2023-04-12 14:30:52 |
William Desportes |
bug |
|
|
added bug |
2023-04-12 20:08:21 |
Athos Ribeiro |
tags |
patch sru-release verification-needed-jammy |
|
|
2023-04-12 23:46:07 |
Athos Ribeiro |
bug |
|
|
added subscriber Athos Ribeiro |
2023-05-02 07:28:04 |
William Desportes |
bug task added |
|
phpmyadmin (Debian) |
|
2023-05-02 07:28:21 |
William Desportes |
phpmyadmin (Debian): status |
New |
Fix Released |
|
2023-05-02 07:28:21 |
William Desportes |
phpmyadmin (Debian): assignee |
|
William Desportes (williamdes) |
|
2023-05-12 13:09:13 |
Athos Ribeiro |
nominated for series |
|
Ubuntu Jammy |
|
2023-05-12 13:09:13 |
Athos Ribeiro |
bug task added |
|
phpmyadmin (Ubuntu Jammy) |
|
2023-05-12 13:09:13 |
Athos Ribeiro |
nominated for series |
|
Ubuntu Kinetic |
|
2023-05-12 13:09:13 |
Athos Ribeiro |
bug task added |
|
phpmyadmin (Ubuntu Kinetic) |
|
2023-05-12 13:09:25 |
Athos Ribeiro |
phpmyadmin (Ubuntu): status |
New |
Fix Released |
|
2023-05-13 16:28:25 |
Athos Ribeiro |
summary |
[SRU] add PHP 8 on Apache2 conf |
Add PHP 8 support on Apache2 conf |
|
2023-05-13 18:10:09 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/phpmyadmin/+git/phpmyadmin/+merge/442796 |
|
2023-05-13 18:10:10 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/phpmyadmin/+git/phpmyadmin/+merge/442797 |
|
2023-05-13 23:54:15 |
Athos Ribeiro |
description |
[ Impact ]
* The PHP 8 support in Apache2 conf will allow users to have a correct PHP `include_path`
and prevent issues like (https://github.com/phpmyadmin/phpmyadmin/issues/18299).
This fix is already upstream Debian and released.
[ Test Plan ]
* To reproduce the `include_path` bug
- install phpmyadmin and `libapache2-mod-php`
- browse http://localhost/phpmyadmin
- See the working UI
- set `php_admin_value open_basedir .` in an Apache2 conf file
of your choice in `/etc/apache2/conf-enabled/`.
- restart Apache2
- refresh the page, error 500 reported at phpMyAdmin issue #18299
- add the config block from my patch
- restart Apache2
- See the working UI
[ Where problems could occur ]
* If the Apache2 config had a wrong syntax the server would not start.
If it did not work, the reproduction steps would still lead to the 500 error.
[ Other Info ]
See: https://bugs.launchpad.net/ubuntu/+source/phpmyadmin/+bug/2013402 |
[ Impact ]
* The PHP 8 support in Apache2 conf will allow users to have a correct PHP `include_path`
and prevent issues like (https://github.com/phpmyadmin/phpmyadmin/issues/18299).
[ Test Plan ]
* From a fresh ubuntu installation:
- install phpmyadmin and libapache2-mod-php
- browse to http://localhost/phpmyadmin and verify that the UI is working as expected (i.e., you see a login page).
- append "php_admin_value open_basedir ." to /etc/apache2/conf-enabled/phpmyadmin.conf
- restart Apache2
- browse to http://localhost/phpmyadmin again and verify that the UI is no longer working as expected. You now see a blank page and /var/log/apache2/error.log has an error like
PHP Fatal error: Uncaught Error: Failed opening required 'PhpMyAdmin/MoTranslator/autoload.php' (include_path='.:/usr/share/php')
- Perform all the steps above, now with a phpmyadmin package with the proposed fix
- verify that the error no longer occurs.
[ Where problems could occur ]
* If the Apache2 config had a wrong syntax the server would not start.
If it did not work, the reproduction steps would still lead to the 500 error.
[ Other Info ]
This issue has been fixed from lunar and on.
See: https://github.com/phpmyadmin/phpmyadmin/issues/18299
See: https://bugs.launchpad.net/ubuntu/+source/phpmyadmin/+bug/2013402 |
|
2023-05-14 01:59:37 |
Athos Ribeiro |
description |
[ Impact ]
* The PHP 8 support in Apache2 conf will allow users to have a correct PHP `include_path`
and prevent issues like (https://github.com/phpmyadmin/phpmyadmin/issues/18299).
[ Test Plan ]
* From a fresh ubuntu installation:
- install phpmyadmin and libapache2-mod-php
- browse to http://localhost/phpmyadmin and verify that the UI is working as expected (i.e., you see a login page).
- append "php_admin_value open_basedir ." to /etc/apache2/conf-enabled/phpmyadmin.conf
- restart Apache2
- browse to http://localhost/phpmyadmin again and verify that the UI is no longer working as expected. You now see a blank page and /var/log/apache2/error.log has an error like
PHP Fatal error: Uncaught Error: Failed opening required 'PhpMyAdmin/MoTranslator/autoload.php' (include_path='.:/usr/share/php')
- Perform all the steps above, now with a phpmyadmin package with the proposed fix
- verify that the error no longer occurs.
