CVE affecting phpMyAdmin 4.x

Bug #1854373 reported by it0001
Affects | Status | Importance | Assigned to | Milestone
phpmyadmin (Ubuntu) | Opinion | Undecided | William Desportes |

Bug Description

phpmyadmin 4.x is affected by the vulnerability shown in

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18622

Solution is to update to version 4.9.2.

Please take appropriate measures.

it0001 (it0001-escrypt) wrote :

Affects Ubuntu 18 and Ubuntu 16.

Eduardo Barretto (ebarretto) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

no longer affects: tcpdump (Ubuntu)
tags: added: community-security
information type: Private Security → Public Security
William Desportes (williamdes) wrote :

I think there is no fix to do since https://www.phpmyadmin.net/security/PMASA-2019-5/ clearly shows that before 4.7.7 there is no affected version.

I can see here that no distribution has 4.7.x:
https://launchpad.net/ubuntu/+source/phpmyadmin

Do you agree?

Changed in phpmyadmin (Ubuntu):
status: New → Opinion
assignee: nobody → William Desportes (williamdes)
it0001 (it0001-escrypt) wrote :

I could not find deb packages to run debdiff on.

For Ubuntu 18.04.3 LTS, last available version is 4.6.6, clearly affected by the bug.

William Desportes (williamdes) wrote :

> For Ubuntu 18.04.3 LTS, last available version is 4.6.6, clearly affected by the bug.

How?

I tested while creating the patch for the issue, and 4.6 versions are not affected.

Please explain how you can reproduce the issue on 4.6?

But if you can import 4.9.2 the users will be happy to have a new version of phpMyAdmin ^^

Paulo Flabiano Smorigo (pfsmorigo) wrote :

Hello it0001,

PMASA-2019-5 points to commit 4ba7d2fac6f384. Both affected files (move.js and database_tables.twig) are only present in focal, and the last release (4:4.9.2+dfsg1-1) fixed the issue.

Can you clarify why the releases are affected?

it0001 (it0001-escrypt) wrote :

Please have a look at https://people.canonical.com/~ubuntu-security/cve/pkg/phpmyadmin.html, looking for CVE-2019-18622. To me, it does not look solved.

it0001 (it0001-escrypt) wrote :

Hello Paulo,

phpmyadmin version 4.9.2 fixes the issues according to the following sources:

https://www.phpmyadmin.net/security/PMASA-2019-5
https://github.com/phpmyadmin/phpmyadmin/commit/ff541af95d7155d8dd326f331b5e248fea8e7111

William Desportes (williamdes) wrote :

Hi everybody,

I am a phpMyAdmin team member and I wrote the patch and found the security vulnerability.

So please choose between:
- Consider uploading the 4.9.2 version and make users happy with new features and bug fixes
- Trust me and set the CVE as unaffected

Versions before 4.7.7 are not affected because the code does not support the special characters you need to trigger the injection.

I do not want to be misunderstood; this is why my message is straightforward.

Have a nice day,
William

Paulo Flabiano Smorigo (pfsmorigo) wrote :

Hello it0001, I did the triage and updated the link you referred to in comment #7. This page is updated daily, so you're only going to see the new status, not-affected, tomorrow. As I said, only focal was affected, but it's already fixed. Trusty, xenial, bionic, and disco are not affected; the code is not present. All of them use a version before 4.7.7 (as William said in comment #9).

I really appreciate your concern. Please let me know if I missed some point in our discussion.

Thanks!
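As an added check, not part of this thread or of the Ubuntu security team's tooling: a small Python script that parses Debian-style package versions such as 4:4.9.2+dfsg1-1 and reports whether they fall inside the range the thread gives for PMASA-2019-5 (introduced in 4.7.7, fixed in 4.9.2). The range is taken from William's and Paulo's comments above; the 4.8.5 version string in the sample is constructed.

```python
import re

# Affected range as stated in this thread for PMASA-2019-5 / CVE-2019-18622:
# the vulnerable code appeared in 4.7.7 and was fixed in 4.9.2, i.e. [4.7.7, 4.9.2).
AFFECTED_FROM = (4, 7, 7)
FIXED_IN = (4, 9, 2)


def parse_debian_version(version):
    """Split a Debian package version into (epoch, upstream, revision).

    Format: [epoch:]upstream[-revision], e.g. "4:4.9.2+dfsg1-1" -> (4, "4.9.2+dfsg1", "1").
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no Debian revision present, e.g. plain "4.6.6"
        upstream, revision = revision, ""
    return epoch, upstream, revision


def upstream_tuple(upstream):
    """Reduce the upstream part to a numeric tuple, dropping repack suffixes
    such as "+dfsg1" so that "4.9.2+dfsg1" compares as (4, 9, 2)."""
    m = re.match(r"(\d+(?:\.\d+)*)", upstream)
    if not m:
        raise ValueError(f"cannot parse upstream version: {upstream!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def is_affected(version):
    """True if the package version lies inside the vulnerable range."""
    _, upstream, _ = parse_debian_version(version)
    return AFFECTED_FROM <= upstream_tuple(upstream) < FIXED_IN


if __name__ == "__main__":
    # Version strings mentioned in the thread plus one constructed in-range sample.
    for v in ["4.6.6", "4:4.9.2+dfsg1-1", "4:4.8.5+dfsg1-1"]:
        print(v, "affected" if is_affected(v) else "not affected")
```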
