diff -u phpmyadmin-2.9.1.1/debian/changelog phpmyadmin-2.9.1.1/debian/changelog
--- phpmyadmin-2.9.1.1/debian/changelog
+++ phpmyadmin-2.9.1.1/debian/changelog
@@ -1,3 +1,29 @@
+phpmyadmin (4:2.9.1.1-2ubuntu1.1) feisty-security; urgency=low
+
+ * SECURITY UPDATE: Cross-site scripting via multiple vectors. (LP: #162599)
+ * debian/patches/030_CVE-2007-1395.patch: Match end tag case
+ insensitively. Patch from Debian.
+ * debian/patches/030_CVE-2007-2245.patch: Correctly sanitise input to
+ browse_foreigners.php and PMA_sanitize. Patch from Debian.
+ * debian/patches/031_CVE-2007-5386.patch: Sanitise non-URL-encoded query
+ strings in scripts/setup.php. Patch from Debian.
+ * debian/patches/031_CVE-2007-5589.patch: Sanitise PHP_SELF and PATH_INFO
+ inputs in a number of places. Patch from Debian.
+ * debian/patches/033_CVE-2007-6100.patch: Sanitise convcharset as displayed
+ on authentication form.
+ * References
+ CVE-2007-1395
+ CVE-2007-2245
+ CVE-2007-5386
+ CVE-2007-5589
+ CVE-2007-6100
+ PMASA-2007-4
+ PMASA-2007-5
+ PMASA-2007-6
+ PMASA-2007-8
+
+ -- William Grant Wed, 28 Nov 2007 00:32:58 +1100
+
 phpmyadmin (4:2.9.1.1-2ubuntu1) feisty; urgency=low
 * SECURITY: Fix PHP Executor Deep Recursion Stack Overflow
only in patch2: unchanged:
--- phpmyadmin-2.9.1.1.orig/debian/patches/031_CVE-2007-5589.patch
+++ phpmyadmin-2.9.1.1/debian/patches/031_CVE-2007-5589.patch
@@ -0,0 +1,141 @@
+diff -Nur phpmyadmin-2.9.1.1.orig/libraries/common.lib.php phpmyadmin-2.9.1.1/libraries/common.lib.php
+--- phpmyadmin-2.9.1.1.orig/libraries/common.lib.php 2007-11-07 13:32:06.000000000 +0100
++++ phpmyadmin-2.9.1.1/libraries/common.lib.php 2007-11-07 13:40:44.000000000 +0100
+@@ -2010,7 +2010,7 @@
+ } elseif (!empty($tab['active'])
+ || (isset($GLOBALS['active_page'])
+ && $GLOBALS['active_page'] == $tab['link'])
+- || basename(PMA_getenv('PHP_SELF')) == $tab['link'])
++ || basename($GLOBALS['PMA_PHP_SELF']) == $tab['link'])
+ {
+ $tab['class'] = 'active';
+ }
+@@ -2305,7 +2305,7 @@
+ $checked_special = false;
+ }
+
+- $reported_script_name = basename($PHP_SELF);
++ $reported_script_name = basename($GLOBALS['PMA_PHP_SELF']);
+ $found_error = false;
+ $error_message = '';
+
+@@ -2710,6 +2710,20 @@
+ }
+
+ /**
++ * PATH_INFO could be compromised if set, so remove it from PHP_SELF
++ * and provide a clean PHP_SELF here
++ */
++$PMA_PHP_SELF = PMA_getenv('PHP_SELF');
++$_PATH_INFO = PMA_getenv('PATH_INFO');
++if (! empty($_PATH_INFO) && !
empty($PMA_PHP_SELF)) {
++ $path_info_pos = strrpos($PMA_PHP_SELF, $_PATH_INFO);
++ if ($path_info_pos + strlen($_PATH_INFO) === strlen($PMA_PHP_SELF)) {
++ $PMA_PHP_SELF = substr($PMA_PHP_SELF, 0, $path_info_pos);
++ }
++}
++$PMA_PHP_SELF = htmlspecialchars($PMA_PHP_SELF);
++
++/**
+ * just to be sure there was no import (registering) before here
+ * we empty the global space
+ */
+@@ -2723,6 +2737,7 @@
+ '_ENV',
+ '_COOKIE',
+ '_SESSION',
++ 'PMA_PHP_SELF'
+ );
+
+ foreach (get_defined_vars() as $key => $value) {
+@@ -2745,7 +2760,7 @@
+ $_POST = $subform;
+ $_REQUEST = $subform;
+ if (isset($_POST['redirect'])
+- && $_POST['redirect'] != basename(PMA_getenv('PHP_SELF'))) {
++ && $_POST['redirect'] != basename($PMA_PHP_SELF)) {
+ $__redirect = $_POST['redirect'];
+ unset($_POST['redirect']);
+ } // end if (isset($_POST['redirect']))
+diff -Nur phpmyadmin-2.9.1.1.orig/libraries/grab_globals.lib.php phpmyadmin-2.9.1.1/libraries/grab_globals.lib.php
+--- phpmyadmin-2.9.1.1.orig/libraries/grab_globals.lib.php 2006-11-19 01:28:45.000000000 +0100
++++ phpmyadmin-2.9.1.1/libraries/grab_globals.lib.php 2007-11-07 13:36:52.000000000 +0100
+@@ -104,7 +104,7 @@
+ /**
+ * globalize some environment variables
+ */
+-$server_vars = array('PHP_SELF', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
++$server_vars = array('HTTP_ACCEPT_LANGUAGE', 'HTTP_AUTHORIZATION');
+ foreach ($server_vars as $current) {
+ // its not important HOW we detect html tags
+ // its more important to prevent XSS
+diff -Nur phpmyadmin-2.9.1.1.orig/server_privileges.php phpmyadmin-2.9.1.1/server_privileges.php
+--- phpmyadmin-2.9.1.1.orig/server_privileges.php 2006-11-19 01:28:45.000000000 +0100
++++ phpmyadmin-2.9.1.1/server_privileges.php 2007-11-07 13:38:17.000000000 +0100
+@@ -1413,12 +1413,12 @@ + echo ''; + foreach ($array_initials as $tmp_initial => $initial_was_found) { + if ($initial_was_found) { +- echo '' . "\n"; ++ echo '' . "\n"; + } else { + echo ''; + } + } +- echo '' . "\n"; ++ echo '' . 
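Review bot: `strrpos()` returns `false` when PATH_INFO is not found inside PHP_SELF, and the added check on the next line then compares `false + strlen($_PATH_INFO)` (PHP evaluates this as `0 + strlen(...)`) with `strlen($PMA_PHP_SELF)`, so whenever the two strings happen to be the same length `substr($PMA_PHP_SELF, 0, false)` blanks the script name that the server_status.php links and the `redirect` comparison at line 2760 of this same patch rely on. Guard the position explicitly: `if ($path_info_pos !== false && $path_info_pos + strlen($_PATH_INFO) === strlen($PMA_PHP_SELF)) {`. Worth documenting as well that `htmlspecialchars()` is called without `ENT_QUOTES`, so the value is safe for text and double-quoted attributes only; a comment such as `// HTML-escaped for text / double-quoted attribute context; not safe inside single quotes` above the final assignment would make that contract explicit for the callers that later embed it. This is a hunk of a nested patch whose enclosing outer hunk (`@@ -0,0 +1,141 @@`) continues past the end of the page.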
"\n"; + echo '
' . $tmp_initial . '' . $tmp_initial . '' . $tmp_initial . '[' . $GLOBALS['strShowAll'] . '][' . $GLOBALS['strShowAll'] . ']
'; + + /**
+diff -Nur phpmyadmin-2.9.1.1.orig/server_status.php phpmyadmin-2.9.1.1/server_status.php
+--- phpmyadmin-2.9.1.1.orig/server_status.php 2006-11-19 01:28:45.000000000 +0100
++++ phpmyadmin-2.9.1.1/server_status.php 2007-11-07 13:37:42.000000000 +0100
+@@ -250,7 +250,7 @@
+ $links = array();
+
+ $links['table'][$strFlushTables]
+- = $PHP_SELF . '?flush=TABLES&' . PMA_generate_common_url();
++ = $PMA_PHP_SELF . '?flush=TABLES&' . PMA_generate_common_url();
+ $links['table'][$strShowOpenTables]
+ = 'sql.php?sql_query=' . urlencode('SHOW OPEN TABLES') .
+ '&goto=server_status.php&' . PMA_generate_common_url();
+@@ -265,7 +265,7 @@
+ = $cfg['MySQLManualBase'] . '/replication.html';
+
+ $links['qcache'][$strFlushQueryCache]
+- = $PHP_SELF . '?flush=' . urlencode('QUERY CACHE') . '&' .
++ = $PMA_PHP_SELF . '?flush=' . urlencode('QUERY CACHE') . '&' .
+ PMA_generate_common_url();
+ $links['qcache']['MySQL - ' . $strDocu]
+ = $cfg['MySQLManualBase'] . '/query-cache.html';
+@@ -324,10 +324,10 @@
+ ?>
+