tags 508026 fixed-upstream
thanks

Hi,

Thijs Kinkhorst wrote:
> As it seems, upstream does already support running in register_globals=0 mode
> for a long time (according to their changelog since 2002...). Therefore I
> guess this bug would be fixed if the statement turning register_globals on
> was removed from the Apache configuration file. Of course this does need some
> thorough testing.
>
> When doing that, including the fix from this bug report as well is a good idea
> since it can't hurt and will provide some extra protection for those running
> unsafe setups.

Upstream released a new version to fix this issue. Attached are the debdiffs for stable/testing/unstable with the trivial backported patch[1], and register_globals off (not in stable).

I also tested phppgadmin with register_globals off, and I didn't find any evident problems.

I'm not a DD, so these need a review and an upload.

[1] http://github.com/xzilla/phppgadmin/commit/a4531f0f3345f92c721aaeae0226fea0b634aed4

Giuseppe.
diff -u phppgadmin-4.0.1/debian/changelog phppgadmin-4.0.1/debian/changelog --- phppgadmin-4.0.1/debian/changelog +++ phppgadmin-4.0.1/debian/changelog @@ -1,3 +1,11 @@ +phppgadmin (4.0.1-3.2) stable-security; urgency=high + + * Non-maintainer upload. + * Fix local file inclusion vulnerability: (CVE-2008-5587) + Unset language variable before determine file includes (Closes: #508026) + + -- Giuseppe Iuculano <[email protected]> Tue, 23 Dec 2008 11:20:56 +0100 + phppgadmin (4.0.1-3.1) unstable; urgency=low * Non-maintainer upload to fix pending l10n issues. only in patch2: unchanged: --- phppgadmin-4.0.1.orig/libraries/lib.inc.php +++ phppgadmin-4.0.1/libraries/lib.inc.php @@ -94,6 +94,8 @@ } // Determine language file to import: + unset($_language); + // 1. Check for the language from a request var if (isset($_REQUEST['language']) && isset($appLangFiles[$_REQUEST['language']])) $_language = $_REQUEST['language'];
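Review bot: In the libraries/lib.inc.php hunk, unset($_language) clears only that one variable, and this debdiff has no apache.conf change (the cover message says register_globals off is not in stable), so the fix rests entirely on $_language being reassigned safely afterwards. Only step 1 is visible in the context, where the request value is checked with isset($appLangFiles[...]) before use. Please confirm that the later steps validate against $appLangFiles in the same way and that a fixed default is assigned when none of them matches, so the include never sees an unset or unchecked value.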
diff -u phppgadmin-4.2.1/debian/changelog phppgadmin-4.2.1/debian/changelog --- phppgadmin-4.2.1/debian/changelog +++ phppgadmin-4.2.1/debian/changelog @@ -1,3 +1,12 @@ +phppgadmin (4.2.1-1.1) unstable; urgency=low + + * Non-maintainer upload. + * debian/patches/CVE-2008-5587.patch: Unset language variable before + determine file includes (CVE-2008-5587) (Closes: #508026) + * debian/apache.conf: Removing register_globals on directive + + -- Giuseppe Iuculano <[email protected]> Tue, 23 Dec 2008 10:35:24 +0100 + phppgadmin (4.2.1-1) unstable; urgency=low * New upstream release diff -u phppgadmin-4.2.1/debian/apache.conf phppgadmin-4.2.1/debian/apache.conf --- phppgadmin-4.2.1/debian/apache.conf +++ phppgadmin-4.2.1/debian/apache.conf @@ -15,7 +15,6 @@ <IfModule mod_php5.c> php_flag magic_quotes_gpc Off php_flag track_vars On - php_flag register_globals On php_value include_path . </IfModule> diff -u phppgadmin-4.2.1/debian/patches/series phppgadmin-4.2.1/debian/patches/series --- phppgadmin-4.2.1/debian/patches/series +++ phppgadmin-4.2.1/debian/patches/series @@ -2,0 +3 @@ +CVE-2008-5587.patch only in patch2: unchanged: --- phppgadmin-4.2.1.orig/debian/patches/CVE-2008-5587.patch +++ phppgadmin-4.2.1/debian/patches/CVE-2008-5587.patch @@ -0,0 +1,12 @@ +Unset language variable before determine file includes +--- a/libraries/lib.inc.php ++++ b/libraries/lib.inc.php +@@ -95,6 +95,8 @@ + } + + // Determine language file to import: ++ unset($_language); ++ + // 1. Check for the language from a request var + if (isset($_REQUEST['language']) && isset($appLangFiles[$_REQUEST['language']])) + $_language = $_REQUEST['language'];
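Review bot: The debian/apache.conf hunk removes "php_flag register_globals On" without putting anything in its place, so the directory inherits the server-wide PHP setting and a host that enables register_globals globally keeps running phppgadmin in the old mode. Consider replacing the removed line with "php_flag register_globals Off" so the package enforces the configuration it was tested with. Separately, the changelog entry uses urgency=low for an upload that closes a CVE, while the testing-security debdiff uses urgency=high; raising it here would be consistent.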
diff -u phppgadmin-4.2/debian/apache.conf phppgadmin-4.2/debian/apache.conf --- phppgadmin-4.2/debian/apache.conf +++ phppgadmin-4.2/debian/apache.conf @@ -15,7 +15,6 @@ <IfModule mod_php5.c> php_flag magic_quotes_gpc Off php_flag track_vars On - php_flag register_globals On php_value include_path . </IfModule> diff -u phppgadmin-4.2/debian/changelog phppgadmin-4.2/debian/changelog --- phppgadmin-4.2/debian/changelog +++ phppgadmin-4.2/debian/changelog @@ -1,3 +1,12 @@ +phppgadmin (4.2-1.1) testing-security; urgency=high + + * Non-maintainer upload. + * debian/patches/CVE-2008-5587.patch: Unset language variable before + determine file includes (CVE-2008-5587) (Closes: #508026) + * debian/apache.conf: Removing register_globals on directive + + -- Giuseppe Iuculano <[email protected]> Tue, 23 Dec 2008 10:04:17 +0100 + phppgadmin (4.2-1) unstable; urgency=low * New upstream release diff -u phppgadmin-4.2/debian/patches/series phppgadmin-4.2/debian/patches/series --- phppgadmin-4.2/debian/patches/series +++ phppgadmin-4.2/debian/patches/series @@ -2,0 +3 @@ +CVE-2008-5587.patch only in patch2: unchanged: --- phppgadmin-4.2.orig/debian/patches/CVE-2008-5587.patch +++ phppgadmin-4.2/debian/patches/CVE-2008-5587.patch @@ -0,0 +1,12 @@ +Unset language variable before determine file includes +--- a/libraries/lib.inc.php ++++ b/libraries/lib.inc.php +@@ -95,6 +95,8 @@ + } + + // Determine language file to import: ++ unset($_language); ++ + // 1. Check for the language from a request var + if (isset($_REQUEST['language']) && isset($appLangFiles[$_REQUEST['language']])) + $_language = $_REQUEST['language'];
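Review bot: The new debian/patches/CVE-2008-5587.patch has only a one-line description above its "--- a/libraries/lib.inc.php" header, with no origin or bug reference. Add the upstream commit URL given as [1] in the cover message and the bug number (#508026) to the patch header so the backport can be traced to its source later.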