[ Where problems could occur ]
* If the Apache2 config had a wrong syntax the server would not start.
If it did not work, the reproduction steps would still lead to the 500 error.
[ Other Info ]
This issue has been fixed from lunar and on.
See: https://github.com/phpmyadmin/phpmyadmin/issues/18299
See: https://bugs.launchpad.net/ubuntu/+source/phpmyadmin/+bug/2013402 |
[ Impact ]
In Focal, the apache2 configuration file shipped with phpmyadmin sets 2 php.ini directives through "php_admin_value": upload_tmp_dir and open_basedir.
After the PHP 8 transition an unintentional regression was introduced and these directives are no longer being set. As a consequence, the temporary phpmyadmin directory at /var/lib/phpmyadmin/tmp is no longer being used as the temporary path for uploads. Instead, the system temp path is used.
Moreover (and more relevant), open_basedir is set to NULL, meaning that the php process running phpmyadmin can easily read files outside of the phpmyadmin package scope.
However, due to the notes in https://www.php.net/manual/en/ini.core.php#ini.open-basedir, it is arguable whether this should be treated as a security threat [1,2,3,4].
[1] https://externals.io/message/105606
[2] https://externals.io/message/115406
[3] https://wiki.php.net/security#not_a_security_issue
[4] https://www.php.net/manual/en/ini.core.php#ini.open-basedir
Finally, this regression could also cause crashes when users set open_basedir globally for apache2 somehow, as discussed in https://github.com/phpmyadmin/phpmyadmin/issues/18299.
[ Test Plan ]
* From a fresh ubuntu installation:
- install phpmyadmin and libapache2-mod-php
- browse to http://localhost/phpmyadmin and verify that the UI is working as expected (i.e., you see a login page).
- append "php_admin_value open_basedir ." to /etc/apache2/conf-enabled/phpmyadmin.conf
- restart Apache2
- browse to http://localhost/phpmyadmin again and verify that the UI is no longer working as expected. You now see a blank page and /var/log/apache2/error.log has an error like
PHP Fatal error: Uncaught Error: Failed opening required 'PhpMyAdmin/MoTranslator/autoload.php' (include_path='.:/usr/share/php')
- Perform all the steps above, now with a phpmyadmin package with the proposed fix
- verify that the error no longer occurs.
ALTERNATIVELY:
Append the following code snippet to the beginning of /usr/share/phpmyadmin/index.php, right after the imports (i.e., "use ...")
$secret_file = '/etc/hosts';
$secret = file_get_contents($secret_file);
if ($secret) {
error_log($secret);
}
Restart apache2 and browse to http://localhost/phpmyadmin.
Now, check /var/log/apache2/error.log.
Affected systems will contain an entry with the contents of /etc/hosts, while patched systems will contain
file_get_contents(): open_basedir restriction in effect....
file_get_contents(/etc/hosts): Failed to open stream: Operation not permitted ...
[ Where problems could occur ]
Some users may be relying on the upload_tmp_dir being set to /tmp to perform additional verification or collect metrics during phpmyadmin runtime. This would create a regression for those users.
Moreover, users could be extending phpmyadmin in unusual ways by relying on the fact that open_basedir is not set (being able to access the whole filesystem through its php process). This would also create a regression for those users.
[ Other Info ]
This issue has been fixed from lunar and on.
See: https://github.com/phpmyadmin/phpmyadmin/issues/18299
See: https://bugs.launchpad.net/ubuntu/+source/phpmyadmin/+bug/2013402 |
|
2023-08-07 15:34:53 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/phpmyadmin/+git/phpmyadmin/+merge/448616 |
|
2023-08-07 16:37:55 |
Athos Ribeiro |
phpmyadmin (Ubuntu Kinetic): status |
New |
Won't Fix |
|
2023-08-07 16:37:59 |
Athos Ribeiro |
phpmyadmin (Ubuntu Jammy): status |
New |
In Progress |
|
2023-08-07 16:38:37 |
Athos Ribeiro |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-08-23 03:20:00 |
Chris Halse Rogers |
phpmyadmin (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2023-08-23 03:20:04 |
Chris Halse Rogers |
bug |
|
|
added subscriber SRU Verification |
2023-08-23 03:20:07 |
Chris Halse Rogers |
tags |
|
verification-needed verification-needed-jammy |
|
2023-08-31 19:21:33 |
Athos Ribeiro |
tags |
verification-needed verification-needed-jammy |
verification-done verification-done-jammy |
|
2023-12-13 04:56:47 |
Chris Halse Rogers |
phpmyadmin (Ubuntu Jammy): status |
Fix Committed |
Confirmed |
|
2023-12-13 04:56:51 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-12-13 04:56:59 |
Chris Halse Rogers |
removed subscriber SRU Verification |
|
|
|