Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: phpMyAdmin Packaging Team <team+phpmyad...@tracker.debian.org>, 
secur...@debian.org

  * CVE-2025-24529: XSS on Insert page
  * CVE-2025-24530: XSS when checking tables
diffstat for phpmyadmin-5.2.1+dfsg phpmyadmin-5.2.1+dfsg

 changelog                                                        |    8 +
 patches/0001-Fix-XSS-vulnerability-on-Insert-page.patch          |   79 
++++++++++
 patches/0002-Fix-unescaped-table-name-when-checking-tables.patch |   37 ++++
 patches/series                                                   |    2 
 4 files changed, 126 insertions(+)

diff -Nru phpmyadmin-5.2.1+dfsg/debian/changelog 
phpmyadmin-5.2.1+dfsg/debian/changelog
--- phpmyadmin-5.2.1+dfsg/debian/changelog      2023-02-08 14:57:42.000000000 
+0200
+++ phpmyadmin-5.2.1+dfsg/debian/changelog      2025-04-08 18:25:51.000000000 
+0300
@@ -1,3 +1,11 @@
+phpmyadmin (4:5.2.1+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-24529: XSS on Insert page
+  * CVE-2025-24530: XSS when checking tables
+
+ -- Adrian Bunk <b...@debian.org>  Tue, 08 Apr 2025 18:25:51 +0300
+
 phpmyadmin (4:5.2.1+dfsg-1) unstable; urgency=medium
 
   * Add a d/pkg-php-tools-overrides to force the PHP 8.0 polyfill dep
diff -Nru 
phpmyadmin-5.2.1+dfsg/debian/patches/0001-Fix-XSS-vulnerability-on-Insert-page.patch
 
phpmyadmin-5.2.1+dfsg/debian/patches/0001-Fix-XSS-vulnerability-on-Insert-page.patch
--- 
phpmyadmin-5.2.1+dfsg/debian/patches/0001-Fix-XSS-vulnerability-on-Insert-page.patch
        1970-01-01 02:00:00.000000000 +0200
+++ 
phpmyadmin-5.2.1+dfsg/debian/patches/0001-Fix-XSS-vulnerability-on-Insert-page.patch
        2025-04-08 16:15:24.000000000 +0300
@@ -0,0 +1,79 @@
+From 8ee84b67eca8a8178fec498188d968d95212e932 Mon Sep 17 00:00:00 2001
+From: Maurício Meneghini Fauth <mauri...@mfauth.net>
+Date: Sun, 12 Jan 2025 22:39:06 -0300
+Subject: Fix XSS vulnerability on Insert page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Maurício Meneghini Fauth <mauri...@mfauth.net>
+---
+ libraries/classes/InsertEdit.php |  4 ++--
+ psalm-baseline.xml               |  2 +-
+ test/classes/InsertEditTest.php  | 14 ++++++++++++--
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/libraries/classes/InsertEdit.php 
b/libraries/classes/InsertEdit.php
+index 3e6ab3e411..72971c0b88 100644
+--- a/libraries/classes/InsertEdit.php
++++ b/libraries/classes/InsertEdit.php
+@@ -1124,8 +1124,8 @@ private function 
getSpecialCharsAndBackupFieldForInsertingMode(
+         } elseif ($trueType === 'binary' || $trueType === 'varbinary') {
+             $specialChars = bin2hex($column['Default']);
+         } elseif (substr($trueType, -4) === 'text') {
+-            $textDefault = substr($column['Default'], 1, -1);
+-            $specialChars = stripcslashes($textDefault !== false ? 
$textDefault : $column['Default']);
++            $textDefault = (string) substr($column['Default'], 1, -1);
++            $specialChars = htmlspecialchars(stripcslashes($textDefault !== 
'' ? $textDefault : $column['Default']));
+         } else {
+             $specialChars = htmlspecialchars($column['Default']);
+         }
+diff --git a/psalm-baseline.xml b/psalm-baseline.xml
+index a07466f7bf..4f053c0a6a 100644
+--- a/psalm-baseline.xml
++++ b/psalm-baseline.xml
+@@ -8183,7 +8183,7 @@
+       <code>$specialChars</code>
+       <code>$specialChars</code>
+       <code>$specialCharsEncoded</code>
+-      <code>$textDefault !== false ? $textDefault : $column['Default']</code>
++      <code>$textDefault !== '' ? $textDefault : $column['Default']</code>
+       <code>$transformationPlugin-&gt;getScripts()</code>
+       <code>$transformation[$type . '_options'] ?? ''</code>
+       <code>$trueType</code>
+diff --git a/test/classes/InsertEditTest.php b/test/classes/InsertEditTest.php
+index 6bbe885c12..c3f8234586 100644
+--- a/test/classes/InsertEditTest.php
++++ b/test/classes/InsertEditTest.php
+@@ -1714,9 +1714,9 @@ public function 
providerForTestGetSpecialCharsAndBackupFieldForInsertingMode():
+                 [
+                     false,
+                     '"lorem\"ipsem"',
+-                    'lorem"ipsem',
++                    'lorem&quot;ipsem',
+                     '',
+-                    'lorem"ipsem',
++                    'lorem&quot;ipsem',
+                 ],
+             ],
+             'varchar with html special chars' => [
+@@ -1732,6 +1732,16 @@ public function 
providerForTestGetSpecialCharsAndBackupFieldForInsertingMode():
+                     'hello world&lt;br&gt;&lt;b&gt;lorem&lt;/b&gt; ipsem',
+                 ],
+             ],
++            'text with html special chars' => [
++                ['True_Type' => 'text', 'Default' => 
'\'</textarea><script>alert(1)</script>\''],
++                [
++                    false,
++                    '\'</textarea><script>alert(1)</script>\'',
++                    '&lt;/textarea&gt;&lt;script&gt;alert(1)&lt;/script&gt;',
++                    '',
++                    '&lt;/textarea&gt;&lt;script&gt;alert(1)&lt;/script&gt;',
++                ],
++            ],
+         ];
+     }
+ 
+-- 
+2.30.2
+
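Review bot: In the InsertEdit.php hunk the fallback test changed from `$textDefault !== false` to `$textDefault !== ''`, so a text column whose default is the empty quoted string `''` now takes the fallback branch. The field would then be prefilled with the two quote characters instead of staying empty; this is inferred from the visible lines, since the server's exact default format is not shown here. The escaping order is sound: `htmlspecialchars()` runs after `stripcslashes()`, so the decoded value is the one that gets encoded. Consider falling back to `$column['Default']` only when the value is not wrapped in quotes, and add a data-provider case such as `['True_Type' => 'text', 'Default' => '\'\'']` to pin the expected output. The body of getSpecialCharsAndBackupFieldForInsertingMode() starts and ends outside the hunk.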
diff -Nru 
phpmyadmin-5.2.1+dfsg/debian/patches/0002-Fix-unescaped-table-name-when-checking-tables.patch
 
phpmyadmin-5.2.1+dfsg/debian/patches/0002-Fix-unescaped-table-name-when-checking-tables.patch
--- 
phpmyadmin-5.2.1+dfsg/debian/patches/0002-Fix-unescaped-table-name-when-checking-tables.patch
       1970-01-01 02:00:00.000000000 +0200
+++ 
phpmyadmin-5.2.1+dfsg/debian/patches/0002-Fix-unescaped-table-name-when-checking-tables.patch
       2025-04-08 16:15:24.000000000 +0300
@@ -0,0 +1,37 @@
+From 198467709c031c52fb9143995e325bcbf67eed52 Mon Sep 17 00:00:00 2001
+From: Maurício Meneghini Fauth <mauri...@mfauth.net>
+Date: Tue, 15 Oct 2024 12:27:22 -0300
+Subject: Fix unescaped table name when checking tables
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Maurício Meneghini Fauth <mauri...@mfauth.net>
+---
+ libraries/classes/Table/Maintenance.php | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/classes/Table/Maintenance.php 
b/libraries/classes/Table/Maintenance.php
+index 97c3423e91..2a2596c2bd 100644
+--- a/libraries/classes/Table/Maintenance.php
++++ b/libraries/classes/Table/Maintenance.php
+@@ -13,6 +13,7 @@
+ use PhpMyAdmin\Util;
+ 
+ use function __;
++use function htmlspecialchars;
+ use function implode;
+ use function sprintf;
+ 
+@@ -119,7 +120,7 @@ public function getIndexesProblems(DatabaseName $db, array 
$tables): string
+                 continue;
+             }
+ 
+-            $indexesProblems .= sprintf(__('Problems with indexes of table 
`%s`'), $table->getName());
++            $indexesProblems .= htmlspecialchars(sprintf(__('Problems with 
indexes of table `%s`'), $table->getName()));
+             $indexesProblems .= $check;
+         }
+ 
+-- 
+2.30.2
+
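Review bot: `$indexesProblems .= $check;` on the line after the fix is still appended without escaping. The hunk does not show how `$check` is built, so it is worth confirming that every table- or index-derived value inside it is encoded before it reaches the page. The fix encodes the whole formatted message rather than only `$table->getName()`, which is safe but would also encode any markup a translation of the message carries. No regression test accompanies this patch; a test for getIndexesProblems() with a table name containing `<` and `"` that asserts the encoded output would pin the fix. The method body starts and ends outside the hunk.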
diff -Nru phpmyadmin-5.2.1+dfsg/debian/patches/series 
phpmyadmin-5.2.1+dfsg/debian/patches/series
--- phpmyadmin-5.2.1+dfsg/debian/patches/series 2023-02-08 14:57:42.000000000 
+0200
+++ phpmyadmin-5.2.1+dfsg/debian/patches/series 2025-04-08 18:25:51.000000000 
+0300
@@ -9,3 +9,5 @@
 Drop-depends-on-paragonie-sodium_compat-since-PHP-7.2-is-required.patch
 Skip-part-of-RoutingTest-testGetDispatcher.patch
 Adjust-path-for-source-files-in-tests.patch
+0001-Fix-XSS-vulnerability-on-Insert-page.patch
+0002-Fix-unescaped-table-name-when-checking-tables.patch
