Hi

> The target distribution should be 'stretch' for the stretch-pu upload.

Done


> It would also be worth adding "found" versions to
> the bugs for the 2020 CVEs, to make it clearer that they also apply to
> the stretch package.


Done, thank you for the suggestion


> Other than that, please go ahead.

Thank you


I uploaded the file to
https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-4+deb9u1.dsc


I also attached the debdiff to this email.


Regards,

William Desportes


diff -Nru phpmyadmin-4.6.6/debian/changelog phpmyadmin-4.6.6/debian/changelog
--- phpmyadmin-4.6.6/debian/changelog   2017-04-07 16:54:26.000000000 +0200
+++ phpmyadmin-4.6.6/debian/changelog   2020-03-22 17:07:57.000000000 +0100
@@ -1,3 +1,32 @@
+phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=high
+
+  * Team upload
+  * Several security fixes
+    - Cross-site scripting (XSS) vulnerability in db_central_columns.php
+      (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
+    - Remove transformation plugin includes
+      (PMASA-2018-6, CVE-2018-19968)
+    - Fix Stored Cross-Site Scripting (XSS) in navigation tree
+      (PMASA-2018-8, CVE-2018-19970)
+    - Fix information leak (arbitrary file read) using SQL queries
+      (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
+    - a specially crafted username can be used to trigger a SQL injection 
attack
+      (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
+    - SQL injection in Designer feature
+      (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
+    - CSRF vulnerability in login form
+      (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
+    - SQL injection, escape username in the query
+      (PMASA-2020-1, CVE-2020-5504, Closes: #948718)
+    - Add a patch to escape some parameters when changing passwords
+      (PMASA-2020-2, CVE-2020-10804, Closes: #954667)
+    - Add a patch to escape database and table name
+      (PMASA-2020-3, CVE-2020-10802, Closes: #954665)
+    - Add a patch to secure sql_query parameter
+      (PMASA-2020-4, CVE-2020-10803, Closes: #954666)
+
+ -- William Desportes <[email protected]>  Sun, 22 Mar 2020 17:07:57 +0100
+
 phpmyadmin (4:4.6.6-4) unstable; urgency=medium
 
   * Build depend on locales-all to ensure en_US.UTF-8 is available (see
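Review bot: The entries for PMASA-2018-6 (CVE-2018-19968) and PMASA-2018-8 (CVE-2018-19970) are the only ones in this changelog block without a Closes: tag; if Debian bugs exist for them, reference them so the upload closes them. The PMASA-2019-2 item also starts in lower case and describes the vulnerability rather than the fix, unlike its neighbours. The helper patch add-functions-for-CVE-2020-10803.patch is not mentioned anywhere; a sub-item under PMASA-2020-4 would make it traceable.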
diff -Nru 
phpmyadmin-4.6.6/debian/patches/add-functions-for-CVE-2020-10803.patch 
phpmyadmin-4.6.6/debian/patches/add-functions-for-CVE-2020-10803.patch
--- phpmyadmin-4.6.6/debian/patches/add-functions-for-CVE-2020-10803.patch      
1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/add-functions-for-CVE-2020-10803.patch      
2020-03-22 17:07:57.000000000 +0100
@@ -0,0 +1,58 @@
+From: William Desportes <[email protected]>
+Date: Sun, 22 Mar 2020 17:46:13 +0100
+Subject: Implement signSqlQuery and checkSqlQuerySignature for PMASA-2020-4
+
+Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-4/
+
+I imported both functions and kept the diff minimal
+
+Author: William Desportes <[email protected]>
+
+Origin: 
https://github.com/phpmyadmin/phpmyadmin/commit/4bf8bfcaa16dd90d7b36c2c3f5e2d36c7b249bd2
+Origin: https://github.com/phpmyadmin/phpmyadmin/pull/15325
+Origin: 
https://github.com/phpmyadmin/phpmyadmin/commit/80a7f0a75c72ec2b92216647ac66890ff58002f8
+Origin: 
https://github.com/phpmyadmin/phpmyadmin/commit/0da6ad6ff47eef5449a25eea7cc09a14bd3dfce5
+---
+ libraries/Util.php | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/libraries/Util.php b/libraries/Util.php
+index 9b6eba4..b0ae104 100644
+--- a/libraries/Util.php
++++ b/libraries/Util.php
+@@ -4980,5 +4980,35 @@ class Util
+         }
+         return trim((string)$value);
+     }
++
++    /**
++     * Sign the sql query using hmac using the session token
++     *
++     * @param string $sqlQuery The sql query
++     * @return void
++     */
++    public static function signSqlQuery($sqlQuery)
++    {
++        /** @var array $cfg */
++        global $cfg;
++        $secret = isset($_SESSION[' HMAC_secret ']) ? $_SESSION[' HMAC_secret 
'] : '';
++        return hash_hmac('sha256', $sqlQuery, $secret . 
$cfg['blowfish_secret']);
++    }
++
++    /**
++     * Check that the sql query has a valid hmac signature
++     *
++     * @param string $sqlQuery The sql query
++     * @return void
++     */
++    public static function checkSqlQuerySignature($sqlQuery, $signature)
++    {
++        /** @var array $cfg */
++        global $cfg;
++        $secret = isset($_SESSION[' HMAC_secret ']) ? $_SESSION[' HMAC_secret 
'] : '';
++        $hmac = hash_hmac('sha256', $sqlQuery, $secret . 
$cfg['blowfish_secret']);
++        return hash_equals($hmac, $signature);
++    }
++
+ }
+ 
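Review bot: In signSqlQuery() and checkSqlQuerySignature() the HMAC key is $secret . $cfg['blowfish_secret'], and $secret falls back to '' when $_SESSION[' HMAC_secret '] is not set. Nothing in the part of the debdiff shown here sets that session key, so unless 4.6.6 already populates it the key is only blowfish_secret, and an empty string if that is unset as well. Please confirm where ' HMAC_secret ' is initialised in this version, or backport that part too. The docblocks also need correcting: both say @return void while the functions return a string and a bool, and checkSqlQuerySignature() has no @param for $signature.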
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2018-19968.patch 
phpmyadmin-4.6.6/debian/patches/CVE-2018-19968.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2018-19968.patch        1970-01-01 
01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/CVE-2018-19968.patch        2020-03-22 
17:07:57.000000000 +0100
@@ -0,0 +1,239 @@
+Description: Remove transformation plugin includes
+ Tranformation plugins should be loaded by the autoloader.
+ Fixes CVE-2018-19968. This patch is based on upstream patch:
+ 
https://github.com/phpmyadmin/phpmyadmin/commit/6a1ba61e29002f0305a9322a8af4eaaeb11c0732
+Author: Lucas Kanashiro <[email protected]>, Matthias Blümel 
<[email protected]>
+Last-Updated: 2019-05-31
+
+--- a/libraries/insert_edit.lib.php
++++ b/libraries/insert_edit.lib.php
+@@ -2188,20 +2188,22 @@
+         $transform_options['wrapper_link']
+             = PMA_URL_getCommon($_url_params);
+         $class_name = PMA_getTransformationClassName($include_file);
+-        /** @var TransformationsPlugin $transformation_plugin */
+-        $transformation_plugin = new $class_name();
++        if (class_exists($class_name)) {
++            /** @var TransformationsPlugin $transformation_plugin */
++            $transformation_plugin = new $class_name();
+ 
+-        foreach ($edited_values as $cell_index => $curr_cell_edited_values) {
+-            if (isset($curr_cell_edited_values[$column_name])) {
+-                $edited_values[$cell_index][$column_name]
+-                    = $extra_data['transformations'][$cell_index]
++            foreach ($edited_values as $cell_index => 
$curr_cell_edited_values) {
++                if (isset($curr_cell_edited_values[$column_name])) {
++                    $edited_values[$cell_index][$column_name]
++                        = $extra_data['transformations'][$cell_index]
+                         = $transformation_plugin->applyTransformation(
+-                            $curr_cell_edited_values[$column_name],
+-                            $transform_options,
+-                            ''
+-                        );
+-            }
+-        }   // end of loop for each transformation cell
++                        $curr_cell_edited_values[$column_name],
++                        $transform_options,
++                        ''
++                    );
++                }
++            }   // end of loop for each transformation cell
++        }
+     }
+     return $extra_data;
+ }
+@@ -2888,35 +2890,36 @@
+         $file = $column_mime['input_transformation'];
+         $include_file = 'libraries/plugins/transformations/' . $file;
+         if (is_file($include_file)) {
+-            include_once $include_file;
+             $class_name = PMA_getTransformationClassName($include_file);
+-            $transformation_plugin = new $class_name();
+-            $transformation_options = PMA_Transformation_getOptions(
+-                $column_mime['input_transformation_options']
+-            );
+-            $_url_params = array(
+-                'db'            => $db,
+-                'table'         => $table,
+-                'transform_key' => $column['Field'],
+-                'where_clause'  => $where_clause
+-            );
+-            $transformation_options['wrapper_link']
+-                = PMA_URL_getCommon($_url_params);
+-            $current_value = '';
+-            if (isset($current_row[$column['Field']])) {
+-                $current_value = $current_row[$column['Field']];
+-            }
+-            if (method_exists($transformation_plugin, 'getInputHtml')) {
+-                $transformed_html = $transformation_plugin->getInputHtml(
+-                    $column, $row_id, $column_name_appendix,
+-                    $transformation_options, $current_value, $text_dir,
+-                    $tabindex, $tabindex_for_value, $idindex
++            if (class_exists($class_name)) {
++                $transformation_plugin = new $class_name();
++                $transformation_options = PMA_Transformation_getOptions(
++                    $column_mime['input_transformation_options']
+                 );
+-            }
+-            if (method_exists($transformation_plugin, 'getScripts')) {
+-                $GLOBALS['plugin_scripts'] = array_merge(
+-                    $GLOBALS['plugin_scripts'], 
$transformation_plugin->getScripts()
++                $_url_params = array(
++                    'db' => $db,
++                    'table' => $table,
++                    'transform_key' => $column['Field'],
++                    'where_clause' => $where_clause
+                 );
++                $transformation_options['wrapper_link']
++                    = PMA_URL_getCommon($_url_params);
++                $current_value = '';
++                if (isset($current_row[$column['Field']])) {
++                    $current_value = $current_row[$column['Field']];
++                }
++                if (method_exists($transformation_plugin, 'getInputHtml')) {
++                    $transformed_html = $transformation_plugin->getInputHtml(
++                        $column, $row_id, $column_name_appendix,
++                        $transformation_options, $current_value, $text_dir,
++                        $tabindex, $tabindex_for_value, $idindex
++                    );
++                }
++                if (method_exists($transformation_plugin, 'getScripts')) {
++                    $GLOBALS['plugin_scripts'] = array_merge(
++                        $GLOBALS['plugin_scripts'], 
$transformation_plugin->getScripts()
++                    );
++                }
+             }
+         }
+     }
+--- a/libraries/transformations.lib.php
++++ b/libraries/transformations.lib.php
+@@ -179,9 +179,10 @@
+     $include_file = 'libraries/plugins/transformations/' . $file;
+     /* @var $class_name PMA\libraries\plugins\TransformationsInterface */
+     $class_name = PMA_getTransformationClassName($include_file);
+-    // include and instantiate the class
+-    include_once $include_file;
+-    return $class_name::getInfo();
++    if (class_exists($class_name)) {
++        return $class_name::getInfo();
++    }
++    return '';
+ }
+ 
+ /**
+@@ -196,9 +197,10 @@
+     $include_file = 'libraries/plugins/transformations/' . $file;
+     /* @var $class_name PMA\libraries\plugins\TransformationsInterface */
+     $class_name = PMA_getTransformationClassName($include_file);
+-    // include and instantiate the class
+-    include_once $include_file;
+-    return $class_name::getName();
++    if (class_exists($class_name)) {
++        return $class_name::getInfo();
++    }
++    return '';
+ }
+ 
+ /**
+--- a/libraries/DisplayResults.php
++++ b/libraries/DisplayResults.php
+@@ -3049,28 +3049,29 @@
+ 
+                     if (file_exists($include_file)) {
+ 
+-                        include_once $include_file;
+                         $class_name = 
PMA_getTransformationClassName($include_file);
+-                        // todo add $plugin_manager
+-                        $plugin_manager = null;
+-                        $transformation_plugin = new $class_name(
+-                            $plugin_manager
+-                        );
++                        if (class_exists($class_name)) {
++                            // todo add $plugin_manager
++                            $plugin_manager = null;
++                            $transformation_plugin = new $class_name(
++                                $plugin_manager
++                            );
+ 
+-                        $transform_options  = PMA_Transformation_getOptions(
+-                            isset(
+-                                $mime_map[$orgFullColName]
++                            $transform_options = 
PMA_Transformation_getOptions(
++                                isset(
++                                    $mime_map[$orgFullColName]
++                                    ['transformation_options']
++                                )
++                                    ? $mime_map[$orgFullColName]
+                                 ['transformation_options']
+-                            )
+-                            ? $mime_map[$orgFullColName]
+-                            ['transformation_options']
+-                            : ''
+-                        );
++                                    : ''
++                            );
+ 
+-                        $meta->mimetype = str_replace(
+-                            '_', '/',
+-                            $mime_map[$orgFullColName]['mimetype']
+-                        );
++                            $meta->mimetype = str_replace(
++                                '_', '/',
++                                $mime_map[$orgFullColName]['mimetype']
++                            );
++                        }
+ 
+                     } // end if file_exists
+                 } // end if transformation is set
+--- a/tbl_replace.php
++++ b/tbl_replace.php
+@@ -217,28 +217,29 @@
+             $filename = 'libraries/plugins/transformations/'
+                 . $mime_map[$column_name]['input_transformation'];
+             if (is_file($filename)) {
+-                include_once $filename;
+                 $classname = PMA_getTransformationClassName($filename);
+-                /** @var IOTransformationsPlugin $transformation_plugin */
+-                $transformation_plugin = new $classname();
+-                $transformation_options = PMA_Transformation_getOptions(
+-                    $mime_map[$column_name]['input_transformation_options']
+-                );
+-                $current_value = $transformation_plugin->applyTransformation(
+-                    $current_value, $transformation_options
+-                );
+-                // check if transformation was successful or not
+-                // and accordingly set error messages & insert_fail
+-                if (method_exists($transformation_plugin, 'isSuccess')
+-                    && !$transformation_plugin->isSuccess()
+-                ) {
+-                    $insert_fail = true;
+-                    $row_skipped = true;
+-                    $insert_errors[] = sprintf(
+-                        __('Row: %1$s, Column: %2$s, Error: %3$s'),
+-                        $rownumber, $column_name,
+-                        $transformation_plugin->getError()
++                if (class_exists($classname)) {
++                    /** @var IOTransformationsPlugin $transformation_plugin */
++                    $transformation_plugin = new $classname();
++                    $transformation_options = PMA_Transformation_getOptions(
++                        
$mime_map[$column_name]['input_transformation_options']
+                     );
++                    $current_value = 
$transformation_plugin->applyTransformation(
++                        $current_value, $transformation_options
++                    );
++                    // check if transformation was successful or not
++                    // and accordingly set error messages & insert_fail
++                    if (method_exists($transformation_plugin, 'isSuccess')
++                        && !$transformation_plugin->isSuccess()
++                    ) {
++                        $insert_fail = true;
++                        $row_skipped = true;
++                        $insert_errors[] = sprintf(
++                            __('Row: %1$s, Column: %2$s, Error: %3$s'),
++                            $rownumber, $column_name,
++                            $transformation_plugin->getError()
++                        );
++                    }
+                 }
+             }
+         }
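Review bot: In the second libraries/transformations.lib.php hunk (@@ -196,9 +197,10 @@) the removed line is return $class_name::getName(); but the line added inside the class_exists() guard is return $class_name::getInfo();. That looks copied from the hunk above it and changes what this function returns; it should stay getName(). The Description also has a typo ("Tranformation").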
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2018-19970.patch 
phpmyadmin-4.6.6/debian/patches/CVE-2018-19970.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2018-19970.patch        1970-01-01 
01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/CVE-2018-19970.patch        2020-03-22 
17:07:57.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Fix Stored Cross-Site Scripting (XSS) in navigation tree
+ Fixes CVE-2018-19970. This patch is based on upstream patch:
+ 
https://github.com/phpmyadmin/phpmyadmin/commit/b293ff5f234ef493336ed8638f623a12164d359e
+Author: Lucas Kanashiro <[email protected]>, Matthias Blümel 
<[email protected]>
+Last-Updated: 2019-05-31
+
+--- a/libraries/navigation/NavigationTree.php
++++ b/libraries/navigation/NavigationTree.php
+@@ -761,7 +761,7 @@
+                 }
+ 
+                 $groups[$key] = new Node(
+-                    $key,
++                    htmlspecialchars($key),
+                     Node::CONTAINER,
+                     true
+                 );
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2018-7260.patch 
phpmyadmin-4.6.6/debian/patches/CVE-2018-7260.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2018-7260.patch 1970-01-01 
01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/CVE-2018-7260.patch 2020-03-22 
17:07:57.000000000 +0100
@@ -0,0 +1,20 @@
+Description: Cross-site scripting (XSS) vulnerability in 
db_central_columns.php in phpMyAdmin before 4.7.8 allows
+ remote authenticated users to inject arbitrary web script or HTML via a 
crafted URL.
+ Fixes CVE-2019-7260. This patch is based on upstream patch:
+ 
https://github.com/phpmyadmin/phpmyadmin/commit/d2886a3e8745e8845633ae8a0054b5ee4d8babd5
+Author: Matthias Blümel <[email protected]>
+Last-Updated: 2019-05-31
+
+--- a/db_central_columns.php
++++ b/db_central_columns.php
+@@ -87,7 +87,9 @@
+     parse_str($_POST['col_name'], $col_name);
+     $tmp_msg = PMA_deleteColumnsFromList($col_name['selected_fld'], false);
+ }
+-if (isset($_REQUEST['total_rows']) && $_REQUEST['total_rows']) {
++if (!empty($_REQUEST['total_rows'])
++    && PMA_isValid($_REQUEST['total_rows'], 'integer')
++) {
+     $total_rows = $_REQUEST['total_rows'];
+ } else {
+     $total_rows = PMA_getCentralColumnsCount($db);
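Review bot: The Description says "Fixes CVE-2019-7260", but the patch file name and the changelog entry both say CVE-2018-7260. Please correct the year in the patch header so the CVE can be found by searching the source package.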
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2019-11768.patch 
phpmyadmin-4.6.6/debian/patches/CVE-2019-11768.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2019-11768.patch        1970-01-01 
01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/CVE-2019-11768.patch        2020-03-22 
17:07:57.000000000 +0100
@@ -0,0 +1,21 @@
+Description: A vulnerability was reported where a specially crafted database 
name can be
+ used to trigger an SQL injection attack through the designer feature.
+ Fix CVE-2019-11768
+
+ This patch is based on upstream patches:
+ 
https://github.com/phpmyadmin/phpmyadmin/commit/c1ecafc38319e8f768c9259d4d580e42acd5ee86
+
+Author: Matthias Blümel <[email protected]>
+Last-Updated: 2019-06-05
+
+--- a/js/pmd/move.js
++++ b/js/pmd/move.js
+@@ -735,7 +735,7 @@
+ 
+         var $form = $('<form action="db_designer.php" method="post" 
name="save_page" id="save_page" class="ajax"></form>')
+             .append('<input type="hidden" name="server" value="' + server + 
'" />')
+-            .append('<input type="hidden" name="db" value="' + db + '" />')
++            .append($('<input type="hidden" name="db" />').val(db))
+             .append('<input type="hidden" name="token" value="' + token + '" 
/>')
+             .append('<input type="hidden" name="operation" value="savePage" 
/>')
+             .append('<input type="hidden" name="save_page" value="new" />')
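Review bot: Only the db field is switched to $('<input type="hidden" name="db" />').val(db); the server and token inputs directly above and below it are still built by concatenating the value into the HTML string. If that mirrors the upstream commit it is acceptable for a minimal backport, but please confirm; using .val() for those as well would be consistent. The Description calls this an SQL injection while the change is to how a form field is built in js/pmd/move.js, so a sentence linking the two would help the next reader.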
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2019-12616.patch 
phpmyadmin-4.6.6/debian/patches/CVE-2019-12616.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2019-12616.patch        1970-01-01 
01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/CVE-2019-12616.patch        2020-03-22 
17:07:57.000000000 +0100
@@ -0,0 +1,46 @@
+Description: A vulnerability was found that allows an attacker to trigger a 
CSRF attack against a phpMyAdmin user. The attacker can trick the user, for 
instance through a broken <img> tag pointing at the victim's phpMyAdmin 
database, and the attacker can potentially deliver a payload (such as a 
specific INSERT or DELETE statement) through the victim.
+
+ This patch is based on upstream patch:
+ 
https://github.com/phpmyadmin/phpmyadmin/commit/015c404038c44279d95b6430ee5a0dddc97691ec
+
+Author: Matthias Blümel <[email protected]>
+Last-Updated: 2019-06-05
+
+--- a/libraries/plugins/auth/AuthenticationCookie.php
++++ b/libraries/plugins/auth/AuthenticationCookie.php
+@@ -295,7 +295,7 @@
+         $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
+         $GLOBALS['from_cookie'] = false;
+ 
+-        if (! empty($_REQUEST['pma_username'])) {
++        if (! empty($_POST['pma_username'])) {
+ 
+             // Verify Captcha if it is required.
+             if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
+@@ -339,10 +339,10 @@
+             }
+ 
+             // The user just logged in
+-            $GLOBALS['PHP_AUTH_USER'] = 
PMA_sanitizeMySQLUser($_REQUEST['pma_username']);
+-            $GLOBALS['PHP_AUTH_PW']   = empty($_REQUEST['pma_password'])
++            $GLOBALS['PHP_AUTH_USER'] = 
PMA_sanitizeMySQLUser($_POST['pma_username']);
++            $GLOBALS['PHP_AUTH_PW']   = empty($_POST['pma_password'])
+                 ? ''
+-                : $_REQUEST['pma_password'];
++                : $_POST['pma_password'];
+             if ($GLOBALS['cfg']['AllowArbitraryServer']
+                 && isset($_REQUEST['pma_servername'])
+             ) {
+--- a/libraries/common.inc.php
++++ b/libraries/common.inc.php
+@@ -739,8 +739,8 @@
+                 . ' ' . $cfg['Server']['auth_type']
+             );
+         }
+-        if (isset($_REQUEST['pma_password']) && 
strlen($_REQUEST['pma_password']) > 256) {
+-            $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 
256);
++        if (isset($_POST['pma_password']) && strlen($_POST['pma_password']) > 
256) {
++            $_POST['pma_password'] = substr($_POST['pma_password'], 0, 256);
+         }
+         $fqnAuthClass = 'PMA\libraries\plugins\auth\\' . $auth_class;
+         // todo: add plugin manager
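Review bot: In the second AuthenticationCookie.php hunk, pma_username and pma_password now come from $_POST, but the context line isset($_REQUEST['pma_servername']) just below still reads $_REQUEST. Please check against the upstream commit whether that is intentional. The patch header also lacks the "Fix CVE-2019-12616" and PMASA-2019-4 references that the other patches carry.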
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2019-6798.patch 
phpmyadmin-4.6.6/debian/patches/CVE-2019-6798.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2019-6798.patch 1970-01-01 
01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/CVE-2019-6798.patch 2020-03-22 
17:07:57.000000000 +0100
@@ -0,0 +1,35 @@
+Description: An issue was discovered in phpMyAdmin before 4.8.5. A 
vulnerability was reported
+ where a specially crafted username can be used to trigger a SQL injection 
attack through the designer feature.
+ Fix CVE-2019-6798
+ https://www.phpmyadmin.net/security/PMASA-2019-2/
+
+ This patch is based on upstream patch:
+ 
https://github.com/phpmyadmin/phpmyadmin/commit/469934cf7d3bd19a839eb78670590f7511399435
+Author: Matthias Blümel <[email protected]>
+Last-Updated: 2019-05-31
+
+--- a/libraries/db_designer.lib.php
++++ b/libraries/db_designer.lib.php
+@@ -193,7 +193,8 @@
+             . PMA\libraries\Util::backquote($cfgRelation['db']) . '.'
+             . PMA\libraries\Util::backquote($cfgRelation['designer_settings'])
+             . ' WHERE ' . PMA\libraries\Util::backquote('username') . ' = "'
+-            . $GLOBALS['cfg']['Server']['user'] . '";';
++            . $GLOBALS['dbi']->escapeString($GLOBALS['cfg']['Server']['user'])
++            . '";';
+ 
+         $result = $GLOBALS['dbi']->fetchSingleRow($query);
+ 
+--- a/libraries/pmd_common.php
++++ b/libraries/pmd_common.php
+@@ -766,8 +766,8 @@
+                 . PMA\libraries\Util::backquote($cfgDesigner['db'])
+                 . "." . PMA\libraries\Util::backquote($cfgDesigner['table'])
+                 . " (username, settings_data)"
+-                . " VALUES('" . $cfgDesigner['user'] . "',"
+-                . " '" . json_encode($save_data) . "');";
++                . " VALUES('" . 
$GLOBALS['dbi']->escapeString($cfgDesigner['user'])
++                . "', '" . json_encode($save_data) . "');";
+ 
+             $success = PMA_queryAsControlUser($query);
+         }
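Review bot: In the libraries/pmd_common.php hunk the username is now passed through escapeString(), but json_encode($save_data) is still concatenated between single quotes in the same VALUES(...) list without escaping, and json_encode() does not escape single quotes by default. Passing it through $GLOBALS['dbi']->escapeString() as well would cover the whole statement; if upstream left it as is, a note in the header saying so would help.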
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2019-6799.patch 
phpmyadmin-4.6.6/debian/patches/CVE-2019-6799.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2019-6799.patch 1970-01-01 
01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/CVE-2019-6799.patch 2020-03-22 
17:07:57.000000000 +0100
@@ -0,0 +1,78 @@
+Description: Fix information leak (arbitrary file read) using SQL queries
+ Fix CVE-2019-6799
+ https://www.phpmyadmin.net/security/PMASA-2019-1/
+
+ This patch is based on upstream patches:
+ 
https://github.com/phpmyadmin/phpmyadmin/commit/c5e01f84ad48c5c626001cb92d7a95500920a900
+ 
https://github.com/phpmyadmin/phpmyadmin/commit/aeac90623e525057a7672ab3d98154b5c57c15ec
+ Avoid regression in 'Table > Import > Load CSV with LOAD DATA' by backporting:
+ 
https://github.com/phpmyadmin/phpmyadmin/commit/d02d61ada7c8e29753fd37440b511a1088efb060
+
+ Note: mitigated by /etc/phpmyadmin/apache.conf's open_basedir:
+ - php5-mysql: open_basedir fully disables LOAD DATA LOCAL INFILE;
+ - php5-mysqlnd: open_basedir is respected but some sensitive files
+   remain accessible, notably '/etc/phpmyadmin/config-db.php'.
+
+ Note: nothing to do with AllowArbitraryServer, works on local MySQL server as 
well.
+
+ Note: https://bugs.php.net/bug.php?id=77496 applies php5-mysqlnd but not 
php5-mysql.
+ Also phmymadmin 4.2.12 unconditionally enables LOCAL DATA LOCAL INFILE.
+
+Author: Sylvain Beucler <[email protected]>, Matthias Blümel 
<[email protected]>
+Last-Updated: 2019-05-31
+
+--- a/import.php
++++ b/import.php
+@@ -12,6 +12,11 @@
+     define('PMA_ENABLE_LDI', 1);
+ }
+ 
++/* Enable LOAD DATA LOCAL INFILE for LDI plugin */
++if (isset($_POST['format']) && $_POST['format'] == 'ldi') {
++    define('PMA_ENABLE_LDI', 1);
++}
++
+ /**
+  * Get the variables sent or posted to this script and a core script
+  */
+--- a/libraries/dbi/DBIMysql.php
++++ b/libraries/dbi/DBIMysql.php
+@@ -52,6 +52,10 @@
+     ) {
+         global $cfg;
+ 
++        if (ini_get('mysql.allow_local_infile')) {
++            PMA_fatalError(__('Please disable mysql.allow_local_infile in 
your PHP configuration or install the mysqli extension.'));
++        }
++
+         if (empty($client_flags)) {
+             if ($cfg['PersistentConnections'] || $persistent) {
+                 $link = @mysql_pconnect($server, $user, $password);
+--- a/libraries/dbi/DBIMysqli.php
++++ b/libraries/dbi/DBIMysqli.php
+@@ -137,12 +137,6 @@
+ 
+         $link = mysqli_init();
+ 
+-        if (defined('PMA_ENABLE_LDI')) {
+-            mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, true);
+-        } else {
+-            mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, false);
+-        }
+-
+         $client_flags = 0;
+ 
+         /* Optionally compress connection */
+@@ -224,6 +218,12 @@
+             return false;
+         }
+ 
++        if (defined('PMA_ENABLE_LDI')) {
++            mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, true);
++        } else {
++            mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, false);
++        }
++
+         return $link;
+     }
+ 
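Review bot: In the import.php hunk, the added block calls define('PMA_ENABLE_LDI', 1) directly below an existing define of the same constant. If the condition above it (not visible in the context) can hold for the same request, PHP will emit an "already defined" notice, so guard the new block with ! defined('PMA_ENABLE_LDI'). The header notes are carried over with the php5-mysql and php5-mysqlnd package names and contain the typos "phmymadmin" and "LOCAL DATA LOCAL INFILE"; they should be reviewed for the stretch upload.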
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2020-10802.patch 
phpmyadmin-4.6.6/debian/patches/CVE-2020-10802.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2020-10802.patch        1970-01-01 
01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/CVE-2020-10802.patch        2020-03-22 
17:07:57.000000000 +0100
@@ -0,0 +1,32 @@
+From: William Desportes <[email protected]>
+Date: Sun, 22 Mar 2020 16:57:32 +0100
+Subject: Patch for PMASA-2020-3, CVE-2020-10802
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2020-10802
+Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-3/
+
+Author: Maurício Meneghini Fauth <[email protected]>
+Origin: 
https://github.com/phpmyadmin/phpmyadmin/commit/a8acd7a42cf743186528b0453f90aaa32bfefabe
+Last-Update: 2020-03-22
+---
+ libraries/controllers/table/TableSearchController.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libraries/controllers/table/TableSearchController.php 
b/libraries/controllers/table/TableSearchController.php
+index 2166585..46c35c5 100644
+--- a/libraries/controllers/table/TableSearchController.php
++++ b/libraries/controllers/table/TableSearchController.php
+@@ -481,8 +481,8 @@ class TableSearchController extends TableController
+     public function getDataRowAction()
+     {
+         $extra_data = array();
+-        $row_info_query = 'SELECT * FROM `' . $_REQUEST['db'] . '`.`'
+-            . $_REQUEST['table'] . '` WHERE ' .  $_REQUEST['where_clause'];
++        $row_info_query = 'SELECT * FROM `' . 
Util::backquote($_REQUEST['db']) . '`.`'
++            . Util::backquote($_REQUEST['table']) . '` WHERE ' .  
$_REQUEST['where_clause'];
+         $result = $this->dbi->query(
+             $row_info_query . ";", null, DatabaseInterface::QUERY_STORE
+         );
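Review bot: In getDataRowAction(), Util::backquote() is wrapped around $_REQUEST['db'] and $_REQUEST['table'], but the literal backticks in the surrounding string pieces ('SELECT * FROM `', '`.`' and '` WHERE ') are kept. Elsewhere in this debdiff backquote() output is used without literal backticks, for example PMA\libraries\Util::backquote($cfgRelation['db']) . '.', so this will produce doubled backticks around both identifiers; drop the literals. Please also confirm that Util is imported in this file, since the other patches call it as PMA\libraries\Util, and state in the header how $_REQUEST['where_clause'], which is still appended unmodified, is handled.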
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2020-10803.patch 
phpmyadmin-4.6.6/debian/patches/CVE-2020-10803.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2020-10803.patch        1970-01-01 
01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/CVE-2020-10803.patch        2020-03-22 
17:07:57.000000000 +0100
@@ -0,0 +1,50 @@
+From: William Desportes <[email protected]>
+Date: Sun, 22 Mar 2020 17:41:53 +0100
+Subject: Patch for PMASA-2020-4, CVE-2020-10803
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2020-10803
+Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-4/
+
+Author: Maurício Meneghini Fauth <[email protected]>
+Origin: 
https://github.com/phpmyadmin/phpmyadmin/commit/6b9b2601d8af916659cde8aefd3a6eaadd10284a
+Last-Update: 2020-03-22
+---
+ libraries/DisplayResults.php | 2 ++
+ tbl_get_field.php            | 8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/libraries/DisplayResults.php b/libraries/DisplayResults.php
+index 1b8f27f..298219c 100644
+--- a/libraries/DisplayResults.php
++++ b/libraries/DisplayResults.php
+@@ -5316,6 +5316,8 @@ class DisplayResults
+             ) = $this->_getPartialText($result);
+         }
+ 
++        $url_params['where_clause_sign'] = 
Util::signSqlQuery($url_params['where_clause']);
++
+         /* Create link to download */
+ 
+         // in PHP < 5.5, empty() only checks variables
+diff --git a/tbl_get_field.php b/tbl_get_field.php
+index 95f8b67..9d3e918 100644
+--- a/tbl_get_field.php
++++ b/tbl_get_field.php
+@@ -33,6 +33,14 @@ if (!$GLOBALS['dbi']->getColumns($db, $table)) {
+     PMA\libraries\Util::mysqlDie(__('Invalid table name'));
+ }
+ 
++if (! isset($_GET['where_clause'])
++    || ! isset($_GET['where_clause_sign'])
++    || ! PMA\libraries\Util::checkSqlQuerySignature($_GET['where_clause'], 
$_GET['where_clause_sign'])
++) {
++    PMA_fatalError(__('There is an issue with your request.'));
++    exit;
++}
++
+ /* Grab data */
+ $sql = 'SELECT ' . PMA\libraries\Util::backquote($_GET['transform_key'])
+     . ' FROM ' . PMA\libraries\Util::backquote($table)
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2020-10804.patch 
phpmyadmin-4.6.6/debian/patches/CVE-2020-10804.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2020-10804.patch        1970-01-01 
01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/CVE-2020-10804.patch        2020-03-22 
17:07:57.000000000 +0100
@@ -0,0 +1,109 @@
+From: William Desportes <[email protected]>
+Date: Sun, 22 Mar 2020 18:16:43 +0100
+Subject: Patch for PMASA-2020-2, CVE-2020-10804
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2020-10804
+Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-2/
+
+Author: Maurício Meneghini Fauth <[email protected]>
+Origin: 
https://github.com/phpmyadmin/phpmyadmin/commit/89fbcd7c39e6b3979cdb2f64aa4cd5f4db27eaad
+Origin: 
https://github.com/phpmyadmin/phpmyadmin/commit/3258978c38bee8cb4b99f249dffac9c8aaea2d80
+
+Last-Update: 2020-03-22
+---
+ libraries/server_privileges.lib.php | 22 ++++++++++++++--------
+ user_password.php                   | 10 ++++++----
+ 2 files changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/libraries/server_privileges.lib.php 
b/libraries/server_privileges.lib.php
+index 5ea083b..314d11c 100644
+--- a/libraries/server_privileges.lib.php
++++ b/libraries/server_privileges.lib.php
+@@ -1935,8 +1935,11 @@ function PMA_getCurrentAuthenticationPlugin(
+         && $mode == 'change'
+     ) {
+         $row = $GLOBALS['dbi']->fetchSingleRow(
+-            'SELECT `plugin` FROM `mysql`.`user` WHERE '
+-            . '`User` = "' . $username . '" AND `Host` = "' . $hostname . '" 
LIMIT 1'
++            'SELECT `plugin` FROM `mysql`.`user` WHERE `User` = "'
++            . $GLOBALS['dbi']->escapeString($username)
++            . '" AND `Host` = "'
++            . $GLOBALS['dbi']->escapeString($hostname)
++            . '" LIMIT 1'
+         );
+         // Table 'mysql'.'user' may not exist for some previous
+         // versions of MySQL - in that case consider fallback value
+@@ -1952,8 +1955,11 @@ function PMA_getCurrentAuthenticationPlugin(
+         }
+ 
+         $row = $GLOBALS['dbi']->fetchSingleRow(
+-            'SELECT `plugin` FROM `mysql`.`user` WHERE '
+-            . '`User` = "' . $username . '" AND `Host` = "' . $hostname . '"'
++            'SELECT `plugin` FROM `mysql`.`user` WHERE `User` = "'
++            . $GLOBALS['dbi']->escapeString($username)
++            . '" AND `Host` = "'
++            . $GLOBALS['dbi']->escapeString($hostname)
++            . '"'
+         );
+         if (isset($row) && $row && ! empty($row['plugin'])) {
+             $authentication_plugin = $row['plugin'];
+@@ -2083,8 +2089,8 @@ function PMA_updatePassword($err_url, $username, 
$hostname)
+                 . " `authentication_string` = '" . $hashedPassword
+                 . "', `Password` = '', "
+                 . " `plugin` = '" . $authentication_plugin . "'"
+-                . " WHERE `User` = '" . $username . "' AND Host = '"
+-                . $hostname . "';";
++                . " WHERE `User` = '" . 
$GLOBALS['dbi']->escapeString($username)
++                . "' AND Host = '" . $GLOBALS['dbi']->escapeString($hostname) 
. "';";
+         } else {
+             // USE 'SET PASSWORD ...' syntax for rest of the versions
+             // Backup the old value, to be reset later
+@@ -2094,8 +2100,8 @@ function PMA_updatePassword($err_url, $username, 
$hostname)
+             $orig_value = $row['@@old_passwords'];
+             $update_plugin_query = "UPDATE `mysql`.`user` SET"
+                 . " `plugin` = '" . $authentication_plugin . "'"
+-                . " WHERE `User` = '" . $username . "' AND Host = '"
+-                . $hostname . "';";
++                . " WHERE `User` = '" . 
$GLOBALS['dbi']->escapeString($username)
++                . "' AND Host = '" . $GLOBALS['dbi']->escapeString($hostname) 
. "';";
+ 
+             // Update the plugin for the user
+             if (!($GLOBALS['dbi']->tryQuery($update_plugin_query))) {
+diff --git a/user_password.php b/user_password.php
+index d2063e5..b879b96 100644
+--- a/user_password.php
++++ b/user_password.php
+@@ -165,7 +165,8 @@ function PMA_changePassword($password, $message, 
$change_password_message)
+     if ($serverType == 'MySQL'
+         && PMA_MYSQL_INT_VERSION >= 50706
+     ) {
+-        $sql_query = 'ALTER USER \'' . $username . '\'@\'' . $hostname
++        $sql_query = 'ALTER USER \'' . 
$GLOBALS['dbi']->escapeString($username)
++            . '\'@\'' . $GLOBALS['dbi']->escapeString($hostname)
+             . '\' IDENTIFIED WITH ' . $orig_auth_plugin . ' BY '
+             . (($password == '') ? '\'\'' : '\'***\'');
+     } else if (($serverType == 'MySQL'
+@@ -232,7 +233,8 @@ function PMA_changePassUrlParamsAndSubmitQuery(
+     $serverType = PMA\libraries\Util::getServerType();
+ 
+     if ($serverType == 'MySQL' && PMA_MYSQL_INT_VERSION >= 50706) {
+-        $local_query = 'ALTER USER \'' . $username . '\'@\'' . $hostname . 
'\''
++        $local_query = 'ALTER USER \'' . 
$GLOBALS['dbi']->escapeString($username)
++            . '\'@\'' . $GLOBALS['dbi']->escapeString($hostname) . '\''
+             . ' IDENTIFIED with ' . $orig_auth_plugin . ' BY '
+             . (($password == '')
+             ? '\'\''
+@@ -258,8 +260,8 @@ function PMA_changePassUrlParamsAndSubmitQuery(
+             . " `authentication_string` = '" . $hashedPassword
+             . "', `Password` = '', "
+             . " `plugin` = '" . $orig_auth_plugin . "'"
+-            . " WHERE `User` = '" . $username . "' AND Host = '"
+-            . $hostname . "';";
++            . " WHERE `User` = '" . $GLOBALS['dbi']->escapeString($username)
++            . "' AND Host = '" . $GLOBALS['dbi']->escapeString($hostname) . 
"';";
+     } else {
+         $local_query = 'SET password = ' . (($password == '')
+             ? '\'\''
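Review bot: the PMA_updatePassword and PMA_changePassword hunks escape `$username` and `$hostname`, but `$authentication_plugin`, `$orig_auth_plugin` and `$hashedPassword` are still concatenated unescaped into the same statements (for example `" `plugin` = '" . $authentication_plugin . "'"` and `'\' IDENTIFIED WITH ' . $orig_auth_plugin`). Please confirm that none of these can carry request data, or escape or whitelist them in this patch as well. Each touched statement now calls `$GLOBALS['dbi']->escapeString()` twice inline; escaping `$username` and `$hostname` once at the top of each function would make it harder for a later query in the same function to miss the call. The header lists two Origin commits without saying which hunks come from which, which makes the backport harder to compare against upstream.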
diff -Nru phpmyadmin-4.6.6/debian/patches/CVE-2020-5504.patch 
phpmyadmin-4.6.6/debian/patches/CVE-2020-5504.patch
--- phpmyadmin-4.6.6/debian/patches/CVE-2020-5504.patch 1970-01-01 
01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/CVE-2020-5504.patch 2020-03-22 
17:07:57.000000000 +0100
@@ -0,0 +1,25 @@
+From: William Desportes <[email protected]>
+Date: Sat, 11 Jan 2020 23:27:29 +0100
+Subject: Patch for PMASA-2020-1, CVE-2020-5504
+
+Fix CVE-2020-5504
+
+Author: William Desportes <[email protected]>
+Origin: https://gist.github.com/ibennetch/4c1b701f4b766e4dd5556e8e26200b6b
+---
+ libraries/server_privileges.lib.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/server_privileges.lib.php 
b/libraries/server_privileges.lib.php
+index 48acff0..5ea083b 100644
+--- a/libraries/server_privileges.lib.php
++++ b/libraries/server_privileges.lib.php
+@@ -3144,7 +3144,7 @@ function PMA_getExtraDataForAjaxBehavior(
+ 
+     if (isset($_REQUEST['validate_username'])) {
+         $sql_query = "SELECT * FROM `mysql`.`user` WHERE `User` = '"
+-            . $_REQUEST['username'] . "';";
++            . $GLOBALS['dbi']->escapeString($_REQUEST['username']) . "';";
+         $res = $GLOBALS['dbi']->query($sql_query);
+         $row = $GLOBALS['dbi']->fetchRow($res);
+         if (empty($row)) {
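Review bot: in PMA_getExtraDataForAjaxBehavior only `validate_username` is tested with `isset()`, yet the changed line reads `$_REQUEST['username']`; a request that sets `validate_username` without `username` passes an undefined value to `escapeString()`. Adding `&& isset($_REQUEST['username'])` to the condition would close that. The patch header also lacks the `Bug-Upstream:` and `Last-Update:` lines carried by the CVE-2020-10803 and CVE-2020-10804 patches, and it names William Desportes as Author while the Origin is a gist under another account, so the attribution is worth double-checking.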
diff -Nru phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2019-12616.patch 
phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2019-12616.patch
--- phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2019-12616.patch  
1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2019-12616.patch  
2020-03-22 17:07:57.000000000 +0100
@@ -0,0 +1,33 @@
+From: William Desportes <[email protected]>
+Date: Sun, 22 Mar 2020 17:27:35 +0100
+Subject: Fix tests for CVE-2019-12616
+
+---
+ test/classes/plugin/auth/AuthenticationCookieTest.php | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/test/classes/plugin/auth/AuthenticationCookieTest.php 
b/test/classes/plugin/auth/AuthenticationCookieTest.php
+index b8f3fd4..b8af26b 100644
+--- a/test/classes/plugin/auth/AuthenticationCookieTest.php
++++ b/test/classes/plugin/auth/AuthenticationCookieTest.php
+@@ -414,7 +414,7 @@ class AuthenticationCookieTest extends PMATestCase
+         $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
+         $GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
+         $_POST["g-recaptcha-response"] = '';
+-        $_REQUEST['pma_username'] = 'testPMAUser';
++        $_POST['pma_username'] = 'testPMAUser';
+ 
+         $this->assertFalse(
+             $this->object->authCheck()
+@@ -522,9 +522,9 @@ class AuthenticationCookieTest extends PMATestCase
+         $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
+         $GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
+         $_REQUEST['old_usr'] = '';
+-        $_REQUEST['pma_username'] = 'testPMAUser';
++        $_POST['pma_username'] = 'testPMAUser';
+         $_REQUEST['pma_servername'] = 'testPMAServer';
+-        $_REQUEST['pma_password'] = 'testPMAPSWD';
++        $_POST['pma_password'] = 'testPMAPSWD';
+         $GLOBALS['cfg']['AllowArbitraryServer'] = true;
+ 
+         $this->assertTrue(
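Review bot: in the second hunk `pma_username` and `pma_password` move to `$_POST`, but `$_REQUEST['old_usr']` and `$_REQUEST['pma_servername']` in the same block stay on `$_REQUEST`. If the CVE-2019-12616 change made the login code read all credentials from `$_POST`, these two lines no longer exercise the path under test; if the code still reads them from `$_REQUEST`, a one-line note in the description would make that clear. The patch has no description at all below the Subject, so a sentence explaining why the superglobal changed (and an Origin or Forwarded field) would help future maintainers.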
diff -Nru phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2020-10803.patch 
phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2020-10803.patch
--- phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2020-10803.patch  
1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.6.6/debian/patches/fix-tests-for-CVE-2020-10803.patch  
2020-03-22 17:07:57.000000000 +0100
@@ -0,0 +1,111 @@
+From: William Desportes <[email protected]>
+Date: Sun, 22 Mar 2020 18:02:05 +0100
+Subject: Patch for PMASA-2020-4, CVE-2020-10803
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Fix CVE-2020-10803
+Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-4/
+
+Author: Maurício Meneghini Fauth <[email protected]>
+Origin: 
https://github.com/phpmyadmin/phpmyadmin/commit/46a7aa7cd4ff2be0eeb23721fbf71567bebe69a5
+Last-Update: 2020-03-22
+---
+ test/classes/DisplayResultsTest.php | 27 +++++++++------------------
+ 1 file changed, 9 insertions(+), 18 deletions(-)
+
+diff --git a/test/classes/DisplayResultsTest.php 
b/test/classes/DisplayResultsTest.php
+index 26a0184..3821826 100644
+--- a/test/classes/DisplayResultsTest.php
++++ b/test/classes/DisplayResultsTest.php
+@@ -43,6 +43,7 @@ class DisplayResultsTest extends PMATestCase
+         $GLOBALS['PMA_Config']->enableBc();
+         $GLOBALS['text_dir'] = 'ltr';
+         $GLOBALS['collation_connection'] = 'utf-8';
++        $_SESSION[' HMAC_secret '] = 'test';
+ 
+         $dbi = $this->getMockBuilder('PMA\libraries\DatabaseInterface')
+             ->disableOriginalConstructor()
+@@ -1326,7 +1327,7 @@ class DisplayResultsTest extends PMATestCase
+         $meta = new StdClass();
+         $meta->type = 'BLOB';
+         $meta->orgtable = 'bar';
+-        $url_params = array('db' => 'foo', 'table' => 'bar');
++        $url_params = array('db' => 'foo', 'table' => 'bar', 'where_clause' 
=> 'where_clause');
+ 
+         return array(
+             array(
+@@ -1340,9 +1341,7 @@ class DisplayResultsTest extends PMATestCase
+                 $meta,
+                 $url_params,
+                 null,
+-                '<a href="tbl_get_field.php?db=foo&amp;table=bar&amp;server=0'
+-                . '&amp;lang=en&amp;collation_connection=utf-8'
+-                . '&amp;token=token" class="disableAjax">1001</a>'
++                'class="disableAjax">1001</a>'
+             ),
+             array(
+                 true,
+@@ -1355,9 +1354,7 @@ class DisplayResultsTest extends PMATestCase
+                 $meta,
+                 $url_params,
+                 null,
+-                '<a href="tbl_get_field.php?db=foo&amp;table=bar&amp;server=0'
+-                . '&amp;lang=en&amp;collation_connection=utf-8'
+-                . '&amp;token=token" class="disableAjax">0x123456</a>'
++                'class="disableAjax">0x123456</a>'
+             ),
+             array(
+                 true,
+@@ -1370,9 +1367,7 @@ class DisplayResultsTest extends PMATestCase
+                 $meta,
+                 $url_params,
+                 null,
+-                '<a href="tbl_get_field.php?db=foo&amp;table=bar&amp;server=0'
+-                . '&amp;lang=en&amp;collation_connection=utf-8'
+-                . '&amp;token=token" class="disableAjax">[BLOB - 4 B]</a>'
++                'class="disableAjax">[BLOB - 4 B]</a>'
+             ),
+             array(
+                 false,
+@@ -1434,7 +1429,7 @@ class DisplayResultsTest extends PMATestCase
+         $_SESSION['tmpval']['display_binary'] = $display_binary;
+         $_SESSION['tmpval']['display_blob'] = $display_blob;
+         $GLOBALS['cfg']['LimitChars'] = 50;
+-        $this->assertEquals(
++        $this->assertContains(
+             $output,
+             $this->_callPrivateFunction(
+                 '_handleNonPrintableContents',
+@@ -1474,7 +1469,7 @@ class DisplayResultsTest extends PMATestCase
+         $meta2->decimals = 0;
+         $meta2->name = 'varchar';
+         $meta2->orgname = 'varchar';
+-        $url_params = array('db' => 'foo', 'table' => 'tbl');
++        $url_params = array('db' => 'foo', 'table' => 'tbl', 'where_clause' 
=> 'where_clause');
+ 
+         return array(
+             array(
+@@ -1492,11 +1487,7 @@ class DisplayResultsTest extends PMATestCase
+                 array(),
+                 0,
+                 'binary',
+-                '<td class="left   hex"><a href="tbl_get_field.php?'
+-                . 'db=foo&amp;table=tbl&amp;server=0&amp;lang=en'
+-                . '&amp;collation_connection=utf-8'
+-                . '&amp;token=token" '
+-                . 'class="disableAjax">[BLOB - 4 B]</a></td>'
++                'class="disableAjax">[BLOB - 4 B]</a>'
+             ),
+             array(
+                 'noblob',
+@@ -1593,7 +1584,7 @@ class DisplayResultsTest extends PMATestCase
+         $_SESSION['tmpval']['relational_display'] = false;
+         $GLOBALS['cfg']['LimitChars'] = 50;
+         $GLOBALS['cfg']['ProtectBinary'] = $protectBinary;
+-        $this->assertEquals(
++        $this->assertContains(
+             $output,
+             $this->_callPrivateFunction(
+                 '_getDataCellForNonNumericColumns',
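Review bot: switching `assertEquals` to `assertContains` with the expected value cut down to `'class="disableAjax">1001</a>'` (and the same for the other provider rows) means the tests no longer check the `href` at all, so they would still pass if the link lost its `where_clause_sign` parameter, which is the behaviour this CVE fix introduces. Since `$_SESSION[' HMAC_secret ']` is now fixed to `'test'` in setUp, the signature is deterministic and the expected URL could be kept, or at minimum a second assertion could check that the output contains `where_clause_sign=`. In the last provider row the `<td class="left   hex">` wrapper is dropped from the expectation too. The Subject line is identical to that of CVE-2020-10803.patch although this patch only touches tests; something like "Fix tests for CVE-2020-10803", matching the file name, would avoid confusion in the patch queue.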
diff -Nru phpmyadmin-4.6.6/debian/patches/series 
phpmyadmin-4.6.6/debian/patches/series
--- phpmyadmin-4.6.6/debian/patches/series      2017-04-07 16:33:36.000000000 
+0200
+++ phpmyadmin-4.6.6/debian/patches/series      2020-03-22 17:07:57.000000000 
+0100
@@ -1,2 +1,16 @@
 Truncate-only-long-passwords.patch
 debian.patch
+CVE-2018-7260.patch
+CVE-2018-19968.patch
+CVE-2018-19970.patch
+CVE-2019-6798.patch
+CVE-2019-6799.patch
+CVE-2019-11768.patch
+CVE-2019-12616.patch
+CVE-2020-5504.patch
+CVE-2020-10802.patch
+fix-tests-for-CVE-2019-12616.patch
+CVE-2020-10803.patch
+add-functions-for-CVE-2020-10803.patch
+fix-tests-for-CVE-2020-10803.patch
+CVE-2020-10804.patch
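Review bot: `CVE-2020-10803.patch` is listed before `add-functions-for-CVE-2020-10803.patch`, yet it already calls `Util::signSqlQuery()` and `Util::checkSqlQuerySignature()`. If the add-functions patch is the one that introduces those methods, swapping the two entries would keep the tree consistent at every step of the series, which matters when someone applies the queue partially to bisect. `fix-tests-for-CVE-2019-12616.patch` also sits three entries after `CVE-2019-12616.patch`; placing it directly after the patch it fixes tests for would make the pairing obvious.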