Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <[email protected]>
and subject line Released with 13.3
has caused the Debian Bug report #1116017,
regarding trixie-pu: package libphp-adodb/5.22.9-0.1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1116017: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116017
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libphp-adodb
Please approve the upload of package libphp-adodb to trixie
to fix security issue CVE-2025-54119.
[ Reason ]
There is a SQL injection vulnerability in the sqlite3 driver.
[ Impact ]
Impacts the use of sqlite3 driver where SQL injection possible in
metaColumns(), metaForeignKeys() or metaIndexes() methods.
[ Tests ]
No tests in package. But the patch is backported from upstream without
any fuzz.
[ Risks ]
Unlikely. Patch backported from v5.22.10. Just a point version above.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
--abhijith
diff -Nru libphp-adodb-5.22.9/debian/changelog
libphp-adodb-5.22.9/debian/changelog
--- libphp-adodb-5.22.9/debian/changelog 2025-05-02 19:18:03.000000000
+0530
+++ libphp-adodb-5.22.9/debian/changelog 2025-09-23 12:44:45.000000000
+0530
@@ -1,3 +1,10 @@
+libphp-adodb (5.22.9-0.1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2025-54119: SQL injection in sqlite3 driver (Closes: #1110464)
+
+ -- Abhijith PA <[email protected]> Tue, 23 Sep 2025 12:44:45 +0530
+
libphp-adodb (5.22.9-0.1) unstable; urgency=high
* Non-maintainer upload.
diff -Nru libphp-adodb-5.22.9/debian/patches/CVE-2025-54119.patch
libphp-adodb-5.22.9/debian/patches/CVE-2025-54119.patch
--- libphp-adodb-5.22.9/debian/patches/CVE-2025-54119.patch 1970-01-01
05:30:00.000000000 +0530
+++ libphp-adodb-5.22.9/debian/patches/CVE-2025-54119.patch 2025-09-23
12:44:45.000000000 +0530
@@ -0,0 +1,89 @@
+From 5b8bd52cdcffefb4ecded1b399c98cfa516afe03 Mon Sep 17 00:00:00 2001
+From: Damien Regad <[email protected]>
+Date: Sat, 19 Jul 2025 18:37:59 +0200
+Subject: [PATCH] Prevent SQL injection in sqlite3 driver
+
+Use query parameters instead of injecting the table name in the SQL, in
+the following methods:
+- metaColumns()
+- metaForeignKeys()
+- metaIndexes()
+
+Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.
+
+Fixes #1083, CVE-2025-54119, GHSA-vf2r-cxg9-p7rf
+---
+ drivers/adodb-sqlite3.inc.php | 37 ++++++++++++++---------------------
+ 1 file changed, 15 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/adodb-sqlite3.inc.php b/drivers/adodb-sqlite3.inc.php
+index 7e5f5ffdc..564eec958 100644
+--- a/drivers/adodb-sqlite3.inc.php
++++ b/drivers/adodb-sqlite3.inc.php
+@@ -168,7 +168,9 @@ function MetaColumns($table, $normalize=true)
+ if ($this->fetchMode !== false) {
+ $savem = $this->SetFetchMode(false);
+ }
+- $rs = $this->Execute("PRAGMA table_info('$table')");
++
++ $rs = $this->execute("PRAGMA table_info(?)", array($table));
++
+ if (isset($savem)) {
+ $this->SetFetchMode($savem);
+ }
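Review bot: the new execute("PRAGMA table_info(?)", array($table)) call needs to be exercised against a real sqlite3 database before this goes to trixie, because SQLite's PRAGMA statement takes its argument as a name or literal, not as a bound parameter; if the driver's prepare step rejects the statement, $rs comes back false and a previously working metaColumns() stops returning columns. The package has no test suite (as the [Tests] section says), so please confirm by hand; if it does not prepare, the table-valued form "SELECT * FROM pragma_table_info(?)" takes a bound parameter and returns the same columns, or the identifier can be validated and quoted before it is interpolated.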
+@@ -222,9 +224,8 @@ public function metaForeignKeys($table, $owner = '',
$upper = false, $associati
+ )
+ WHERE type != 'meta'
+ AND sql NOTNULL
+- AND LOWER(name) ='" . strtolower($table) .
"'";
+-
+- $tableSql = $this->getOne($sql);
++ AND LOWER(name) = ?";
++ $tableSql = $this->getOne($sql, [strtolower($table)]);
+
+ $fkeyList = array();
+ $ylist = preg_split("/,+/",$tableSql);
+@@ -441,6 +442,7 @@ function metaIndexes($table, $primary = FALSE, $owner =
false)
+ $savem = $this->SetFetchMode(FALSE);
+ }
+
++ $table = strtolower($table);
+ $pragmaData = array();
+
+ /*
+@@ -449,26 +451,17 @@ function metaIndexes($table, $primary = FALSE, $owner =
false)
+ */
+ if ($primary)
+ {
+- $sql = sprintf('PRAGMA table_info([%s]);',
+- strtolower($table)
+- );
+- $pragmaData = $this->getAll($sql);
++ $sql = 'PRAGMA table_info(?)';
++ $pragmaData = $this->getAll($sql, [$table]);
+ }
+
+- /*
+- * Exclude the empty entry for the primary index
+- */
+- $sqlite = "SELECT name,sql
+- FROM sqlite_master
+- WHERE type='index'
+- AND sql IS NOT NULL
+- AND LOWER(tbl_name)='%s'";
+-
+- $SQL = sprintf($sqlite,
+- strtolower($table)
+- );
+-
+- $rs = $this->execute($SQL);
++ // Exclude the empty entry for the primary index
++ $sql = "SELECT name,sql
++ FROM sqlite_master
++ WHERE type='index'
++ AND sql IS NOT NULL
++ AND LOWER(tbl_name)=?";
++ $rs = $this->execute($sql, [$table]);
+
+ if (!is_object($rs)) {
+ if (isset($savem)) {
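Review bot: the 'PRAGMA table_info(?)' handed to getAll($sql, [$table]) under if ($primary) has the same bound-parameter concern as the metaColumns() hunk: the replaced sprintf('PRAGMA table_info([%s]);', ...) did prepare, whereas a PRAGMA argument supplied as ? is not part of SQLite's statement grammar, so $pragmaData may be false rather than an array on the primary-key path. The sqlite_master SELECT later in this hunk is an ordinary query and binds $table correctly. Please run metaIndexes($table, true) on a real database and, if the PRAGMA form fails, switch that lookup to "SELECT * FROM pragma_table_info(?)".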
diff -Nru libphp-adodb-5.22.9/debian/patches/series
libphp-adodb-5.22.9/debian/patches/series
--- libphp-adodb-5.22.9/debian/patches/series 1970-01-01 05:30:00.000000000
+0530
+++ libphp-adodb-5.22.9/debian/patches/series 2025-09-23 12:44:45.000000000
+0530
@@ -0,0 +1 @@
+CVE-2025-54119.patch
--- End Message ---
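The injection the bug report describes, reproduced here as an added example that is not ADOdb's code and not part of the bug report. It uses Python's stdlib sqlite3 module so that it runs against a real SQLite engine: meta_indexes_vulnerable() mirrors the pre-patch sprintf/strtolower pattern, meta_indexes_fixed() mirrors the parameterised sqlite_master query the patch introduces, pragma_accepts_bound_parameter() probes whether the running SQLite build will prepare the patch's "PRAGMA table_info(?)" statement, and meta_columns_fixed() is a hypothetical alternative built on the pragma_table_info() table-valued function (SQLite 3.16 or later). The schema, the users table and the PAYLOAD string are constructed for this example.

```python
"""Added example: sqlite3 metadata-query injection and its parameterised
fix, run against Python's stdlib sqlite3 module (not ADOdb code)."""
import sqlite3

# Constructed sample schema with a "secret" column an attacker would want.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, secret TEXT);
CREATE INDEX users_email ON users (email);
INSERT INTO users VALUES (1, '[email protected]', 'api-key-1');
"""

# Attacker-controlled "table name": closes the quote, appends a UNION that
# reads a different table, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT email, secret FROM users --"


def connect():
    """Fresh in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def meta_indexes_vulnerable(conn, table):
    """Pre-patch pattern: the caller-supplied table name is lowercased and
    spliced into the SQL text, so a quote inside it ends the literal."""
    sql = (
        "SELECT name, sql FROM sqlite_master "
        "WHERE type='index' AND sql IS NOT NULL "
        "AND LOWER(tbl_name)='{}'"
    ).format(table.lower())
    return conn.execute(sql).fetchall()


def meta_indexes_fixed(conn, table):
    """Post-patch pattern: the name travels as a bound parameter and can
    only ever be compared as a value, never parsed as SQL."""
    sql = (
        "SELECT name, sql FROM sqlite_master "
        "WHERE type='index' AND sql IS NOT NULL "
        "AND LOWER(tbl_name)=?"
    )
    return conn.execute(sql, (table.lower(),)).fetchall()


def pragma_accepts_bound_parameter(conn):
    """Probe whether this SQLite build prepares the exact statement the
    patch uses for metaColumns(). Returns a bool instead of raising."""
    try:
        conn.execute("PRAGMA table_info(?)", ("users",)).fetchall()
        return True
    except sqlite3.Error:
        return False


def meta_columns_fixed(conn, table):
    """Hypothetical hardened metaColumns(): the table-valued pragma function
    accepts an ordinary bound parameter. Unknown tables yield no rows."""
    sql = "SELECT name, type, pk FROM pragma_table_info(?)"
    return conn.execute(sql, (table,)).fetchall()


def demo():
    """Run every variant once and return the results keyed by name."""
    db = connect()
    return {
        "vulnerable": meta_indexes_vulnerable(db, PAYLOAD),
        "fixed_payload": meta_indexes_fixed(db, PAYLOAD),
        "fixed_legit": meta_indexes_fixed(db, "Users"),
        "columns": meta_columns_fixed(db, "users"),
        "columns_payload": meta_columns_fixed(db, PAYLOAD),
        "pragma_binds": pragma_accepts_bound_parameter(db),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable variant returns the users row (email and secret) for the payload even though it was only ever meant to list indexes, while the fixed variant returns nothing for the same input and still finds users_email for a legitimate name. The pragma_binds result is reported rather than asserted because it depends on the SQLite build; it is the check the [Tests] section leaves undone.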
--- Begin Message ---
Package: release.debian.org
Version: 13.3

This update has been released as part of Debian 13.3.
--- End Message ---