diff -u phpmyadmin-2.10.3/debian/control phpmyadmin-2.10.3/debian/control --- phpmyadmin-2.10.3/debian/control +++ phpmyadmin-2.10.3/debian/control @@ -1,5 +1,6 @@ Source: phpmyadmin -Maintainer: Thijs Kinkhorst +Maintainer: Ubuntu MOTU Developers +XSBC-Original-Maintainer: Thijs Kinkhorst Uploaders: Michal Čihař Section: web Priority: extra diff -u phpmyadmin-2.10.3/debian/changelog phpmyadmin-2.10.3/debian/changelog --- phpmyadmin-2.10.3/debian/changelog +++ phpmyadmin-2.10.3/debian/changelog @@ -1,3 +1,27 @@ +phpmyadmin (4:2.10.3-1ubuntu0.1) gutsy-security; urgency=low + + * SECURITY UPDATE: Cross-site scripting via multiple vectors. (LP: #162599) + * debian/patches/031_CVE-2007-5386.patch: Sanitise non-URL-encoded query + strings in scripts/setup.php. Patch from Debian. + * debian/patches/031_CVE-2007-5589.patch: Sanitise PHP_SELF and PATH_INFO + inputs in a number of places. Patch from Debian. + * debian/patches/032_CVE-2007-5976.patch: Sanitise database names before + creating them (also covering CVE-2007-5977). Patch from upstream bug. + * debian/patches/033_CVE-2007-6100.patch: Sanitise convcharset as displayed + on authentication form. + * References + CVE-2007-5386 + CVE-2007-5589 + CVE-2007-5976 + CVE-2007-5977 + CVE-2007-6100 + PMASA-2007-5 + PMASA-2007-6 + PMASA-2007-7 + PMASA-2007-8 + + -- William Grant Wed, 28 Nov 2007 00:29:25 +1100 + phpmyadmin (4:2.10.3-1) unstable; urgency=low * New upstream bugfix release. diff -u phpmyadmin-2.10.3/debian/patches/00list phpmyadmin-2.10.3/debian/patches/00list --- phpmyadmin-2.10.3/debian/patches/00list +++ phpmyadmin-2.10.3/debian/patches/00list @@ -2,2 +2,6 @@ 022-setup.php_path +031_CVE-2007-5386 +031_CVE-2007-5589 +032_CVE-2007-5976 +033_CVE-2007-6100 040-fix-documentation-links only in patch2: unchanged: --- phpmyadmin-2.10.3.orig/debian/patches/031_CVE-2007-5386.dpatch +++ phpmyadmin-2.10.3/debian/patches/031_CVE-2007-5386.dpatch 
@@ -0,0 +1,19 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 031_CVE-2007-5386.dpatch by William Grant +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad phpmyadmin-2.10.3~/scripts/setup.php phpmyadmin-2.10.3/scripts/setup.php +--- phpmyadmin-2.10.3~/scripts/setup.php 2007-07-20 23:04:12.000000000 +1000 ++++ phpmyadmin-2.10.3/scripts/setup.php 2007-11-28 00:07:49.000000000 +1100 +@@ -1921,7 +1921,7 @@ + if (empty($_SERVER['REQUEST_URI']) || empty($_SERVER['HTTP_HOST'])) { + $redir = ''; + } else { +- $redir = ' If your server is also configured to accept HTTPS request follow this link to use secure connection.'; ++ $redir = ' If your server is also configured to accept HTTPS request follow this link to use secure connection.'; + } + message('warning', 'You are not using secure connection, all data (including sensitive, like passwords) are transfered unencrypted!' . $redir, 'Not secure connection'); + } only in patch2: unchanged: --- phpmyadmin-2.10.3.orig/debian/patches/032_CVE-2007-5976.dpatch +++ phpmyadmin-2.10.3/debian/patches/032_CVE-2007-5976.dpatch @@ -0,0 +1,30 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 032_CVE-2007-5976.dpatch by William Grant +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad phpmyadmin-2.10.3~/libraries/PMA_List_Database.class.php phpmyadmin-2.10.3/libraries/PMA_List_Database.class.php +--- phpmyadmin-2.10.3~/libraries/PMA_List_Database.class.php 2007-07-20 23:04:12.000000000 +1000 ++++ phpmyadmin-2.10.3/libraries/PMA_List_Database.class.php 2007-11-28 00:25:46.000000000 +1100 +@@ -368,7 +368,7 @@ + $return = '
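Review bot: The escaping fix for setup.php cannot be verified from this page, because the removed and added `$redir` lines read identically here (the link markup was stripped in rendering), and the dpatch header still carries the template text `## DP: No description.`, so the patch file itself records nothing about what it changes. Replace that header line with something a reader can act on, e.g. `## DP: CVE-2007-5386: escape the non-URL-encoded REQUEST_URI/HTTP_HOST values used for the HTTPS link on the setup.php "not secure connection" warning`. Separately, the guard on the context line above is only `empty($_SERVER['HTTP_HOST'])`, so the HTTPS link is presumably built from whatever Host header the client sent; escaping stops markup injection but, where the Host header is attacker-influenced (a catch-all virtual host, for instance), the "use secure connection" link can still point the administrator at a foreign host, so consider validating HTTP_HOST against the server's configured name before using it in the link.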
    ' . "\n"; + foreach ($this->getGroupedDetails() as $group => $dbs) { + if (count($dbs) > 1) { +- $return .= '
  • ' . $group . '
      ' . "\n"; ++ $return .= '
    • ' . htmlspecialchars($group) . '
        ' . "\n"; + // wether display db_name cuted by the group part + $cut = true; + } else { +@@ -380,8 +380,8 @@ + if ($db['name'] == $selected) { + $return .= ' class="selected"'; + } +- $return .= '>'; +- $return .= ($cut ? $db['disp_name_cut'] : $db['disp_name']) ++ $return .= '>'; ++ $return .= ($cut ? htmlspecialchars($db['disp_name_cut']) : htmlspecialchars($db['disp_name'])) + .' (' . $db['num_tables'] . ')'; + $return .= '' . "\n"; + } only in patch2: unchanged: --- phpmyadmin-2.10.3.orig/debian/patches/033_CVE-2007-6100.dpatch +++ phpmyadmin-2.10.3/debian/patches/033_CVE-2007-6100.dpatch @@ -0,0 +1,19 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 033_CVE-2007-6100.dpatch by William Grant +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad phpmyadmin-2.10.3~/libraries/auth/cookie.auth.lib.php phpmyadmin-2.10.3/libraries/auth/cookie.auth.lib.php +--- phpmyadmin-2.10.3~/libraries/auth/cookie.auth.lib.php 2007-07-20 23:04:12.000000000 +1000 ++++ phpmyadmin-2.10.3/libraries/auth/cookie.auth.lib.php 2007-11-28 00:02:48.000000000 +1100 +@@ -210,7 +210,7 @@ +
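Review bot: `$db['num_tables']` is still concatenated unescaped into the same list item, immediately after the newly escaped `disp_name`/`disp_name_cut`; if it is always an integer count that is harmless, but nothing visible here guarantees it, so either cast it (`' (' . (int) $db['num_tables'] . ')'`) or escape it like its neighbours. The `-`/`+` pair around `$return .= '>';` differs only in markup that this rendering stripped, so the change to the attribute part of the link cannot be reviewed from the page. The dpatch header keeps the template text `## DP: No description.`; suggest `## DP: CVE-2007-5976, CVE-2007-5977: escape database and group names when rendering the HTML database list in PMA_List_Database.class.php`.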
        + + +- ++ + ' . "\n"; only in patch2: unchanged: --- phpmyadmin-2.10.3.orig/debian/patches/031_CVE-2007-5589.dpatch +++ phpmyadmin-2.10.3/debian/patches/031_CVE-2007-5589.dpatch 
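Review bot: The header line `## DP: No description.` is the only place a reader of this patch could learn what it does, and it is left at the dpatch template text; the visible hunk of libraries/auth/cookie.auth.lib.php has been reduced to bare `-`/`+` markers in this rendering, so nothing else on the page documents the change. Per the changelog entry it escapes convcharset on the login form, so write that down: `## DP: CVE-2007-6100: escape convcharset before it is echoed into the cookie-auth login form (libraries/auth/cookie.auth.lib.php)`.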
@@ -0,0 +1,130 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 031_CVE-2007-5589.dpatch by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad phpmyadmin-2.10.3~/libraries/common.lib.php phpmyadmin-2.10.3/libraries/common.lib.php +--- phpmyadmin-2.10.3~/libraries/common.lib.php 2007-07-20 23:04:12.000000000 +1000 ++++ phpmyadmin-2.10.3/libraries/common.lib.php 2007-11-28 00:17:00.000000000 +1100 +@@ -1853,7 +1853,7 @@ + } elseif (!empty($tab['active']) + || (isset($GLOBALS['active_page']) + && $GLOBALS['active_page'] == $tab['link']) +- || basename(PMA_getenv('PHP_SELF')) == $tab['link']) ++ || basename($GLOBALS['PMA_PHP_SELF']) == $tab['link']) + { + $tab['class'] = 'active'; + } +@@ -2153,7 +2153,7 @@ + $checked_special = false; + } + +- $reported_script_name = basename($PHP_SELF); ++ $reported_script_name = basename($GLOBALS['PMA_PHP_SELF']); + $found_error = false; + $error_message = ''; + +@@ -2546,6 +2546,20 @@ + } + + /** ++ * PATH_INFO could be compromised if set, so remove it from PHP_SELF ++ * and provide a clean PHP_SELF here ++ */ ++$PMA_PHP_SELF = PMA_getenv('PHP_SELF'); ++$_PATH_INFO = PMA_getenv('PATH_INFO'); ++if (! empty($_PATH_INFO) && ! 
empty($PMA_PHP_SELF)) { ++ $path_info_pos = strrpos($PMA_PHP_SELF, $_PATH_INFO); ++ if ($path_info_pos + strlen($_PATH_INFO) === strlen($PMA_PHP_SELF)) { ++ $PMA_PHP_SELF = substr($PMA_PHP_SELF, 0, $path_info_pos); ++ } ++} ++$PMA_PHP_SELF = htmlspecialchars($PMA_PHP_SELF); ++ ++/** + * just to be sure there was no import (registering) before here + * we empty the global space + */ +@@ -2559,6 +2573,7 @@ + '_ENV', + '_COOKIE', + '_SESSION', ++ 'PMA_PHP_SELF' + ); + + foreach (get_defined_vars() as $key => $value) { +@@ -2605,7 +2620,7 @@ + * track this + */ + if (isset($_POST['redirect']) +- && $_POST['redirect'] != basename(PMA_getenv('PHP_SELF'))) { ++ && $_POST['redirect'] != basename($PMA_PHP_SELF)) { + $__redirect = $_POST['redirect']; + unset($_POST['redirect']); + } +diff -urNad phpmyadmin-2.10.3~/libraries/grab_globals.lib.php phpmyadmin-2.10.3/libraries/grab_globals.lib.php +--- phpmyadmin-2.10.3~/libraries/grab_globals.lib.php 2007-07-20 23:04:12.000000000 +1000 ++++ phpmyadmin-2.10.3/libraries/grab_globals.lib.php 2007-11-28 00:17:00.000000000 +1100 +@@ -104,7 +104,7 @@ + /** + * globalize some environment variables + */ +-$server_vars = array('PHP_SELF', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION'); ++$server_vars = array('HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION'); + foreach ($server_vars as $current) { + // its not important HOW we detect html tags + // its more important to prevent XSS +diff -urNad phpmyadmin-2.10.3~/server_status.php phpmyadmin-2.10.3/server_status.php +--- phpmyadmin-2.10.3~/server_status.php 2007-07-20 23:04:12.000000000 +1000 ++++ phpmyadmin-2.10.3/server_status.php 2007-11-28 00:18:45.000000000 +1100 +@@ -266,7 +266,7 @@ + // grab_globals is not available here when register_globals = Off + // and in some situations, $_SERVER['PHP_SELF'] is not defined + $links['table'][$strFlushTables] +- = PMA_getenv('PHP_SELF') . '?flush=TABLES&' . PMA_generate_common_url(); ++ = $GLOBALS['PMA_PHP_SELF'] . '?flush=TABLES&' . 
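Review bot: `strrpos()` returning `false` is not handled in the new PATH_INFO stripping block in common.lib.php: when PATH_INFO is set but is not a suffix of PHP_SELF (which can happen depending on the SAPI, as the server_status.php context comment about PHP_SELF being undefined hints), `false` is silently used as 0, and if the two strings happen to have the same length the check passes and `substr($PMA_PHP_SELF, 0, false)` empties PHP_SELF entirely. Guard it explicitly: `if ($path_info_pos !== false && $path_info_pos + strlen($_PATH_INFO) === strlen($PMA_PHP_SELF)) {`. Also, `htmlspecialchars()` is called with default flags, which leaves a single quote unescaped, so a `'` carried in PHP_SELF or PATH_INFO still breaks out of any single-quoted attribute or JavaScript string a consumer places `$PMA_PHP_SELF` into; use `$PMA_PHP_SELF = htmlspecialchars($PMA_PHP_SELF, ENT_QUOTES);`. Note that this escapes once at input for every later use, including the `basename()` comparisons against `$_POST['redirect']` and `$tab['link']`, which is only safe while the real script path contains none of the escaped characters, and that assumption deserves a comment on the assignment. The outer dpatch hunk continues past the end of this page.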
PMA_generate_common_url(); + $links['table'][$strShowOpenTables] + = 'sql.php?sql_query=' . urlencode('SHOW OPEN TABLES') . + '&goto=server_status.php&' . PMA_generate_common_url(); +@@ -281,7 +281,7 @@ + = $cfg['MySQLManualBase'] . '/replication.html'; + + $links['qcache'][$strFlushQueryCache] +- = PMA_getenv('PHP_SELF') . '?flush=' . urlencode('QUERY CACHE') . '&' . ++ = $GLOBALS['PMA_PHP_SELF'] . '?flush=' . urlencode('QUERY CACHE') . '&' . + PMA_generate_common_url(); + $links['qcache']['MySQL - ' . $strDocu] + = $cfg['MySQLManualBase'] . '/query-cache.html'; +@@ -340,10 +340,10 @@ + ?> +