Re: Review and testing phpmyadmin for Jessie LTS

2019-02-01 Thread Lucas Kanashiro
Hi Antoine,

Thank you for the feedback! I've also performed some tests (I sent an
email about that almost at the same time as you :) and came to the
same result.

After your report I'll upload the package now.

Cheers.

On 2/1/19 5:31 PM, Antoine Beaupré wrote:
> Hi,
>
> I've reviewed both patches and they look sane. I did some smoke tests on
> the package (installed it and mariadb in a VM) and it seems to run
> okay. I also did a naive attempt at exploiting CVE-2018-19970 but
> couldn't succeed, which can either mean I failed or the flaw is
> fixed. :)
>
> Good job,
>
> A.
>
> On 2019-01-29 15:27:59, Lucas Kanashiro wrote:
>> Hugo,
>>
>> I just uploaded a new package fixing the issue that you pointed out here
>> again: https://people.debian.org/~kanashiro/jessie_lts/phpmyadmin/
>>
>> I didn't perform any new testing yet, I want to do it soon. But if you
>> could have a try again it would be great.
>>
>> Cheers.
>>
>> On 1/29/19 11:37 AM, Hugo Lefeuvre wrote:
>>> Hi Lucas,
>>>
>>>> Great, sorry for being a victim of my lack of attention... I've never
>>>> used phpmyadmin (that's why I requested some testing) and my local tests
>>>> were so basic that they didn't catch this issue. Shame on me.
>>>
>>> That's fine, main thing is issues have been found before upload :)
>>>
>>>> I'll fix it and perform some tests. Thanks for the review and the time
>>>> that you spent on this.
>>>
>>> I am available for testing the updated package if needed.
>>>
>>> cheers,
>>>  Hugo
>>>
>> -- 
>> Lucas Kanashiro

-- 
Lucas Kanashiro


Re: Review and testing phpmyadmin for Jessie LTS

2019-02-01 Thread Antoine Beaupré
Hi,

I've reviewed both patches and they look sane. I did some smoke tests on
the package (installed it and mariadb in a VM) and it seems to run
okay. I also did a naive attempt at exploiting CVE-2018-19970 but
couldn't succeed, which can either mean I failed or the flaw is
fixed. :)

Good job,

A.

On 2019-01-29 15:27:59, Lucas Kanashiro wrote:
> Hugo,
>
> I just uploaded a new package fixing the issue that you pointed out here
> again: https://people.debian.org/~kanashiro/jessie_lts/phpmyadmin/
>
> I didn't perform any new testing yet, I want to do it soon. But if you
> could have a try again it would be great.
>
> Cheers.
>
> On 1/29/19 11:37 AM, Hugo Lefeuvre wrote:
>> Hi Lucas,
>>
>>> Great, sorry for being a victim of my lack of attention... I've never
>>> used phpmyadmin (that's why I requested some testing) and my local tests
>>> were so basic that they didn't catch this issue. Shame on me.
>>
>> That's fine, main thing is issues have been found before upload :)
>>
>>> I'll fix it and perform some tests. Thanks for the review and the time
>>> that you spent on this.
>> I am available for testing the updated package if needed.
>>
>> cheers,
>>  Hugo
>>
> -- 
> Lucas Kanashiro

-- 
Drowning people
Sometimes die
Fighting their rescuers.
- Octavia Butler



Re: Review and testing phpmyadmin for Jessie LTS

2019-01-29 Thread Lucas Kanashiro
Hugo,

I just uploaded a new package fixing the issue that you pointed out here
again: https://people.debian.org/~kanashiro/jessie_lts/phpmyadmin/

I didn't perform any new testing yet, I want to do it soon. But if you
could have a try again it would be great.

Cheers.

On 1/29/19 11:37 AM, Hugo Lefeuvre wrote:
> Hi Lucas,
>
>> Great, sorry for being a victim of my lack of attention... I've never
>> used phpmyadmin (that's why I requested some testing) and my local tests
>> were so basic that they didn't catch this issue. Shame on me.
>
> That's fine, main thing is issues have been found before upload :)
>
>> I'll fix it and perform some tests. Thanks for the review and the time
>> that you spent on this.
> I am available for testing the updated package if needed.
>
> cheers,
>  Hugo
>
-- 
Lucas Kanashiro



Re: Review and testing phpmyadmin for Jessie LTS

2019-01-29 Thread Hugo Lefeuvre
Hi Lucas,

> Great, sorry for being a victim of my lack of attention... I've never
> used phpmyadmin (that's why I requested some testing) and my local tests
> were so basic that they didn't catch this issue. Shame on me.

That's fine, main thing is issues have been found before upload :)
 
> I'll fix it and perform some tests. Thanks for the review and the time
> that you spent on this.

I am available for testing the updated package if needed.

cheers,
 Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Re: Review and testing phpmyadmin for Jessie LTS

2019-01-28 Thread Lucas Kanashiro
Hi Hugo,

On 1/28/19 6:40 AM, Hugo Lefeuvre wrote:
> Hi Lucas,
>
> Sorry for the late answer.
Do not worry.
> I had an issue with your patch and took a while to find out what was going
> wrong.
>
> This update broke table creation...
>
>> +--- a/libraries/transformations.lib.php
>>  b/libraries/transformations.lib.php
>> +@@ -145,9 +145,10 @@ function PMA_getTransformationDescriptio
>> + $class_name = explode(".class.php", $file);
>> + $class_name = $class_name[0];
>> + 
>> +-// include and instantiate the class
>> +-include_once 'libraries/plugins/transformations/' . $file;
>> +-return $class_name::getInfo();
>> ++if (class_exists($class_name)) {
>> ++return $class_name::getInfo();
>> ++}
>> ++return ''
> I guess a ; is missing here :)

Great, sorry for being a victim of my lack of attention... I've never
used phpmyadmin (that's why I requested some testing) and my local tests
were so basic that they didn't catch this issue. Shame on me.

I'll fix it and perform some tests. Thanks for the review and the time
that you spent on this.

Cheers!

-- 
Lucas Kanashiro



Re: Review and testing phpmyadmin for Jessie LTS

2019-01-28 Thread Hugo Lefeuvre
Hi Lucas,

Sorry for the late answer.

I had an issue with your patch and took a while to find out what was going
wrong.

This update broke table creation...

> +--- a/libraries/transformations.lib.php
>  b/libraries/transformations.lib.php
> +@@ -145,9 +145,10 @@ function PMA_getTransformationDescriptio
> + $class_name = explode(".class.php", $file);
> + $class_name = $class_name[0];
> + 
> +-// include and instantiate the class
> +-include_once 'libraries/plugins/transformations/' . $file;
> +-return $class_name::getInfo();
> ++if (class_exists($class_name)) {
> ++return $class_name::getInfo();
> ++}
> ++return ''
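Review bot: the new `++return ''` line at the end of the hunk is missing its terminating semicolon, so transformations.lib.php no longer parses and every page that includes it fails, which matches the table-creation breakage reported above; it should read `return '';`. A second point worth checking before upload: the removed `include_once 'libraries/plugins/transformations/' . $file;` was the only statement in this function that loaded the plugin class, and `class_exists($class_name)` returns false for a class that was never loaded, so unless 4.2.12 loads these classes somewhere else (or through an autoloader), every transformation description will silently come back as '' once the semicolon is fixed; confirming that descriptions still display in the test VM would settle which case applies. Since the deleted comment `// include and instantiate the class` was the only documentation of that include, the patch header should also say why it was dropped and what now loads the classes.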

I guess a ; is missing here :)

cheers,

Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com



Re: Review and testing phpmyadmin for Jessie LTS

2019-01-23 Thread Hugo Lefeuvre
Hi Lucas,

> I uploaded version 4.2.12-2+deb8u4 of phpmyadmin to:
> 
> https://people.debian.org/~kanashiro/jessie_lts/phpmyadmin/
> 
> It has patches fixing CVE-2018-19968 and CVE-2018-19970. I did not have
> the time to determine whether jessie is affected by CVE-2018-19969
> (requested by sunweaver), I did some superficial investigation with no
> confirmation yet. This month I'll not have enough time to continue the
> investigation.
> 
> I'd appreciate some review and testing, especially related to
> CVE-2018-19968, the debdiff is attached if it helps.

will have a look later today, thanks!

cheers,
 Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
