Bug#893804: jessie-pu: package adminer/3.3.3-1+deb8u1

2018-05-13 Thread Adam D. Barratt
Control: tags -1 + pending

On Mon, 2018-05-07 at 17:08 +0100, Chris Lamb wrote:
> Hi Adam,
> 
> > Please go ahead; sorry for the delay.
> 
> adminer_3.3.3-1+deb8u1_amd64.changes uploaded.
> 

and flagged for acceptance.

Regards,

Adam



Bug#893804: jessie-pu: package adminer/3.3.3-1+deb8u1

2018-05-07 Thread Chris Lamb
Hi Adam,

> Please go ahead; sorry for the delay.

adminer_3.3.3-1+deb8u1_amd64.changes uploaded.

> (With the same "coul" typo as the stretch upload.)

Thanks ;)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#893804: jessie-pu: package adminer/3.3.3-1+deb8u1

2018-05-07 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2018-03-22 at 15:05 +, Chris Lamb wrote:
>   adminer (3.3.3-1+deb8u1) jessie; urgency=high
>   
> * CVE-2018-7667: Adminer allowed unauthenticated connections to
> be initiated
>   to arbitrary systems and ports which coul bypass external
> firewalls to
>   identify internal hosts and/or perform port scanning of other
> servers.
>   (Closes: #893668)
> 

Please go ahead; sorry for the delay.

(With the same "coul" typo as the stretch upload.)

Regards,

Adam



Bug#893804: jessie-pu: package adminer/3.3.3-1+deb8u1

2018-03-22 Thread Chris Lamb
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release manager,

Please consider adminer (3.3.3-1+deb8u1) for jessie:
  
  adminer (3.3.3-1+deb8u1) jessie; urgency=high
  
* CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated
  to arbitrary systems and ports which coul bypass external firewalls to
  identify internal hosts and/or perform port scanning of other servers.
  (Closes: #893668)


The full diff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
commit 05a84a7afd8c8e059f9e08a9502417fa5f79e63d
Author: Chris Lamb 
Date:   Thu Mar 22 10:56:21 2018 -0400

CVE-2018-7667

diff --git a/debian/changelog b/debian/changelog
index 9e044c6..d878f1e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+adminer (3.3.3-1+deb8u1) jessie; urgency=high
+
+  * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated
+to arbitrary systems and ports which coul bypass external firewalls to
+identify internal hosts and/or perform port scanning of other servers.
+(Closes: #893668)
+
+ -- Chris Lamb   Tue, 20 Mar 2018 22:40:06 -0400
+
 adminer (3.3.3-1) unstable; urgency=low
 
   * Initial release (Closes: #658861)  
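Review bot: "coul" in the new changelog entry (line starting "to arbitrary systems and ports which coul bypass") should read "could"; the same wording will be copied into the Debian security tracker, so it is worth fixing before upload. The entry could also say what the mitigation actually is (refusing connections to ports below 1024), since "allowed unauthenticated connections to be initiated to arbitrary systems and ports" describes the bug but not the narrower fix.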
diff --git a/debian/patches/CVE-2018-7667.patch 
b/debian/patches/CVE-2018-7667.patch
new file mode 100644
index 000..1d445a2
--- /dev/null
+++ b/debian/patches/CVE-2018-7667.patch
@@ -0,0 +1,13 @@
+--- pkg-adminer.orig/adminer/include/auth.inc.php
 pkg-adminer/adminer/include/auth.inc.php
+@@ -90,6 +90,10 @@ if (isset($_GET["username"])) {
+   page_footer("auth");
+   exit;
+   }
++  list($host, $port) = explode(":", SERVER, 2);
++  if (is_numeric($port) && $port < 1024) {
++  auth_error('Connecting to privileged ports is not allowed.');
++  }
+   $connection = connect();
+ }
+ if (is_string($connection) || !$adminer->login($_GET["username"], 
get_session("pwds"))) {
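Review bot: the new check only refuses ports below 1024 and does not restrict the host part at all, so an unauthenticated user can still point SERVER at any internal address on any port of 1024 or above (3306, 5432, 8080, ...) and use the success or failure of connect() to map the network; if that residual exposure is accepted, the changelog should say so. Two smaller points on the same lines: `list($host, $port) = explode(":", SERVER, 2);` raises an undefined-offset notice whenever SERVER carries no ":" (a bare hostname), so guard with `count()` or `isset()` before reading the port; and an IPv6 literal such as "[::1]:3306" is split at the first ":" so $port is never numeric and the check is skipped, which argues for splitting on the last ":" after a closing "]" instead.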
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..e4d99c3
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2018-7667.patch
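The privileged-port check in the patch above, reimplemented as an added example (this is not Adminer's or the Debian package's code) so the edge cases can be exercised from the command line. It takes the server string as a parameter instead of reading Adminer's SERVER constant, and pairs the patch's logic with a stricter host-allowlist variant; the function names, the allowlist and the sample inputs are this example's own assumptions.

```php
<?php
// Added example, not code from Adminer or the Debian patch.
// Mirrors the jessie patch: block only numeric ports below 1024, any host.
function privileged_port_blocked(string $server): bool
{
    $parts = explode(":", $server, 2);
    // The patch uses list() here and raises a notice when there is no ":".
    $port = $parts[1] ?? null;
    return is_numeric($port) && $port < 1024;
}

// Stricter variant (assumption: only the listed hosts may be contacted).
// Handles bare hostnames, "host:port", "[v6-literal]:port" and "host:/socket".
function server_allowed(string $server, array $allowed_hosts): bool
{
    if ($server !== '' && $server[0] === '[') {
        // IPv6 literal: the port, if any, follows the closing bracket.
        $end = strpos($server, ']');
        if ($end === false) {
            return false;
        }
        $host = substr($server, 1, $end - 1);
        $rest = substr($server, $end + 1);
        if ($rest === '') {
            $port = null;
        } elseif ($rest[0] === ':') {
            $port = substr($rest, 1);
        } else {
            return false;
        }
    } else {
        $parts = explode(":", $server, 2);
        $host = $parts[0];
        $port = $parts[1] ?? null;
    }

    if (!in_array($host, $allowed_hosts, true)) {
        return false;
    }
    if ($port !== null) {
        // A Unix socket path is only meaningful for a local server.
        if ($port !== '' && $port[0] === '/') {
            return $host === 'localhost';
        }
        if (!ctype_digit($port) || (int)$port < 1024 || (int)$port > 65535) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs; run with: php this_file.php
$samples = [
    "localhost",
    "localhost:3306",
    "10.0.0.5:22",
    "10.0.0.5:8080",
    "[::1]:3306",
    "localhost:/run/mysqld/mysqld.sock",
];
$allowed = ['localhost', '127.0.0.1', '::1'];
foreach ($samples as $s) {
    printf("%-36s patch blocks: %-4s allowlist permits: %s\n",
        $s,
        privileged_port_blocked($s) ? 'yes' : 'no',
        server_allowed($s, $allowed) ? 'yes' : 'no');
}
```

Running it shows the two behaviours side by side: "10.0.0.5:22" is refused by the patch's check while "10.0.0.5:8080" and "[::1]:3306" pass it, whereas the allowlist variant refuses both 10.0.0.5 entries regardless of port and still admits the local socket path and the bracketed IPv6 loopback.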