Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Please unblock package phpmyadmin It fixes security bugs, see https://bugs.debian.org/774194 debdiff is attached. unblock phpmyadmin/4:4.2.12-2 - -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=cs_CZ.utf8, LC_CTYPE=cs_CZ.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJUonfeAAoJEJwnsxNCt1EdsI8P/jBTOTNLzrcR18+qG2t/5Kn1 AgDXjjD2c90NTMEdWH74SjsCqoTA7yjZJQa46DeIk5pzgFDR49/LGyPBYsdxGkAH D06/ykK1myCSGmjVOCMA4SyvDSU0quJFdYh8QoBXM/sg2DaDlL2VxWL8C6ulwDvZ k02kzHdCE1VntTw7zHYMTGUKanTEyEhuFj7MiKfvrGPLcOkZ12KrAWYwPCoVDz2i hwV0IEve0ptAH/+hXuYnPzQ6qgScOFK2/f7DdXAWApmuHD0SLr7LqEeGZ+v8zJoH 5XonWhHeDBDCajWva+ADD8jxDd046EGaA5gxqlcOQn5Rdzm5LptKkPp/9pxKYbUI jIqOitySfST/e3A6hs5eSaaE3nTV3uFW+1aC3ShDof0BeMA1cU1bxMmuSfq+eO+s kEtV+xou7xZnRra2HvTrD4LI+DYQNcYGp1ezan+b6ls3i8RVvtZW4qnonw2bgGda /kux9xK94NFZVwqIsKufPFnwA3dmzTsTd1XUs3tvRWzdxmwlO5wid2Y1/UY++vfQ 7poFqR3hCmMXuuQZXSpybn4fL3PK3pGuD6UsRWY1zcHtnLMvDLe0bwUh/tGkF4Km 32RPnqB8mQwvKPsXonrzFaKWahZYQ4pJTf80nFmqm3ey4XjIxbSo643IetluGfqH KW8zz8VPhbW8iCgvFs4H =j4qh -----END PGP SIGNATURE-----
diff -Nru phpmyadmin-4.2.12/debian/changelog phpmyadmin-4.2.12/debian/changelog
--- phpmyadmin-4.2.12/debian/changelog 2014-11-22 10:34:32.000000000 +0100
+++ phpmyadmin-4.2.12/debian/changelog 2014-12-30 10:54:34.000000000 +0100
@@ -1,3 +1,11 @@
+phpmyadmin (4:4.2.12-2) unstable; urgency=high
+
+ * Fix security issues (Closes: #774194).
+ - CVE-2014-9219 / PMASA-2014-18 - XSS vulnerability in redirection.
+ - CVE-2014-9218 / PMASA-2014-17 - DoS vulnerability with long passwords.
+
+ -- Michal Čihař <ni...@debian.org> Tue, 30 Dec 2014 10:54:32 +0100
+
 phpmyadmin (4:4.2.12-1) unstable; urgency=medium
 
 * New upstrem release.
diff -Nru phpmyadmin-4.2.12/debian/patches/bug-4611-security-DOS-attack-with-long-passwords.patch phpmyadmin-4.2.12/debian/patches/bug-4611-security-DOS-attack-with-long-passwords.patch
--- phpmyadmin-4.2.12/debian/patches/bug-4611-security-DOS-attack-with-long-passwords.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/bug-4611-security-DOS-attack-with-long-passwords.patch 2014-12-30 10:52:09.000000000 +0100
@@ -0,0 +1,80 @@
+From 1ac863c7573d12012374d5d41e5c7dc5505ea6e1 Mon Sep 17 00:00:00 2001
+From: Madhura Jayaratne <madhura...@gmail.com>
+Date: Tue, 2 Dec 2014 21:20:59 +0530
+Subject: [PATCH 1/1] bug #4611 [security] DOS attack with long passwords
+
+Signed-off-by: Madhura Jayaratne <madhura...@gmail.com>
+---
+ ChangeLog | 1 +
+ libraries/common.inc.php | 5 +++++
+ libraries/plugins/AuthenticationPlugin.class.php | 9 +++++++++
+ libraries/plugins/auth/AuthenticationCookie.class.php | 10 ++++++++++
+ 4 files changed, 25 insertions(+)
+
+diff --git a/libraries/common.inc.php b/libraries/common.inc.php
+index 2227c1e..5cea823 100644
+--- a/libraries/common.inc.php
++++ b/libraries/common.inc.php
+@@ -859,6 +859,9 @@ if (! defined('PMA_MINIMUM_COMMON')) {
+ . ' ' . $cfg['Server']['auth_type']
+ );
+ }
++ if (isset($_REQUEST['pma_password'])) {
++ $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256);
++ }
+ include_once './libraries/plugins/auth/' . $auth_class . '.class.php';
+ // todo: add plugin manager
+ $plugin_manager = null;
+@@ -988,6 +991,8 @@ if (! defined('PMA_MINIMUM_COMMON')) {
+ $controllink = $userlink;
+ }
+
++ $auth_plugin->storeUserCredentials();
++
+ /* Log success */
+ PMA_logUser($cfg['Server']['user']);
+
+diff --git a/libraries/plugins/AuthenticationPlugin.class.php b/libraries/plugins/AuthenticationPlugin.class.php
+index 3ddf55e..7943d2c 100644
+--- a/libraries/plugins/AuthenticationPlugin.class.php
++++ b/libraries/plugins/AuthenticationPlugin.class.php
+@@ -42,6 +42,15 @@ abstract class AuthenticationPlugin extends PluginObserver
+ abstract public function authSetUser();
+
+ /**
++ * Stores user credentials after successful login.
++ *
++ * @return void
++ */
++ public function storeUserCredentials()
++ {
++ }
++
++ /**
+ * User is not allowed to login to MySQL -> authentication failed
+ *
+ * @return boolean
+diff --git a/libraries/plugins/auth/AuthenticationCookie.class.php b/libraries/plugins/auth/AuthenticationCookie.class.php
+index e21471c..68cb5d4 100644
+--- a/libraries/plugins/auth/AuthenticationCookie.class.php
++++ b/libraries/plugins/auth/AuthenticationCookie.class.php
+@@ -557,6 +557,16 @@ class AuthenticationCookie extends AuthenticationPlugin
+ unset($_SERVER['PHP_AUTH_PW']);
+
+ $_SESSION['last_access_time'] = time();
++ }
++
++ /**
++ * Stores user credentials after successful login.
++ *
++ * @return void
++ */
++ public function storeUserCredentials()
++ {
++ global $cfg;
+
+ $this->createBlowfishIV();
+
+--
+2.1.4
+
diff -Nru phpmyadmin-4.2.12/debian/patches/bug-4612-security-XSS-vulnerability-in-redirection-m.patch phpmyadmin-4.2.12/debian/patches/bug-4612-security-XSS-vulnerability-in-redirection-m.patch
--- phpmyadmin-4.2.12/debian/patches/bug-4612-security-XSS-vulnerability-in-redirection-m.patch 1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/bug-4612-security-XSS-vulnerability-in-redirection-m.patch 2014-12-30 10:52:13.000000000 +0100
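Review bot: The 256-byte cap in the common.inc.php hunk is applied only to `$_REQUEST['pma_password']`, so an auth plugin that reads `$_POST['pma_password']` directly would still receive the untruncated value; the plugin code is not in this patch, so that should be confirmed rather than assumed. The `substr` is also silent: a password that legitimately exceeds 256 bytes is cut without notice and the login simply fails, and the bare constant deserves a why-comment such as `// CVE-2014-9218: bound password length before the auth plugin processes it`. The new `storeUserCredentials()` in AuthenticationCookie.class.php opens a method whose body continues past the end of the hunk; only `global $cfg;` and the `createBlowfishIV()` call now moved out of the preceding method are visible, so the split cannot be fully reviewed from this patch.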
@@ -0,0 +1,39 @@
+From 9b2479b7216dd91a6cc2f231c0fd6b85d457f6e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mic...@cihar.com>
+Date: Mon, 1 Dec 2014 21:51:59 +0530
+Subject: [PATCH 1/1] bug #4612 [security] XSS vulnerability in redirection
+ mechanism
+
+Signed-off-by: Madhura Jayaratne <madhura...@gmail.com>
+---
+ ChangeLog | 3 +++
+ url.php | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/url.php b/url.php
+index 71efc9f..82b2243 100644
+--- a/url.php
++++ b/url.php
+@@ -11,6 +11,10 @@
+ */
+ define('PMA_MINIMUM_COMMON', true);
+ require_once './libraries/common.inc.php';
++/**
++ * JavaScript escaping.
++ */
++require_once './libraries/js_escape.lib.php';
+
+ if (! PMA_isValid($_GET['url'])
+ || ! preg_match('/^https?:\/\/[^\n\r]*$/', $_GET['url'])
+@@ -24,7 +28,7 @@ if (! PMA_isValid($_GET['url'])
+ // external site.
+ echo "<script type='text/javascript'>
+ window.onload=function(){
+- window.location='" . htmlspecialchars($_GET['url']) . "';
++ window.location='" . PMA_escapeJsString($_GET['url']) . "';
+ }
+ </script>";
+ // Display redirecting msg on screen.
+--
+2.1.4
+
diff -Nru phpmyadmin-4.2.12/debian/patches/series phpmyadmin-4.2.12/debian/patches/series
--- phpmyadmin-4.2.12/debian/patches/series 2014-11-22 10:34:32.000000000 +0100
+++ phpmyadmin-4.2.12/debian/patches/series 2014-12-30 10:51:50.000000000 +0100
@@ -1,3 +1,5 @@
 debian.patch
 doc.patch
 setup-message.patch
+bug-4611-security-DOS-attack-with-long-passwords.patch
+bug-4612-security-XSS-vulnerability-in-redirection-m.patch
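Review bot: The escaped value in the url.php hunk still lands inside a quoted JavaScript string within an inline `<script>` element, and the guarding regex `^https?:\/\/[^\n\r]*$` excludes only CR and LF, so correctness now rests entirely on `PMA_escapeJsString` neutralising quotes and `</script>`-style sequences; that helper is not part of this patch, so I cannot confirm it here. A form that does not depend on the helper's coverage is to emit the value as a JSON literal, `window.location=" . json_encode($_GET['url'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) . ";`, which encodes `<`, `>`, `&` and both quote characters as `\uXXXX` escapes and supplies its own delimiting quotes. Independently of the escaping, both the old and new versions accept any http(s) URL, so this script appears to remain an open redirector by design; a short comment stating that this is intentional would help the next reader of the check above the hunk.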