Your message dated Sat, 10 Jan 2026 11:59:45 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1116015,
regarding bookworm-pu: package libphp-adodb/5.21.4-1+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1116015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116015
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libphp-adodb

Please approve the upload of package libphp-adodb to bookworm
to fix security issue CVE-2025-54119.

[ Reason ]

There is a SQL injection vulnerability in the sqlite3 driver.

[ Impact ]
Impacts the use of sqlite3 driver where SQL injection possible in
metaColumns(), metaForeignKeys() or metaIndexes() methods.

[ Tests ]
No tests in package, but the patch is backported from upstream without
any fuzz.

[ Risks ]
Unlikely, since backported from upstream with zero fuzz.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

--abhijith
diff -Nru libphp-adodb-5.21.4/debian/changelog libphp-adodb-5.21.4/debian/changelog
--- libphp-adodb-5.21.4/debian/changelog        2025-05-07 03:09:03.000000000 +0530
+++ libphp-adodb-5.21.4/debian/changelog        2025-09-17 13:32:21.000000000 +0530
@@ -1,3 +1,10 @@
+libphp-adodb (5.21.4-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-54119: SQL injection in sqlite3 driver (Closes: #1110464)
+
+ -- Abhijith PA <[email protected]>  Wed, 17 Sep 2025 13:32:21 +0530
+
 libphp-adodb (5.21.4-1+deb12u1) bookworm; urgency=high
 
   * Non-maintainer upload.
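Review bot: the changelog entry could name the affected methods (metaColumns(), metaForeignKeys(), metaIndexes()) and the upstream commit or GHSA id that the patch header carries, so the scope of the fix is readable without opening the patch file; the version string 5.21.4-1+deb12u2 and the bookworm target match the request subject.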
diff -Nru libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch
--- libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch     1970-01-01 05:30:00.000000000 +0530
+++ libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch     2025-09-17 13:28:24.000000000 +0530
@@ -0,0 +1,87 @@
+From 5b8bd52cdcffefb4ecded1b399c98cfa516afe03 Mon Sep 17 00:00:00 2001
+From: Damien Regad <[email protected]>
+Date: Sat, 19 Jul 2025 18:37:59 +0200
+Subject: [PATCH] Prevent SQL injection in sqlite3 driver
+
+Use query parameters instead of injecting the table name in the SQL, in
+the following methods:
+- metaColumns()
+- metaForeignKeys()
+- metaIndexes()
+
+Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.
+
+Fixes #1083, CVE-2025-54119, GHSA-vf2r-cxg9-p7rf
+---
+ drivers/adodb-sqlite3.inc.php | 37 ++++++++++++++---------------------
+ 1 file changed, 15 insertions(+), 22 deletions(-)
+
+--- a/drivers/adodb-sqlite3.inc.php
++++ b/drivers/adodb-sqlite3.inc.php
+@@ -160,7 +160,9 @@ class ADODB_sqlite3 extends ADOConnectio
+               if ($this->fetchMode !== false) {
+                       $savem = $this->SetFetchMode(false);
+               }
+-              $rs = $this->Execute("PRAGMA table_info('$table')");
++
++              $rs = $this->execute("PRAGMA table_info(?)", array($table));
++
+               if (isset($savem)) {
+                       $this->SetFetchMode($savem);
+               }
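Review bot: the replacement `$rs = $this->execute("PRAGMA table_info(?)", array($table));` places a bind parameter inside a PRAGMA argument, which SQLite's grammar only accepts as a literal name or string, so the statement may fail to prepare rather than bind; with the [Tests] section stating the backport was not exercised, this is worth confirming against bookworm's SQLite before release. The table-valued form `SELECT * FROM pragma_table_info(?)` (SQLite 3.16 and later) takes a bound parameter and sidesteps the question while keeping the injection fix.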
+@@ -214,9 +216,8 @@ class ADODB_sqlite3 extends ADOConnectio
+                                 )
+                               WHERE type != 'meta'
+                                 AND sql NOTNULL
+-                        AND LOWER(name) ='" . strtolower($table) . "'";
+-
+-              $tableSql = $this->getOne($sql);
++                        AND LOWER(name) = ?";
++              $tableSql = $this->getOne($sql, [strtolower($table)]);
+ 
+               $fkeyList = array();
+               $ylist = preg_split("/,+/",$tableSql);
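Review bot: style only: this hunk passes the parameter list as `[strtolower($table)]` while the metaColumns() hunk above uses `array($table)`; pick one form for the three call sites. The query itself is correct: the lowercased name is bound against `LOWER(name) = ?`, matching the previous comparison semantics.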
+@@ -433,6 +434,7 @@ class ADODB_sqlite3 extends ADOConnectio
+                       $savem = $this->SetFetchMode(FALSE);
+               }
+ 
++              $table = strtolower($table);
+               $pragmaData = array();
+ 
+               /*
+@@ -441,26 +443,17 @@ class ADODB_sqlite3 extends ADOConnectio
+               */
+               if ($primary)
+               {
+-                      $sql = sprintf('PRAGMA table_info([%s]);',
+-                                                 strtolower($table)
+-                                                 );
+-                      $pragmaData = $this->getAll($sql);
++                      $sql = 'PRAGMA table_info(?)';
++                      $pragmaData = $this->getAll($sql, [$table]);
+               }
+ 
+-              /*
+-              * Exclude the empty entry for the primary index
+-              */
+-              $sqlite = "SELECT name,sql
+-                                       FROM sqlite_master
+-                                      WHERE type='index'
+-                                        AND sql IS NOT NULL
+-                                        AND LOWER(tbl_name)='%s'";
+-
+-              $SQL = sprintf($sqlite,
+-                                   strtolower($table)
+-                                       );
+-
+-              $rs = $this->execute($SQL);
++              // Exclude the empty entry for the primary index
++              $sql = "SELECT name,sql
++                              FROM sqlite_master
++                              WHERE type='index'
++                                AND sql IS NOT NULL
++                                AND LOWER(tbl_name)=?";
++              $rs = $this->execute($sql, [$table]);
+ 
+               if (!is_object($rs)) {
+                       if (isset($savem)) {
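Review bot: the same PRAGMA caveat as in metaColumns() applies to `$sql = 'PRAGMA table_info(?)';` here, since `$pragmaData = $this->getAll($sql, [$table]);` relies on a bound parameter inside a PRAGMA argument; the `sqlite_master` query that follows is ordinary SQL and binds `LOWER(tbl_name)=?` correctly. Note also that the old code wrapped the name in `[%s]` identifier brackets while the new code passes it as a value, so tables whose names previously relied on that bracket quoting should be covered by the verification run.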
diff -Nru libphp-adodb-5.21.4/debian/patches/series libphp-adodb-5.21.4/debian/patches/series
--- libphp-adodb-5.21.4/debian/patches/series   2025-05-07 03:09:03.000000000 +0530
+++ libphp-adodb-5.21.4/debian/patches/series   2025-09-17 11:56:11.000000000 +0530
@@ -1 +1,2 @@
 00-fix-sec-pgsql-sql-injection.patch
+CVE-2025-54119.patch

--- End Message ---
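The vulnerability class fixed above, shown as an added example that is not ADOdb's or Debian's code: the pre-patch string-built sqlite3 metadata query beside bound-parameter equivalents, run against a constructed in-memory database with Python's sqlite3 module. It assumes an SQLite with the pragma_table_info() table-valued function (3.16 and later), and the table and index names are made up for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema: a plain table with one index, plus a table
    # whose name contains a single quote to exercise the quoting path.
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT);"
        "CREATE INDEX users_email ON users(email);"
        "CREATE TABLE \"o'neil\" (id INTEGER);"
    )
    return con


def columns_unsafe(con: sqlite3.Connection, table: str) -> list:
    # Pre-patch shape: the table name is interpolated into the PRAGMA text,
    # so a quote in the name changes the statement instead of being data.
    return [row[1] for row in con.execute(f"PRAGMA table_info('{table}')")]


def columns_safe(con: sqlite3.Connection, table: str) -> list:
    # PRAGMA arguments are literals in SQLite's grammar, so the table-valued
    # form pragma_table_info() is used here to accept a bound parameter.
    sql = "SELECT name FROM pragma_table_info(?)"
    return [row[0] for row in con.execute(sql, (table,))]


def indexes_safe(con: sqlite3.Connection, table: str) -> list:
    # Same shape as the patched metaIndexes() query: the lowercased table
    # name is bound to the placeholder rather than concatenated.
    sql = ("SELECT name FROM sqlite_master WHERE type='index' "
           "AND sql IS NOT NULL AND LOWER(tbl_name)=?")
    return [row[0] for row in con.execute(sql, (table.lower(),))]


def bare_pragma_bind_fails(con: sqlite3.Connection) -> bool:
    # Shows why columns_safe() does not bind directly into PRAGMA:
    # SQLite rejects a '?' where the pragma grammar expects a literal.
    try:
        con.execute("PRAGMA table_info(?)", ("users",))
    except sqlite3.OperationalError:
        return True
    return False


def unsafe_breaks_on_quote(con: sqlite3.Connection) -> bool:
    # The interpolated form cannot even describe a table named o'neil;
    # the bound form treats the quote as part of the value.
    try:
        columns_unsafe(con, "o'neil")
    except sqlite3.OperationalError:
        return True
    return False
```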
--- Begin Message ---
Package: release.debian.org
Version: 12.13

This update has been released as part of Debian 12.13.

--- End Message ---
