On Friday 22 June 2018 04:33 PM, Emilio Pozuelo Monfort wrote:
> Ah, nice! Your work looks very useful. My old work was for wheezy, so it only
> addressed one CVE (CVE-2017-18264). Since your work is on jessie (which is on a
> newer version) and fixes many more issues, I'll let you handle it. Let me know
> if you need a review or an upload when you are done with it.
>
> Cheers,
> Emilio
>
Emilio, can you review and upload phpmyadmin? The debdiff is attached. It looks like CVE-2018-10188 and CVE-2018-12581 are not affecting, hence I am going to mark them as not-affected. All the rest are backported.

Thanks
--abhijith
diff -Nru phpmyadmin-4.2.12/debian/changelog phpmyadmin-4.2.12/debian/changelog --- phpmyadmin-4.2.12/debian/changelog 2016-07-24 14:28:31.000000000 +0200 +++ phpmyadmin-4.2.12/debian/changelog 2018-03-04 06:27:49.000000000 +0100 @@ -1,3 +1,13 @@ +phpmyadmin (4:4.2.12-2+deb8u3) jessie-security; urgency=high + + * Non-maintainer upload by the Debian LTS Team. + * Fix several security issues: + CVE-2016-6609, CVE-2016-6614, CVE-2016-6615, CVE-2016-6616, + CVE-2016-6618, CVE-2016-6619, CVE-2016-6620, CVE-2016-6621, + CVE-2016-6622, CVE-2016-9865, CVE-2017-18264 + + -- Abhijith PA <[email protected]> Sun, 04 Mar 2018 10:57:49 +0530 + phpmyadmin (4:4.2.12-2+deb8u2) jessie-security; urgency=high * Fix several security issues: diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6609.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6609.patch --- phpmyadmin-4.2.12/debian/patches/CVE-2016-6609.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6609.patch 2018-03-04 06:27:49.000000000 +0100 
@@ -0,0 +1,57 @@ +Description: Fix CVE-2016-6609 + An issue was discovered in phpMyAdmin. A specially crafted database name could + be used to run arbitrary PHP commands through the array export feature. + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/phpmyadmin/phpmyadmin/commit/34a1ceb +Last-Update: 2018-03-11 + +Index: phpmyadmin-4.2.12/libraries/plugins/export/ExportPhparray.class.php +=================================================================== +--- phpmyadmin-4.2.12.orig/libraries/plugins/export/ExportPhparray.class.php ++++ phpmyadmin-4.2.12/libraries/plugins/export/ExportPhparray.class.php +@@ -82,6 +82,18 @@ class ExportPhparray extends ExportPlugi + { + } + ++ /** ++ * Removes end of comment from a string ++ * ++ * @param string $string String to replace ++ * ++ * @return string ++ */ ++ public function commentString($string) ++ { ++ return strtr($string, '*/', '-'); ++ } ++ + /** + * Outputs export header + * +@@ -119,9 +131,9 @@ class ExportPhparray extends ExportPlugi + public function exportDBHeader ($db) + { + PMA_exportOutputHandler( +- '//' . $GLOBALS['crlf'] +- . '// Database ' . PMA_Util::backquote($db) +- . $GLOBALS['crlf'] . '//' . $GLOBALS['crlf'] ++ '/**' . $GLOBALS['crlf'] ++ . ' * Database ' . $this->commentString(PMA_Util::backquote($db)) ++ . $GLOBALS['crlf'] . ' */' . $GLOBALS['crlf'] + ); + return true; + } +@@ -195,9 +207,9 @@ class ExportPhparray extends ExportPlugi + $buffer = ''; + $record_cnt = 0; + // Output table name as comment +- $buffer .= $crlf . '// ' +- . PMA_Util::backquote($db) . '.' +- . PMA_Util::backquote($table) . $crlf; ++ $buffer .= $crlf . '/* ' ++ . $this->commentString(PMA_Util::backquote($db)) . '.' ++ . $this->commentString(PMA_Util::backquote($table)) . ' */' . $crlf; + $buffer .= '$' . $tablefixed . 
' = array('; + + while ($record = $GLOBALS['dbi']->fetchRow($result)) { diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6614.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6614.patch --- phpmyadmin-4.2.12/debian/patches/CVE-2016-6614.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6614.patch 2018-03-04 06:27:49.000000000 +0100 @@ -0,0 +1,21 @@ +Description: Fix CVE-2016-6614 + An issue was discovered in phpMyAdmin involving the %u username replacement + functionality of the SaveDir and UploadDir features. When the username + substitution is configured, a specially-crafted user name can be used to + circumvent restrictions to traverse the file system. + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/phpmyadmin/phpmyadmin/commit/c6cfb58 +Last-Update: 2018-03-11 + +--- phpmyadmin-4.2.12.orig/libraries/Util.class.php ++++ phpmyadmin-4.2.12/libraries/Util.class.php +@@ -2530,7 +2530,7 @@ class PMA_Util + $dir .= '/'; + } + +- return str_replace('%u', $GLOBALS['cfg']['Server']['user'], $dir); ++ return str_replace('%u', PMA_securePath($GLOBALS['cfg']['Server']['user']), $dir); + } + + /** diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6615.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6615.patch --- phpmyadmin-4.2.12/debian/patches/CVE-2016-6615.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6615.patch 2018-03-04 06:27:49.000000000 +0100 
@@ -0,0 +1,36 @@ +Description: Fix CVE-2016-6615 + XSS issues were discovered in phpMyAdmin. This affects navigation pane and + database/table hiding feature (a specially-crafted database name can be used + to trigger an XSS attack); the "Tracking" feature (a specially-crafted query + can be used to trigger an XSS attack); and GIS visualization feature. + + NOTE: The tracking feature code is not present in jessie version. Rest of the + vulnerabilities fully backported from upstream 4.4 branch. + +Author: Abhijith PA <[email protected]> +Origin: https://www.phpmyadmin.net/security/PMASA-2016-38/ +Last-Update: 2018-03-11 + +--- phpmyadmin-4.2.12.orig/libraries/navigation/Nodes/Node_Database.class.php ++++ phpmyadmin-4.2.12/libraries/navigation/Nodes/Node_Database.class.php +@@ -359,7 +359,7 @@ class Node_Database extends Node + . '<a href="navigation.php?' + . PMA_URL_getCommon() + . '&showUnhideDialog=true' +- . '&dbName=' . urldecode($db) . '"' ++ . '&dbName=' . urlencode($db) . '"' + . ' class="showUnhide ajax">' + . PMA_Util::getImage( + 'lightbulb.png', __('Show hidden items') +--- phpmyadmin-4.2.12.orig/libraries/tbl_gis_visualization.lib.php ++++ phpmyadmin-4.2.12/libraries/tbl_gis_visualization.lib.php +@@ -134,7 +134,8 @@ function PMA_getHtmlForColumn($column, $ + } + + $html .= PMA_getHtmlForOptionsList( +- $columnCandidates, array($visualizationSettings[$column]) ++ array_map("htmlspecialchars", $columnCandidates), ++ array(htmlspecialchars($visualizationSettings[$column])) + ); + + $html .= '</select></td>'; diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6616.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6616.patch --- phpmyadmin-4.2.12/debian/patches/CVE-2016-6616.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6616.patch 2018-03-04 06:27:49.000000000 +0100 
@@ -0,0 +1,22 @@ +Description: Fix CVE-2016-6616 + An issue was discovered in phpMyAdmin. In the "User group" and "Designer" + features, a user can execute an SQL injection attack against the account of the + control user. + NOTE: The "Designer" feature is not present in jessie version. "User group" + vulnerability backported from upstream 4.4 branch. + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/phpmyadmin/phpmyadmin/commit/93a6913 +Last-Update: 2018-03-11 + +--- phpmyadmin-4.2.12.orig/libraries/server_user_groups.lib.php ++++ phpmyadmin-4.2.12/libraries/server_user_groups.lib.php +@@ -343,7 +343,7 @@ function PMA_editUserGroup($userGroup, $ + $sql_query .= ", "; + } + $tabName = $tabGroupName . '_' . $tab; +- $allowed = isset($_REQUEST[$tabName]) && $_REQUEST[$tabName] == 'Y'; ++ $sql_query .= "('" . PMA_Util::sqlAddSlashes($userGroup) . "', '" . $tabName . "', '" + $sql_query .= "('" . $userGroup . "', '" . $tabName . "', '" + . ($allowed ? "Y" : "N") . "')"; + $first = false; diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6618.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6618.patch --- phpmyadmin-4.2.12/debian/patches/CVE-2016-6618.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6618.patch 2018-03-04 06:27:49.000000000 +0100 
@@ -0,0 +1,32 @@ +Description: Fix CVE-2016-6618 + An issue was discovered in phpMyAdmin. The transformation feature allows a user + to trigger a denial-of-service (DoS) attack against the server. + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/phpmyadmin/phpmyadmin/commit/ff88cdb +Last-Update: 2018-03-11 + +--- phpmyadmin-4.2.12.orig/transformation_wrapper.php ++++ phpmyadmin-4.2.12/transformation_wrapper.php +@@ -34,9 +34,20 @@ $request_params = array( + 'transform_key', + 'where_clause' + ); ++$size_params = array( ++ 'newHeight', ++ 'newWidth', ++); + foreach ($request_params as $one_request_param) { + if (isset($_REQUEST[$one_request_param])) { +- $GLOBALS[$one_request_param] = $_REQUEST[$one_request_param]; ++ if (in_array($one_request_param, $size_params)) { ++ $GLOBALS[$one_request_param] = intval($_REQUEST[$one_request_param]); ++ if ($GLOBALS[$one_request_param] > 2000) { ++ $GLOBALS[$one_request_param] = 2000; ++ } ++ } else { ++ $GLOBALS[$one_request_param] = $_REQUEST[$one_request_param]; ++ } + } + } + diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6619.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6619.patch --- phpmyadmin-4.2.12/debian/patches/CVE-2016-6619.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6619.patch 2018-03-04 06:27:49.000000000 +0100 
@@ -0,0 +1,40 @@ +Description: Fix CVE-2016-6619 + An issue was discovered in phpMyAdmin. In the user interface preference feature + , a user can execute an SQL injection attack against the account of the control + user. + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/phpmyadmin/phpmyadmin/commit/8ac57b1281250cbf3f0eee3db23fed281ad2ba3d +Last-Update: 2018-03-11 + +--- phpmyadmin-4.2.12.orig/libraries/RecentFavoriteTable.class.php ++++ phpmyadmin-4.2.12/libraries/RecentFavoriteTable.class.php +@@ -113,7 +113,7 @@ class PMA_RecentFavoriteTable + // Read from phpMyAdmin database, if recent tables is not in session + $sql_query + = " SELECT `tables` FROM " . $this->_pmaTable . +- " WHERE `username` = '" . $GLOBALS['cfg']['Server']['user'] . "'"; ++ " WHERE `username` = '" . PMA_Util::sqlAddSlashes($GLOBALS['cfg']['Server']['user']) . "'"; + + $return = array(); + $result = PMA_queryAsControlUser($sql_query, false); +--- phpmyadmin-4.2.12.orig/libraries/Table.class.php ++++ phpmyadmin-4.2.12/libraries/Table.class.php +@@ -1523,7 +1523,7 @@ class PMA_Table + + // Read from phpMyAdmin database + $sql_query = " SELECT `prefs` FROM " . $pma_table +- . " WHERE `username` = '" . $GLOBALS['cfg']['Server']['user'] . "'" ++ . " WHERE `username` = '" . PMA_Util::sqlAddSlashes($GLOBALS['cfg']['Server']['user']) . "'" + . " AND `db_name` = '" . PMA_Util::sqlAddSlashes($this->db_name) . "'" + . " AND `table_name` = '" . PMA_Util::sqlAddSlashes($this->name) . "'"; + +@@ -1549,7 +1549,7 @@ class PMA_Table + + $username = $GLOBALS['cfg']['Server']['user']; + $sql_query = " REPLACE INTO " . $pma_table +- . " VALUES ('" . $username . "', '" . $secureDbName ++ . " VALUES ('" . PMA_Util::sqlAddSlashes($username) . "', '" . PMA_Util::sqlAddSlashes($this->db_name) + . "', '" . PMA_Util::sqlAddSlashes($this->name) . "', '" + . PMA_Util::sqlAddSlashes(json_encode($this->uiprefs)) . 
"', NULL)"; + diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6620.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6620.patch --- phpmyadmin-4.2.12/debian/patches/CVE-2016-6620.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6620.patch 2018-03-04 06:27:49.000000000 +0100 
@@ -0,0 +1,119 @@ +Description: Fix CVE-2016-6620 + An issue was discovered in phpMyAdmin. Some data is passed to the PHP + unserialize() function without verification that it's valid serialized data. + The unserialization can result in code execution because of the interaction + with object instantiation and autoloading. + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/phpmyadmin/phpmyadmin/commit/80c9302 +Last-Update: 2018-03-12 + +--- phpmyadmin-4.2.12.orig/libraries/core.lib.php ++++ phpmyadmin-4.2.12/libraries/core.lib.php +@@ -903,4 +903,92 @@ if(! function_exists('hash_equals')) { + return ! $ret; + } + } ++ ++/** ++ * Safe unserializer wrapper ++ * ++ * It does not unserialize data containing objects ++ * ++ * @param string $data Data to unserialize ++ * ++ * @return mixed ++ */ ++function PMA_safeUnserialize($data) ++{ ++ if (! is_string($data)) { ++ return null; ++ } ++ ++ /* validate serialized data */ ++ $length = strlen($data); ++ $depth = 0; ++ for ($i = 0; $i < $length; $i++) { ++ $value = $data[$i]; ++ ++ switch ($value) ++ { ++ case '}': ++ /* end of array */ ++ if ($depth <= 0) { ++ return null; ++ } ++ $depth--; ++ break; ++ case 's': ++ /* string */ ++ // parse sting length ++ $strlen = intval($data[$i + 2]); ++ // string start ++ $i = strpos($data, ':', $i + 2); ++ if ($i === false) { ++ return null; ++ } ++ // skip string, quotes and ; ++ $i += 2 + $strlen + 1; ++ if ($data[$i] != ';') { ++ return null; ++ } ++ break; ++ ++ case 'b': ++ case 'i': ++ case 'd': ++ /* bool, integer or double */ ++ // skip value to sepearator ++ $i = strpos($data, ';', $i); ++ if ($i === false) { ++ return null; ++ } ++ break; ++ case 'a': ++ /* array */ ++ // find array start ++ $i = strpos($data, '{', $i); ++ if ($i === false) { ++ return null; ++ } ++ // remember nesting ++ $depth++; ++ break; ++ case 'N': ++ /* null */ ++ // skip to end ++ $i = strpos($data, ';', $i); ++ if ($i === false) { ++ return null; ++ } ++ break; ++ default: ++ /* 
any other elements are not wanted */ ++ return null; ++ } ++ } ++ ++ // check unterminated arrays ++ if ($depth > 0) { ++ return null; ++ } ++ ++ return unserialize($data); ++} + ?> +--- phpmyadmin-4.2.12.orig/libraries/tbl_tracking.lib.php ++++ phpmyadmin-4.2.12/libraries/tbl_tracking.lib.php +@@ -780,7 +780,10 @@ function PMA_getHtmlForSchemaSnapshot($u + ); + + // Unserialize snapshot +- $temp = unserialize($data['schema_snapshot']); ++ $temp = PMA_safeUnserialize($data['schema_snapshot']); ++ if ($temp === null) { ++ $temp = array('COLUMNS' => array(), 'INDEXES' => array()); ++ } + $columns = $temp['COLUMNS']; + $indexes = $temp['INDEXES']; + $html .= PMA_getHtmlForColumns($columns); diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6621.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6621.patch --- phpmyadmin-4.2.12/debian/patches/CVE-2016-6621.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6621.patch 2018-03-04 06:27:49.000000000 +0100 
@@ -0,0 +1,222 @@ +Description: Fix CVE-2016-6621 + The setup script for phpMyAdmin allows remote attackers to conduct server-side + request forgery (SSRF) attacks via unspecified vectors. + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/phpmyadmin/phpmyadmin/commit/801485a + https://github.com/phpmyadmin/phpmyadmin/commit/88cc11a +Last-Update: 2018-03-12 + +--- phpmyadmin-4.2.12.orig/libraries/config/ConfigFile.class.php ++++ phpmyadmin-4.2.12/libraries/config/ConfigFile.class.php +@@ -478,21 +478,6 @@ class ConfigFile + } + + /** +- * Returns config file path, relative to phpMyAdmin's root path +- * +- * @return string +- */ +- public function getFilePath() +- { +- // Load paths +- if (!defined('SETUP_CONFIG_FILE')) { +- include_once './libraries/vendor_config.php'; +- } +- +- return SETUP_CONFIG_FILE; +- } +- +- /** + * Returns configuration array (full, multidimensional format) + * + * @return array +--- phpmyadmin-4.2.12.orig/libraries/vendor_config.php ++++ phpmyadmin-4.2.12/libraries/vendor_config.php +@@ -26,17 +26,6 @@ define('CHANGELOG_FILE', '/usr/share/doc + define('LICENSE_FILE', '/usr/share/doc/phpmyadmin/copyright'); + + /** +- * Path to config file generated using setup script. +- */ +-define('SETUP_CONFIG_FILE', '/var/lib/phpmyadmin/config.inc.php'); +- +-/** +- * Whether setup requires writable directory where config +- * file will be generated. +- */ +-define('SETUP_DIR_WRITABLE', false); +- +-/** + * Directory where configuration files are stored. + * It is not used directly in code, just a convenient + * define used further in this file. +--- phpmyadmin-4.2.12.orig/setup/config.php ++++ phpmyadmin-4.2.12/setup/config.php +@@ -19,7 +19,6 @@ require './libraries/config/setup.forms. 
+ $form_display = new FormDisplay($GLOBALS['ConfigFile']); + $form_display->registerForm('_config.php', $forms['_config.php']); + $form_display->save('_config.php'); +-$config_file_path = $GLOBALS['ConfigFile']->getFilePath(); + + if (isset($_POST['eol'])) { + $_SESSION['eol'] = ($_POST['eol'] == 'unix') ? 'unix' : 'win'; +@@ -41,35 +40,7 @@ if (PMA_ifSetOr($_POST['submit_clear'], + PMA_downloadHeader('config.inc.php', 'text/plain'); + echo ConfigGenerator::getConfigFile($GLOBALS['ConfigFile']); + exit; +-} elseif (PMA_ifSetOr($_POST['submit_save'], '')) { +- // +- // Save generated config file on the server +- // +- file_put_contents( +- $config_file_path, +- ConfigGenerator::getConfigFile($GLOBALS['ConfigFile']) +- ); +- header('HTTP/1.1 303 See Other'); +- header('Location: index.php?action_done=config_saved'); +- exit; +-} elseif (PMA_ifSetOr($_POST['submit_load'], '')) { +- // +- // Load config file from the server +- // +- $cfg = array(); +- include_once $config_file_path; +- $GLOBALS['ConfigFile']->setConfigData($cfg); +- header('HTTP/1.1 303 See Other'); +- header('Location: index.php'); +- exit; +-} elseif (PMA_ifSetOr($_POST['submit_delete'], '')) { +- // +- // Delete config file on the server +- // +- @unlink($config_file_path); +- header('HTTP/1.1 303 See Other'); +- header('Location: index.php'); +- exit; ++ + } else { + // + // Show generated config file in a <textarea> +--- phpmyadmin-4.2.12.orig/setup/frames/config.inc.php ++++ phpmyadmin-4.2.12/setup/frames/config.inc.php +@@ -17,10 +17,7 @@ require_once './libraries/config/FormDis + require_once './setup/lib/index.lib.php'; + require_once './setup/lib/ConfigGenerator.class.php'; + +-$config_readable = false; +-$config_writable = false; +-$config_exists = false; +-PMA_checkConfigRw($config_readable, $config_writable, $config_exists); ++ + echo '<h2>' . __('Configuration file') . 
'</h2>'; + + PMA_displayFormTop('config.php'); +@@ -39,11 +36,6 @@ echo '<tr>'; + echo '<td class="lastrow" style="text-align: left">'; + echo '<input type="submit" name="submit_download" value="' + . __('Download') . '" class="green" />'; +-echo '<input type="submit" name="submit_save" value="' . __('Save') . '"'; +-if (!$config_writable) { +- echo ' disabled="disabled"'; +-} +-echo '/>'; + echo '</td>'; + echo '</tr>'; + +--- phpmyadmin-4.2.12.orig/setup/frames/index.inc.php ++++ phpmyadmin-4.2.12/setup/frames/index.inc.php +@@ -44,23 +44,6 @@ $configChecker->performConfigChecks(); + // + // Check whether we can read/write configuration + // +-$config_readable = false; +-$config_writable = false; +-$config_exists = false; +-PMA_checkConfigRw($config_readable, $config_writable, $config_exists); +-if (!$config_writable || !$config_readable) { +- PMA_messagesSet( +- 'error', 'config_rw', __('Cannot load or save configuration'), +- PMA_sanitize( +- __( +- 'Please create web server writable folder [em]config[/em] in ' +- . 'phpMyAdmin top level directory as described in ' +- . '[doc@setup_script]documentation[/doc]. Otherwise you will be ' +- . 'only able to download or display it.' +- ) +- ) +- ); +-} + // + // Check https connection + // +@@ -268,25 +251,6 @@ echo '<tr>'; + echo '<td colspan="2" class="lastrow" style="text-align: left">'; + echo '<input type="submit" name="submit_display" value="' . __('Display') . '" />'; + echo '<input type="submit" name="submit_download" value="' . __('Download') . '" />'; +-echo ' '; +- +-echo '<input type="submit" name="submit_save" value="' . __('Save') . '"'; +-if (!$config_writable) { +- echo ' disabled="disabled"'; +-} +-echo '/>'; +- +-echo '<input type="submit" name="submit_load" value="' . __('Load') . '"'; +-if (!$config_exists) { +- echo ' disabled="disabled"'; +-} +-echo '/>'; +- +-echo '<input type="submit" name="submit_delete" value="' . __('Delete') . 
'"'; +-if (!$config_exists || !$config_writable) { +- echo ' disabled="disabled"'; +-} +-echo '/>'; + + echo ' '; + echo '<input type="submit" name="submit_clear" value="' . __('Clear') +--- phpmyadmin-4.2.12.orig/setup/index.php ++++ phpmyadmin-4.2.12/setup/index.php +@@ -12,6 +12,10 @@ + */ + require './lib/common.inc.php'; + ++if (file_exists(CONFIG_FILE)) { ++ PMA_fatalError(__('Configuration already exists, setup is disabled!')); ++} ++ + $page = isset($_GET['page']) ? $_GET['page'] : null; + $page = preg_replace('/[^a-z]/', '', $page); + if ($page === '') { +--- phpmyadmin-4.2.12.orig/setup/lib/index.lib.php ++++ phpmyadmin-4.2.12/setup/lib/index.lib.php +@@ -174,28 +174,3 @@ function PMA_versionCheck() + } + } + } +- +-/** +- * Checks whether config file is readable/writable +- * +- * @param bool &$is_readable whether the file is readable +- * @param bool &$is_writable whether the file is writable +- * @param bool &$file_exists whether the file exists +- * +- * @return void +- */ +-function PMA_checkConfigRw(&$is_readable, &$is_writable, &$file_exists) +-{ +- $file_path = $GLOBALS['ConfigFile']->getFilePath(); +- $file_dir = dirname($file_path); +- $is_readable = true; +- $is_writable = is_dir($file_dir); +- if (SETUP_DIR_WRITABLE) { +- $is_writable = $is_writable && is_writable($file_dir); +- } +- $file_exists = file_exists($file_path); +- if ($file_exists) { +- $is_readable = is_readable($file_path); +- $is_writable = $is_writable && is_writable($file_path); +- } +-} diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6622.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6622.patch --- phpmyadmin-4.2.12/debian/patches/CVE-2016-6622.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/CVE-2016-6622.patch 2018-03-04 06:27:49.000000000 +0100 
@@ -0,0 +1,68 @@ +Description: Fix CVE-2016-6622 + A vulnerability was discovered where an unauthenticated user is able to execute + a denial-of-service (DOS) attack by forcing persistent connections when + phpMyAdmin is running with $cfg['AllowArbitraryServer']=true;. + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/phpmyadmin/phpmyadmin/commit/10bdb0d + https://github.com/phpmyadmin/phpmyadmin/commit/8e0918c +Last-Update: 2018-03-12 + +--- phpmyadmin-4.2.12.orig/libraries/config/Validator.class.php ++++ phpmyadmin-4.2.12/libraries/config/Validator.class.php +@@ -226,6 +226,7 @@ class PMA_Validator + ) { + // static::testPHPErrorMsg(); + $error = null; ++ $host = PMA_sanitizeMySQLHost($host); + + if (PMA_DatabaseInterface::checkDbExtension('mysqli')) { + $socket = empty($socket) || $connect_type == 'tcp' ? null : $socket; +--- phpmyadmin-4.2.12.orig/libraries/core.lib.php ++++ phpmyadmin-4.2.12/libraries/core.lib.php +@@ -905,6 +905,23 @@ if(! function_exists('hash_equals')) { + } + + /** ++ * Sanitizes MySQL hostname ++ * ++ * * strips p: prefix ++ * ++ * @param string $name User given hostname ++ * ++ * @return string ++ */ ++function PMA_sanitizeMySQLHost($name) ++{ ++ if (strtolower(substr($name, 0, 2)) == 'p:') { ++ return substr($name, 2); ++ } ++ ++ return $name; ++} ++/** + * Safe unserializer wrapper + * + * It does not unserialize data containing objects +--- phpmyadmin-4.2.12.orig/libraries/plugins/auth/AuthenticationCookie.class.php ++++ phpmyadmin-4.2.12/libraries/plugins/auth/AuthenticationCookie.class.php +@@ -405,7 +405,7 @@ class AuthenticationCookie extends Authe + if ($GLOBALS['cfg']['AllowArbitraryServer'] + && isset($_REQUEST['pma_servername']) + ) { +- $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername']; ++ $GLOBALS['pma_auth_server'] = PMA_sanitizeMySQLHost($_REQUEST['pma_servername']); + } + return true; + } +--- phpmyadmin-4.2.12.orig/libraries/replication.inc.php ++++ 
phpmyadmin-4.2.12/libraries/replication.inc.php +@@ -264,7 +264,7 @@ function PMA_Replication_connectToMaster + + // 5th parameter set to true means that it's an auxiliary connection + // and we must not go back to login page if it fails +- return $GLOBALS['dbi']->connect($user, $password, false, $server, true); ++ return PMA_DBI_connect($user, $password, false, PMA_sanitizeMySQLHost($server), true); + } + /** + * Fetches position and file of current binary log on master diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-9865.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-9865.patch --- phpmyadmin-4.2.12/debian/patches/CVE-2016-9865.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/CVE-2016-9865.patch 2018-03-04 06:27:49.000000000 +0100 @@ -0,0 +1,19 @@ +Description: Fix CVE-2016-9865 + Due to a bug in serialized string parsing, it was possible to bypass the + protection offered by PMA_safeUnserialize() function. + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/phpmyadmin/phpmyadmin/commit/5e108a3 +Last-Update: 2018-03-12 + +--- phpmyadmin-4.2.12.orig/libraries/core.lib.php ++++ phpmyadmin-4.2.12/libraries/core.lib.php +@@ -954,7 +954,7 @@ function PMA_safeUnserialize($data) + case 's': + /* string */ + // parse sting length +- $strlen = intval($data[$i + 2]); ++ $strlen = intval(substr($data, $i + 2)); + // string start + $i = strpos($data, ':', $i + 2); + if ($i === false) { diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2017-18264.patch phpmyadmin-4.2.12/debian/patches/CVE-2017-18264.patch --- phpmyadmin-4.2.12/debian/patches/CVE-2017-18264.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/CVE-2017-18264.patch 2018-03-04 06:27:49.000000000 +0100 
@@ -0,0 +1,22 @@ +Description: CVE-2017-18264 + Restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false can be + bypassed. This can allow the login of users who have no password set even if + the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false + (which is also the default). This patch avoids returning false when + first parameter to substr is ''. + +Author: Abhijith PA <[email protected]> +Origin: https://github.com/phpmyadmin/phpmyadmin/commit/b6ca92cc75c8a16001425be7881e73430bcc35b8 +Last-Update: 2018-07-05 + +--- phpmyadmin-4.2.12.orig/libraries/common.inc.php ++++ phpmyadmin-4.2.12/libraries/common.inc.php +@@ -859,7 +859,7 @@ if (! defined('PMA_MINIMUM_COMMON')) { + . ' ' . $cfg['Server']['auth_type'] + ); + } +- if (isset($_REQUEST['pma_password'])) { ++ if (isset($_REQUEST['pma_password']) && strlen($_REQUEST['pma_password']) > 256) { + $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256); + } + include_once './libraries/plugins/auth/' . $auth_class . '.class.php'; diff -Nru phpmyadmin-4.2.12/debian/patches/series phpmyadmin-4.2.12/debian/patches/series --- phpmyadmin-4.2.12/debian/patches/series 2016-07-24 14:28:41.000000000 +0200 +++ phpmyadmin-4.2.12/debian/patches/series 2018-03-04 06:27:49.000000000 +0100 @@ -21,3 +21,14 @@ CVE-2016-5731.patch CVE-2016-5733.patch CVE-2016-5739.patch +CVE-2016-6609.patch +CVE-2016-6614.patch +CVE-2016-6615.patch +CVE-2016-6616.patch +CVE-2016-6618.patch +CVE-2016-6619.patch +CVE-2016-6620.patch +CVE-2016-6621.patch +CVE-2016-6622.patch +CVE-2016-9865.patch +CVE-2017-18264.patch
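Review bot: in CVE-2016-6609.patch the new `commentString()` is documented as "Removes end of comment from a string", but `strtr($string, '*/', '-')` uses strtr's two-string form, which maps characters positionally and ignores the extra character in the `from` argument, so it only turns every `*` into `-` and leaves `/` alone. The outcome is still that `*/` can never appear in the emitted `/* ... */` comments, so the fix holds, but either the docblock should say it replaces every `*`, or the call should be `str_replace('*/', '-', $string)` if a token replacement is what was meant. Whichever you pick, keep it identical to the upstream commit (34a1ceb) named in Origin so later backports line up.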
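Review bot: the NOTE in the CVE-2016-6615.patch header says "The tracking feature code is not present in jessie version", yet CVE-2016-6620.patch in this same debdiff modifies libraries/tbl_tracking.lib.php, so the tracking feature clearly exists in 4.2.12. If what is missing is only the specific XSS sink from PMASA-2016-38 (the crafted-query display in tracking), say that, and list which upstream commits from the advisory were deliberately left out so the next LTS uploader does not have to re-investigate.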
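Review bot: the server_user_groups.lib.php hunk in CVE-2016-6616.patch removes the wrong line. The `-` line is `$allowed = isset($_REQUEST[$tabName]) && $_REQUEST[$tabName] == 'Y';`, while the old unescaped `$sql_query .= "('" . $userGroup . "', '" . $tabName . "', '"` is kept as context directly under the new `PMA_Util::sqlAddSlashes($userGroup)` line. After patching, `$allowed` is undefined and both fragments are appended to `$sql_query`, producing malformed SQL that still contains the raw `$userGroup`, so the injection is not actually closed. The `-` line should be the old `$sql_query .=` line and `$allowed = ...` should stay; please regenerate this hunk from upstream commit 93a6913 and run `quilt push -a` plus `php -l` on the touched files before upload.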
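Review bot: the transformation_wrapper.php hunk in CVE-2016-6618.patch caps `newHeight` and `newWidth` at 2000 but only from above; `intval()` will return 0 or a negative number for input like `newWidth=-1`, and those pass through unchanged. This matches the upstream commit in Origin (ff88cdb), so it is not a regression, but a lower bound (clamp to at least 1, or fall back to the original dimension) would be cheap hardening while you are in this block.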
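Review bot: the second Table.class.php hunk in CVE-2016-6619.patch (the `REPLACE INTO` at line 1549) replaces `$secureDbName` with `PMA_Util::sqlAddSlashes($this->db_name)` in addition to escaping `$username`. The CVE is about the username, and the description does not mention the db_name change. If `$secureDbName` is assigned a few lines above as the already-escaped db name, it is now a dead variable and should be dropped in the same patch; if it is something else, this hunk changes behaviour beyond the fix. Either keep the hunk minimal (escape `$username` only) or document why the second change is needed.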
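Review bot: in the `PMA_safeUnserialize()` added by CVE-2016-6620.patch, the `case 's'` branch advances with `$i += 2 + $strlen + 1;` and then reads `$data[$i]` without checking `$i < $length`, so a string element whose declared length overruns the buffer triggers a PHP "Uninitialized string offset" notice before the function returns null. The data is still rejected, but guarding the read, `if ($i >= $length || $data[$i] != ';') { return null; }`, avoids the notice in the web server log. Also note that `$strlen = intval($data[$i + 2]);` in this hunk parses only a single digit; that is the bug CVE-2016-9865.patch later in series corrects, so the two patches must stay in that order.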
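Review bot: the setup/index.php hunk in CVE-2016-6621.patch aborts with "Configuration already exists, setup is disabled!" whenever `CONFIG_FILE` exists. If `CONFIG_FILE` resolves to the package-shipped config.inc.php, as the Debian paths in the vendor_config.php hunk suggest, this disables the setup script entirely on every jessie install, not just the save/load/delete actions that were removed. That is likely the right call for LTS, but it is a user-visible behaviour change and deserves a sentence in debian/changelog (or a NEWS entry). Separately, the removal in setup/frames/index.inc.php leaves the `// Check whether we can read/write configuration` comment block with no code under it; drop the orphaned comment as well.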
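Review bot: the replication.inc.php hunk in CVE-2016-6622.patch changes the call itself, from `$GLOBALS['dbi']->connect(...)` to `PMA_DBI_connect(...)`, which is unrelated to the host sanitisation and is not defined anywhere in this debdiff. The `-` line shows 4.2.12 uses the `$GLOBALS['dbi']` object here, so the `PMA_DBI_connect` form looks carried over from the older procedural branch and would fail at runtime when connecting to a master. Keep the original call and only wrap the host: `return $GLOBALS['dbi']->connect($user, $password, false, PMA_sanitizeMySQLHost($server), true);`.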
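Review bot: the header of CVE-2017-18264.patch reads `Description: CVE-2017-18264` while every other patch in this debdiff uses the `Description: Fix CVE-...` form; make it consistent. More importantly, its `Last-Update: 2018-07-05` and the other patches' `Last-Update: 2018-03-11` / `2018-03-12` all post-date the new changelog entry (`Sun, 04 Mar 2018 10:57:49 +0530`), so run `dch -r` before building so the changelog timestamp reflects the actual upload rather than the first draft.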
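Review bot: the order of the eleven entries appended in the series hunk is load-bearing and should not be reshuffled: the core.lib.php hunk in CVE-2016-6622.patch uses `Safe unserializer wrapper` as its context, which only exists once CVE-2016-6620.patch is applied, and CVE-2016-9865.patch edits the `case 's'` branch that CVE-2016-6620.patch introduces. The order as written is correct; a `quilt push -a` on a clean unpacked tree is the quick pre-upload check that all eleven still apply.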
