2025-05-07 03:09:03.000000000 
+0530
+++ libphp-adodb-5.21.4/debian/changelog        2025-09-17 13:32:21.000000000 
+0530
@@ -1,3 +1,10 @@
+libphp-adodb (5.21.4-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-54119: SQL injection in sqlite3 driver (Closes: #1110464)
+
+ -- Abhijith PA <[email protected]>  Wed, 17 Sep 2025 13:32:21 +0530
+
 libphp-adodb (5.21.4-1+deb12u1) bookworm; urgency=high
 
   * Non-maintainer upload.
diff -Nru libphp-adodb-5.21.4/debian/patches/CVE-2025-54119-2.patch 
libphp-adodb-5.21.4/debian/patches/CVE-2025-54119-2.patch
--- libphp-adodb-5.21.4/debian/patches/CVE-2025-54119-2.patch   1970-01-01 
05:30:00.000000000 +0530
+++ libphp-adodb-5.21.4/debian/patches/CVE-2025-54119-2.patch   2025-09-17 
13:32:21.000000000 +0530
@@ -0,0 +1,47 @@
+From 5b8bd52cdcffefb4ecded1b399c98cfa516afe03 Mon Sep 17 00:00:00 2001
+From: Damien Regad <[email protected]>
+Date: Sat, 19 Jul 2025 18:37:59 +0200
+Subject: [PATCH] Prevent SQL injection in sqlite3 driver
+
+Use query parameters instead of injecting the table name in the SQL, in
+the following methods:
+- metaColumns()
+- metaForeignKeys()
+- metaIndexes()
+
+Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.
+
+Fixes #1083, CVE-2025-54119, GHSA-vf2r-cxg9-p7rf
+---
+--- a/drivers/adodb-sqlite.inc.php
++++ b/drivers/adodb-sqlite.inc.php
+@@ -95,7 +95,9 @@ class ADODB_sqlite extends ADOConnection
+               if ($this->fetchMode !== false) {
+                       $savem = $this->SetFetchMode(false);
+               }
+-              $rs = $this->Execute("PRAGMA table_info('$table')");
++
++              $rs = $this->execute("PRAGMA table_info(?)", array($table));
++
+               if (isset($savem)) {
+                       $this->SetFetchMode($savem);
+               }
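Review bot: `PRAGMA table_info(?)` depends on how execute() handles the parameter array, which this hunk does not show: as far as I know SQLite's PRAGMA grammar takes a name or literal as its argument, not a bound parameter, so the statement only works if the driver substitutes a quoted value before it reaches SQLite. In that case the fix rests on the driver's quoting routine rather than on true binding, which deserves a comment once confirmed, such as `// '?' is expanded by execute() via qstr(); PRAGMA cannot take a bound parameter`. A regression test that calls metaColumns() for an existing table and for a table name containing a quote character would settle it. The same construct is in the sqlite3 patch, in metaColumns() and in the `if ($primary)` branch of metaIndexes(); if that driver binds natively, `SELECT * FROM pragma_table_info(?)` is the form that accepts a parameter (SQLite 3.16+). The enclosing function here starts and ends outside the hunk.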
+@@ -167,7 +169,6 @@ class ADODB_sqlite extends ADOConnection
+               return ($col) ? "adodb_date2($fmt,$col)" : "adodb_date($fmt)";
+       }
+ 
+-
+       function _createFunctions()
+       {
+               @sqlite_create_function($this->_connectionID, 'adodb_date', 
'adodb_date', 1);
+@@ -319,8 +320,8 @@ class ADODB_sqlite extends ADOConnection
+               if ($this->fetchMode !== FALSE) {
+                       $savem = $this->SetFetchMode(FALSE);
+               }
+-              $SQL=sprintf("SELECT name,sql FROM sqlite_master WHERE 
type='index' AND tbl_name='%s'", strtolower($table));
+-              $rs = $this->Execute($SQL);
++              $SQL="SELECT name,sql FROM sqlite_master WHERE type='index' AND 
tbl_name=?";
++              $rs = $this->Execute($SQL,[strtolower($table)]);
+               if (!is_object($rs)) {
+                       if (isset($savem)) {
+                               $this->SetFetchMode($savem);
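Review bot: The header of this new patch file is a verbatim copy of the upstream sqlite3 commit (same `From 5b8bd52…` hash, `Subject: … sqlite3 driver`, and a method list that includes metaForeignKeys()), but the diff below it changes `drivers/adodb-sqlite.inc.php` and, as far as the visible hunks show, only two query sites. That presents what appears to be a Debian-side adaptation as an upstream commit, which gets in the way when someone later audits what was backported and from where. I would replace the header with DEP-3 fields, for example `Description: Prevent SQL injection in sqlite driver (CVE-2025-54119)` and `Origin: backport, <upstream-commit-URL>`. The changelog line should likewise name both drivers, since it currently reads `SQL injection in sqlite3 driver` only.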
diff -Nru libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch 
libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch
--- libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch     1970-01-01 
05:30:00.000000000 +0530
+++ libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch     2025-09-17 
13:28:24.000000000 +0530
@@ -0,0 +1,87 @@
+From 5b8bd52cdcffefb4ecded1b399c98cfa516afe03 Mon Sep 17 00:00:00 2001
+From: Damien Regad <[email protected]>
+Date: Sat, 19 Jul 2025 18:37:59 +0200
+Subject: [PATCH] Prevent SQL injection in sqlite3 driver
+
+Use query parameters instead of injecting the table name in the SQL, in
+the following methods:
+- metaColumns()
+- metaForeignKeys()
+- metaIndexes()
+
+Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.
+
+Fixes #1083, CVE-2025-54119, GHSA-vf2r-cxg9-p7rf
+---
+ drivers/adodb-sqlite3.inc.php | 37 ++++++++++++++---------------------
+ 1 file changed, 15 insertions(+), 22 deletions(-)
+
+--- a/drivers/adodb-sqlite3.inc.php
++++ b/drivers/adodb-sqlite3.inc.php
+@@ -160,7 +160,9 @@ class ADODB_sqlite3 extends ADOConnectio
+               if ($this->fetchMode !== false) {
+                       $savem = $this->SetFetchMode(false);
+               }
+-              $rs = $this->Execute("PRAGMA table_info('$table')");
++
++              $rs = $this->execute("PRAGMA table_info(?)", array($table));
++
+               if (isset($savem)) {
+                       $this->SetFetchMode($savem);
+               }
+@@ -214,9 +216,8 @@ class ADODB_sqlite3 extends ADOConnectio
+                                 )
+                               WHERE type != 'meta'
+                                 AND sql NOTNULL
+-                        AND LOWER(name) ='" . strtolower($table) . "'";
+-
+-              $tableSql = $this->getOne($sql);
++                        AND LOWER(name) = ?";
++              $tableSql = $this->getOne($sql, [strtolower($table)]);
+ 
+               $fkeyList = array();
+               $ylist = preg_split("/,+/",$tableSql);
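Review bot: `$tableSql` goes straight from getOne() into `preg_split()` with no check, so when the lowercased name matches no row in sqlite_master, or the query fails, the split runs on whatever getOne() returns for that case. This predates the change, but the lookup is being touched anyway, and a guard before the split, such as `if (!is_string($tableSql)) { return false; }`, would make the unknown-table path explicit. What metaForeignKeys() should return there is not visible in this hunk, so the value needs checking against the rest of the function, which starts and ends outside the hunk.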
+@@ -433,6 +434,7 @@ class ADODB_sqlite3 extends ADOConnectio
+                       $savem = $this->SetFetchMode(FALSE);
+               }
+ 
++              $table = strtolower($table);
+               $pragmaData = array();
+ 
+               /*
+@@ -441,26 +443,17 @@ class ADODB_sqlite3 extends ADOConnectio
+               */
+               if ($primary)
+               {
+-                      $sql = sprintf('PRAGMA table_info([%s]);',
+-                                                 strtolower($table)
+-                                                 );
+-                      $pragmaData = $this->getAll($sql);
++                      $sql = 'PRAGMA table_info(?)';
++                      $pragmaData = $this->getAll($sql, [$table]);
+               }
+ 
+-              /*
+-              * Exclude the empty entry for the primary index
+-              */
+-              $sqlite = "SELECT name,sql
+-                                       FROM sqlite_master
+-                                      WHERE type='index'
+-                                        AND sql IS NOT NULL
+-                                        AND LOWER(tbl_name)='%s'";
+-
+-              $SQL = sprintf($sqlite,
+-                                   strtolower($table)
+-                                       );
+-
+-              $rs = $this->execute($SQL);
++              // Exclude the empty entry for the primary index
++              $sql = "SELECT name,sql
++                              FROM sqlite_master
++                              WHERE type='index'
++                                AND sql IS NOT NULL
++                                AND LOWER(tbl_name)=?";
++              $rs = $this->execute($sql, [$table]);
+ 
+               if (!is_object($rs)) {
+                       if (isset($savem)) {
diff -Nru libphp-adodb-5.21.4/debian/patches/series 
libphp-adodb-5.21.4/debian/patches/series
--- libphp-adodb-5.21.4/debian/patches/series   2025-05-07 03:09:03.000000000 
+0530
+++ libphp-adodb-5.21.4/debian/patches/series   2025-09-17 13:32:21.000000000 
+0530
@@ -1 +1,3 @@
 00-fix-sec-pgsql-sql-injection.patch
+CVE-2025-54119.patch
+CVE-2025-54119-2.patch
