Ubuntu
phpmyadmin package

few serious security issues for phpMyAdmin

Bug #162599 reported by Thomas Babut on 2007-11-14

258

Affects		Status	Importance	Assigned to	Milestone
	phpmyadmin (Ubuntu)	Fix Released	Undecided	Unassigned
	Dapper	Won't Fix	Undecided	Unassigned
	Edgy	Won't Fix	Undecided	Unassigned
	Feisty	Fix Released	Undecided	William Grant
	Gutsy	Fix Released	Undecided	William Grant
	Hardy	Fix Released	Undecided	Unassigned

Bug Description

Binary package hint: phpmyadmin

The following security issues aren't patched in the current phpMyAdmin package in Ubuntu 7.10. Earlier Ubuntu releases may be missing even more previous security patches in this package.

http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-5
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-6
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-7

In Hardy PMASA-2007-5 and PMASA-2007-6 are patched, but is missing PMASA-2007-7.

The phpMyAdmin team considers these vulnerabilities to be serious.

Related branches

lp:ubuntu/feisty-security/phpmyadmin

lp:ubuntu/gutsy-security/phpmyadmin

CVE References

Thomas Babut (thbabut) on 2007-11-15

Changed in phpmyadmin:
status:	New → Confirmed

Revision history for this message

William Grant (wgrant) wrote on 2007-11-16:

#1

Latest PMASAs fixed in each release:

- Hardy: all
- Gutsy: 2007-4
- Feisty: 2007-3
- Edgy: 2006-4
- Dapper: 2006-1

Revision history for this message

disabled.user (disabled.user-deactivatedaccount) wrote on 2007-11-21:

#2

Adding some CVE references mentioned in DSA 1370-1/DSA 1370-2, DSA 1403-1 and MDKSA-2007:229.

Revision history for this message

William Grant (wgrant) wrote on 2007-11-27:

#3

Meet PMASA-2007-8, aka. CVE-2007-6100. They're all fixed in Hardy.

Changed in phpmyadmin:
status:	Confirmed → Fix Released
status:	New → Confirmed
status:	New → Confirmed
status:	New → Confirmed
status:	New → Confirmed

Revision history for this message

William Grant (wgrant) wrote on 2007-11-27:

#4

gutsy debdiff Edit (12.1 KiB, text/plain)

Changed in phpmyadmin:
assignee:	nobody → fujitsu
status:	Confirmed → In Progress
assignee:	nobody → fujitsu
status:	Confirmed → In Progress

Revision history for this message

William Grant (wgrant) wrote on 2007-11-27:

#5

feisty debdiff Edit (13.5 KiB, text/plain)

Be warned, the feisty version uses yada, so has a habit of regenerating its control file.

Revision history for this message

Kees Cook (kees) wrote on 2007-12-03:

#6

Thanks for preparing this! I've uploaded it to the security queue; it should be published shortly.

Changed in phpmyadmin:
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed

Revision history for this message

William Grant (wgrant) wrote on 2007-12-04:

#7

phpmyadmin (4:2.10.3-1ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Cross-site scripting via multiple vectors. (LP: #162599)
  * debian/patches/031_CVE-2007-5386.patch: Sanitise non-URL-encoded query
    strings in scripts/setup.php. Patch from Debian.
  * debian/patches/031_CVE-2007-5589.patch: Sanitise PHP_SELF and PATH_INFO
    inputs in a number of places. Patch from Debian.
  * debian/patches/032_CVE-2007-5976.patch: Sanitise database names before
    creating them (also covering CVE-2007-5977). Patch from upstream bug.
  * debian/patches/033_CVE-2007-6100.patch: Sanitise convcharset as displayed
    on authentication form.
  * References
    CVE-2007-5386
    CVE-2007-5589
    CVE-2007-5976
    CVE-2007-5977
    CVE-2007-6100
    PMASA-2007-5
    PMASA-2007-6
    PMASA-2007-7
    PMASA-2007-8

-- William Grant <email address hidden> Wed, 28 Nov 2007 00:29:25 +1100

Revision history for this message

William Grant (wgrant) wrote on 2007-12-04:

#8

phpmyadmin (4:2.9.1.1-2ubuntu1.1) feisty-security; urgency=low

  * SECURITY UPDATE: Cross-site scripting via multiple vectors. (LP: #162599)
  * debian/patches/030_CVE-2007-1395.patch: Match </script> end tag case
    insensitively. Patch from Debian.
  * debian/patches/030_CVE-2007-2245.patch: Correctly sanitise input to
    browse_foreigners.php and PMA_sanitize. Patch from Debian.
  * debian/patches/031_CVE-2007-5386.patch: Sanitise non-URL-encoded query
    strings in scripts/setup.php. Patch from Debian.
  * debian/patches/031_CVE-2007-5589.patch: Sanitise PHP_SELF and PATH_INFO
    inputs in a number of places. Patch from Debian.
  * debian/patches/033_CVE-2007-6100.patch: Sanitise convcharset as displayed
    on authentication form.
  * References
    CVE-2007-1395
    CVE-2007-2245
    CVE-2007-5386
    CVE-2007-5589
    CVE-2007-6100
    PMASA-2007-4
    PMASA-2007-5
    PMASA-2007-6
    PMASA-2007-8

-- William Grant <email address hidden> Wed, 28 Nov 2007 00:32:58 +1100

Changed in phpmyadmin:
status:	Fix Committed → Fix Released
status:	Fix Committed → Fix Released

Revision history for this message

Hew (hew) wrote on 2008-07-24:

#9

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in phpmyadmin:
status:	Confirmed → Won't Fix

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2011-10-14:

#10

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in phpmyadmin (Ubuntu Dapper):
status:	Confirmed → Won't Fix

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.