Hi, I uploaded version 4.2.12-2+deb8u4 of phpmyadmin to:
https://people.debian.org/~kanashiro/jessie_lts/phpmyadmin/ It has patches fixing CVE-2018-19968 and CVE-2018-19970. I did not have time to determine whether jessie is affected by CVE-2018-19969 (requested by sunweaver); I did some superficial investigation, with no confirmation yet. I will not have enough time this month to continue the investigation. I'd appreciate some review and testing, especially of the CVE-2018-19968 fix; the debdiff is attached if it helps. Thanks in advance! -- Lucas Kanashiro
diff -Nru phpmyadmin-4.2.12/debian/changelog phpmyadmin-4.2.12/debian/changelog
--- phpmyadmin-4.2.12/debian/changelog 2018-03-04 02:27:49.000000000 -0300
+++ phpmyadmin-4.2.12/debian/changelog 2019-01-23 11:47:22.000000000 -0200
@@ -1,3 +1,11 @@
+phpmyadmin (4:4.2.12-2+deb8u4) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS team.
+ * Fix CVE-2018-19968: Local file inclusion through transformation feature.
+ * Fix CVE-2018-19970: XSS vulnerability in the navigation tree.
+
+ -- Lucas Kanashiro <[email protected]> Wed, 23 Jan 2019 11:14:59 -0200
+
 phpmyadmin (4:4.2.12-2+deb8u3) jessie-security; urgency=high
 
 * Non-maintainer upload by the Debian LTS Team.
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2018-19968.patch phpmyadmin-4.2.12/debian/patches/CVE-2018-19968.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2018-19968.patch 1969-12-31 21:00:00.000000000 -0300
+++ phpmyadmin-4.2.12/debian/patches/CVE-2018-19968.patch 2019-01-23 11:47:00.000000000 -0200
@@ -0,0 +1,108 @@
+Description: Remove transformation plugin includes
+ Tranformation plugins should be loaded by the autoloader.
+ Fixes CVE-2018-19968. This patch is based on upstream patch:
+ https://github.com/phpmyadmin/phpmyadmin/commit/6a1ba61e29002f0305a9322a8af4eaaeb11c0732
+Author: Lucas Kanashiro <[email protected]>
+Last-Updated: 2019-01-23
+
+--- a/libraries/DisplayResults.class.php
++++ b/libraries/DisplayResults.class.php
+@@ -2894,27 +2894,28 @@ class PMA_DisplayResults
+
+ if (file_exists($include_file)) {
+
+- include_once $include_file;
+ $class_name = str_replace('.class.php', '', $file);
+- // todo add $plugin_manager
+- $plugin_manager = null;
+- $transformation_plugin = new $class_name(
+- $plugin_manager
+- );
++ if (class_exists($class_name)) {
++ // todo add $plugin_manager
++ $plugin_manager = null;
++ $transformation_plugin = new $class_name(
++ $plugin_manager
++ );
+
+- $transform_options = PMA_Transformation_getOptions(
+- isset($mime_map[$meta->name]
++ $transform_options = PMA_Transformation_getOptions(
++ isset($mime_map[$meta->name]
++ ['transformation_options']
++ )
++ ? $mime_map[$meta->name]
+ ['transformation_options']
+- )
+- ? $mime_map[$meta->name]
+- ['transformation_options']
+- : ''
+- );
++ : ''
++ );
+
+- $meta->mimetype = str_replace(
+- '_', '/',
+- $mime_map[$meta->name]['mimetype']
+- );
++ $meta->mimetype = str_replace(
++ '_', '/',
++ $mime_map[$meta->name]['mimetype']
++ );
++ }
+
+ } // end if file_exists
+ } // end if transformation is set
+--- a/libraries/insert_edit.lib.php
++++ b/libraries/insert_edit.lib.php
+@@ -2151,20 +2151,21 @@ function PMA_transformEditedValues($db,
+
+ $include_file = 'libraries/plugins/transformations/' . $file;
+ if (file_exists($include_file)) {
+- include_once $include_file;
+-
+- $transform_options = PMA_Transformation_getOptions(
+- isset($transformation['transformation_options'])
+- ? $transformation['transformation_options']
+- : ''
+- );
+- $transform_options['wrapper_link']
+- = PMA_URL_getCommon($_url_params);
+ $class_name = str_replace('.class.php', '', $file);
+- $plugin_manager = null;
+- $transformation_plugin = new $class_name(
+- $plugin_manager
+- );
++ if (class_exists($class_name)) {
++
++ $transform_options = PMA_Transformation_getOptions(
++ isset($transformation['transformation_options'])
++ ? $transformation['transformation_options']
++ : ''
++ );
++ $transform_options['wrapper_link']
++ = PMA_URL_getCommon($_url_params);
++ $plugin_manager = null;
++ $transformation_plugin = new $class_name(
++ $plugin_manager
++ );
++ }
+ }
+
+ $extra_data['transformations'][$cell_index]
+--- a/libraries/transformations.lib.php
++++ b/libraries/transformations.lib.php
+@@ -145,9 +145,10 @@ function PMA_getTransformationDescriptio
+ $class_name = explode(".class.php", $file);
+ $class_name = $class_name[0];
+
+- // include and instantiate the class
+- include_once 'libraries/plugins/transformations/' . $file;
+- return $class_name::getInfo();
++ if (class_exists($class_name)) {
++ return $class_name::getInfo();
++ }
++ return ''
+ }
+
+ /**
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2018-19970.patch phpmyadmin-4.2.12/debian/patches/CVE-2018-19970.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2018-19970.patch 1969-12-31 21:00:00.000000000 -0300
+++ phpmyadmin-4.2.12/debian/patches/CVE-2018-19970.patch 2019-01-23 11:47:04.000000000 -0200
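Review bot: The transformations.lib.php hunk adds `return ''` with no terminating semicolon before the function's closing brace, which is a PHP parse error and would stop the file from loading at all; it should read `return '';`. Separately, all three inner hunks replace `include_once` with `class_exists($class_name)`, which only finds the plugin class if an autoloader covering libraries/plugins/transformations/ is registered; none is visible in this debdiff, and if 4.2.12 has none the guard is always false and every transformation is silently skipped, so this needs confirming on jessie before upload. In DisplayResults.class.php and insert_edit.lib.php the code that consumes `$transformation_plugin` lies outside the hunks, so it is worth checking that it tolerates the variable being left unset on the false branch. A comment above each guard such as `// class must come from the autoloader; never include a path built from $file` would record why the include was removed.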
@@ -0,0 +1,17 @@
+Description: Fix Stored Cross-Site Scripting (XSS) in navigation tree
+ Fixes CVE-2018-19970. This patch is based on upstream patch:
+ https://github.com/phpmyadmin/phpmyadmin/commit/b293ff5f234ef493336ed8638f623a12164d359e
+Author: Lucas Kanashiro <[email protected]>
+Last-Updated: 2019-01-23
+
+--- a/libraries/navigation/NavigationTree.class.php
++++ b/libraries/navigation/NavigationTree.class.php
+@@ -612,7 +612,7 @@ class PMA_NavigationTree
+ $groups = array();
+ foreach ($prefixes as $key => $value) {
+ $groups[$key] = new Node(
+- $key,
++ htmlspecialchars($key),
+ Node::CONTAINER,
+ true
+ );
diff -Nru phpmyadmin-4.2.12/debian/patches/series phpmyadmin-4.2.12/debian/patches/series
--- phpmyadmin-4.2.12/debian/patches/series 2018-03-04 02:27:49.000000000 -0300
+++ phpmyadmin-4.2.12/debian/patches/series 2019-01-23 11:47:04.000000000 -0200
@@ -32,3 +32,5 @@
 CVE-2016-6622.patch
 CVE-2016-9865.patch
 CVE-2017-18264.patch
+CVE-2018-19970.patch
+CVE-2018-19968.patch
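Review bot: `htmlspecialchars($key)` in the NavigationTree.class.php hunk relies on the default flags and charset, and on PHP releases before 8.1 the default (`ENT_COMPAT`) leaves single quotes unescaped; passing them explicitly, `htmlspecialchars($key, ENT_QUOTES, 'UTF-8'),`, makes the escaping independent of the runtime and still safe if the name ever lands in a single-quoted attribute. Where the Node name is rendered is outside this hunk, so it is also worth confirming that it is not escaped a second time at output, which would show literal entities to the user. Keeping the raw value as the array index in `$groups[$key]` looks right, since only the displayed name needs encoding. The foreach body continues past the end of the hunk.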
