Hi,

I uploaded version 4.2.12-2+deb8u4 of phpmyadmin to:

https://people.debian.org/~kanashiro/jessie_lts/phpmyadmin/

It has patches fixing CVE-2018-19968 and CVE-2018-19970. I did not have
the time to determine whether jessie is affected by CVE-2018-19969
(requested by sunweaver), I did some superficial investigation with no
confirmation yet. This month I'll not have enough time to continue the
investigation.

I'd appreciate some review and testing, specially related to
CVE-2018-19968, the debdiff is attached if it helps.

Thanks in advance!

-- 
Lucas Kanashiro

diff -Nru phpmyadmin-4.2.12/debian/changelog phpmyadmin-4.2.12/debian/changelog
--- phpmyadmin-4.2.12/debian/changelog  2018-03-04 02:27:49.000000000 -0300
+++ phpmyadmin-4.2.12/debian/changelog  2019-01-23 11:47:22.000000000 -0200
@@ -1,3 +1,11 @@
+phpmyadmin (4:4.2.12-2+deb8u4) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS team.
+  * Fix CVE-2018-19968: Local file inclusion through transformation feature.
+  * Fix CVE-2018-19970: XSS vulnerability in the navigation tree.
+
+ -- Lucas Kanashiro <kanash...@debian.org>  Wed, 23 Jan 2019 11:14:59 -0200
+
 phpmyadmin (4:4.2.12-2+deb8u3) jessie-security; urgency=high
 
   * Non-maintainer upload by the Debian LTS Team.
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2018-19968.patch 
phpmyadmin-4.2.12/debian/patches/CVE-2018-19968.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2018-19968.patch       1969-12-31 
21:00:00.000000000 -0300
+++ phpmyadmin-4.2.12/debian/patches/CVE-2018-19968.patch       2019-01-23 
11:47:00.000000000 -0200
@@ -0,0 +1,108 @@
+Description: Remove transformation plugin includes
+ Tranformation plugins should be loaded by the autoloader.
+ Fixes CVE-2018-19968. This patch is based on upstream patch:
+ 
https://github.com/phpmyadmin/phpmyadmin/commit/6a1ba61e29002f0305a9322a8af4eaaeb11c0732
+Author: Lucas Kanashiro <kanash...@debian.org>
+Last-Updated: 2019-01-23
+
+--- a/libraries/DisplayResults.class.php
++++ b/libraries/DisplayResults.class.php
+@@ -2894,27 +2894,28 @@ class PMA_DisplayResults
+ 
+                     if (file_exists($include_file)) {
+ 
+-                        include_once $include_file;
+                         $class_name = str_replace('.class.php', '', $file);
+-                        // todo add $plugin_manager
+-                        $plugin_manager = null;
+-                        $transformation_plugin = new $class_name(
+-                            $plugin_manager
+-                        );
++                        if (class_exists($class_name)) {
++                            // todo add $plugin_manager
++                            $plugin_manager = null;
++                            $transformation_plugin = new $class_name(
++                                $plugin_manager
++                            );
+ 
+-                        $transform_options  = PMA_Transformation_getOptions(
+-                            isset($mime_map[$meta->name]
++                            $transform_options  = 
PMA_Transformation_getOptions(
++                                isset($mime_map[$meta->name]
++                                    ['transformation_options']
++                                )
++                                ? $mime_map[$meta->name]
+                                 ['transformation_options']
+-                            )
+-                            ? $mime_map[$meta->name]
+-                            ['transformation_options']
+-                            : ''
+-                        );
++                                : ''
++                            );
+ 
+-                        $meta->mimetype = str_replace(
+-                            '_', '/',
+-                            $mime_map[$meta->name]['mimetype']
+-                        );
++                            $meta->mimetype = str_replace(
++                                '_', '/',
++                                $mime_map[$meta->name]['mimetype']
++                            );
++                        }
+ 
+                     } // end if file_exists
+                 } // end if transformation is set
+--- a/libraries/insert_edit.lib.php
++++ b/libraries/insert_edit.lib.php
+@@ -2151,20 +2151,21 @@ function PMA_transformEditedValues($db,
+ 
+             $include_file = 'libraries/plugins/transformations/' . $file;
+             if (file_exists($include_file)) {
+-                include_once $include_file;
+-
+-                $transform_options  = PMA_Transformation_getOptions(
+-                    isset($transformation['transformation_options'])
+-                    ? $transformation['transformation_options']
+-                    : ''
+-                );
+-                $transform_options['wrapper_link']
+-                    = PMA_URL_getCommon($_url_params);
+                 $class_name = str_replace('.class.php', '', $file);
+-                $plugin_manager = null;
+-                $transformation_plugin = new $class_name(
+-                    $plugin_manager
+-                );
++                if (class_exists($class_name)) {
++
++                    $transform_options  = PMA_Transformation_getOptions(
++                        isset($transformation['transformation_options'])
++                        ? $transformation['transformation_options']
++                        : ''
++                    );
++                    $transform_options['wrapper_link']
++                        = PMA_URL_getCommon($_url_params);
++                    $plugin_manager = null;
++                    $transformation_plugin = new $class_name(
++                        $plugin_manager
++                    );
++                }
+             }
+ 
+             $extra_data['transformations'][$cell_index]
+--- a/libraries/transformations.lib.php
++++ b/libraries/transformations.lib.php
+@@ -145,9 +145,10 @@ function PMA_getTransformationDescriptio
+     $class_name = explode(".class.php", $file);
+     $class_name = $class_name[0];
+ 
+-    // include and instantiate the class
+-    include_once 'libraries/plugins/transformations/' . $file;
+-    return $class_name::getInfo();
++    if (class_exists($class_name)) {
++        return $class_name::getInfo();
++    }
++    return ''
+ }
+ 
+ /**
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2018-19970.patch 
phpmyadmin-4.2.12/debian/patches/CVE-2018-19970.patch
--- phpmyadmin-4.2.12/debian/patches/CVE-2018-19970.patch       1969-12-31 
21:00:00.000000000 -0300
+++ phpmyadmin-4.2.12/debian/patches/CVE-2018-19970.patch       2019-01-23 
11:47:04.000000000 -0200
@@ -0,0 +1,17 @@
+Description: Fix Stored Cross-Site Scripting (XSS) in navigation tree
+ Fixes CVE-2018-19970. This patch is based on upstream patch:
+ 
https://github.com/phpmyadmin/phpmyadmin/commit/b293ff5f234ef493336ed8638f623a12164d359e
+Author: Lucas Kanashiro <kanash...@debian.org>
+Last-Updated: 2019-01-23
+
+--- a/libraries/navigation/NavigationTree.class.php
++++ b/libraries/navigation/NavigationTree.class.php
+@@ -612,7 +612,7 @@ class PMA_NavigationTree
+             $groups = array();
+             foreach ($prefixes as $key => $value) {
+                 $groups[$key] = new Node(
+-                    $key,
++                    htmlspecialchars($key),
+                     Node::CONTAINER,
+                     true
+                 );
diff -Nru phpmyadmin-4.2.12/debian/patches/series 
phpmyadmin-4.2.12/debian/patches/series
--- phpmyadmin-4.2.12/debian/patches/series     2018-03-04 02:27:49.000000000 
-0300
+++ phpmyadmin-4.2.12/debian/patches/series     2019-01-23 11:47:04.000000000 
-0200
@@ -32,3 +32,5 @@
 CVE-2016-6622.patch
 CVE-2016-9865.patch
 CVE-2017-18264.patch
+CVE-2018-19970.patch
+CVE-2018-19968.patch

Reply via email to