From: Roy Li <[email protected]> Cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to js/functions.js.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5274 Signed-off-by: Roy Li <[email protected]> --- .../0001-Bug-4544-additional-fix-for-4.2.x.patch | 29 ++++++++++++++++++++ .../recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-Bug-4544-additional-fix-for-4.2.x.patch diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-Bug-4544-additional-fix-for-4.2.x.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-Bug-4544-additional-fix-for-4.2.x.patch new file mode 100644 index 0000000..e23f94b --- /dev/null +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-Bug-4544-additional-fix-for-4.2.x.patch @@ -0,0 +1,29 @@ +From 304fb2b645b36a39e03b954fdbd567173ebe6448 Mon Sep 17 00:00:00 2001 +From: Marc Delisle <[email protected]> +Date: Wed, 1 Oct 2014 08:09:12 -0400 +Subject: [PATCH] Bug 4544: additional fix for 4.2.x + +Upstream-Status: Backport + +Signed-off-by: Marc Delisle <[email protected]> +--- + libraries/TableSearch.class.php | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libraries/TableSearch.class.php b/libraries/TableSearch.class.php +index a0b3fa4..b7eb42f 100644 +--- a/libraries/TableSearch.class.php ++++ b/libraries/TableSearch.class.php +@@ -992,7 +992,8 @@ EOT; + $html_output .= '<td>' . $properties['collation'] . '</td>'; + $html_output .= '<td>' . $properties['func'] . '</td>'; + // here, the data-type attribute is needed for a date/time picker +- $html_output .= '<td data-type="' . $properties['type'] . '"' ++ $html_output .= '<td data-type="' ++ . htmlspecialchars($properties['type']) . '"' + . '>' . $properties['value'] . '</td>'; + $html_output .= '</tr>'; + //Displays hidden fields +-- +1.7.10.4 + diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb index 447b778..49ca7da 100644 
--- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb @@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \ SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \ file://0001-bug-4504-security-Self-XSS-in-query-charts.patch \ file://0001-bug-4505-security-XSS-in-view-operations-page.patch \ + file://0001-Bug-4544-additional-fix-for-4.2.x.patch \ file://apache.conf" SRC_URI[md5sum] = "0dcd755450dac819f33502590c88ad29" -- 1.7.10.4 -- _______________________________________________ Openembedded-devel mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-devel
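Review bot: In the libraries/TableSearch.class.php hunk, only `$properties['type']` is escaped, while the same statement still concatenates `$properties['value']` into the cell body as-is and the two context lines above emit `$properties['collation']` and `$properties['func']` the same way. If those three are HTML fragments built by the caller, that is fine, but the backport should say so; if any of them can carry a column or type name taken from the database, it needs the same `htmlspecialchars()` treatment. For the attribute itself, the default `htmlspecialchars()` flags encode the double quote, which is sufficient here because `data-type` is double-quoted.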
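Review bot: The commit message does not match the patch added in the phpmyadmin_4.2.7.bb hunk. It quotes the CVE-2014-5274 description (view operations page, js/functions.js), but the new SRC_URI entry is 0001-Bug-4544-additional-fix-for-4.2.x.patch, which touches libraries/TableSearch.class.php, and SRC_URI already lists 0001-bug-4505-security-XSS-in-view-operations-page.patch for the view operations issue. Please reword the commit message to describe Bug 4544 and what it fixes, and consider referencing the upstream commit 304fb2b645b36a39e03b954fdbd567173ebe6448 next to the `Upstream-Status: Backport` line so the origin of the backport can be checked.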
