[oe] [PATCH 01/15] phpmyadmin: fix for Security Advisory CVE-2014-5274
Otavio Salvador
otavio at ossystems.com.br
Mon Dec 1 10:40:14 UTC 2014
Acked-by: Otavio Salvador <otavio at ossystems.com.br>
On Sun, Nov 30, 2014 at 11:04 PM, Armin Kuster <akuster808 at gmail.com> wrote:
> From: Roy Li <rongqing.li at windriver.com>
>
> Cross-site scripting (XSS) vulnerability in the view operations page in
> phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote
> authenticated users to inject arbitrary web script or HTML via a crafted
> view name, related to js/functions.js.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5274
>
> Signed-off-by: Roy Li <rongqing.li at windriver.com>
> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
> ---
> ...4505-security-XSS-in-view-operations-page.patch | 43 ++++++++++++++++++++++
> .../recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb | 1 +
> 2 files changed, 44 insertions(+)
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch
>
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch
> new file mode 100644
> index 0000000..164a072
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch
> @@ -0,0 +1,43 @@
> +From 0cd293f5e13aa245e4a57b8d373597cc0e421b6f Mon Sep 17 00:00:00 2001
> +From: Madhura Jayaratne <madhura.cj at gmail.com>
> +Date: Sun, 17 Aug 2014 08:41:57 -0400
> +Subject: [PATCH] bug #4505 [security] XSS in view operations page
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Marc Delisle <marc at infomarc.info>
> +---
> + ChangeLog | 3 +++
> + js/functions.js | 2 +-
> + 2 files changed, 4 insertions(+), 1 deletion(-)
> +
> +diff --git a/ChangeLog b/ChangeLog
> +index 7afac1a..cec9d77 100644
> +--- a/ChangeLog
> ++++ b/ChangeLog
> +@@ -1,6 +1,9 @@
> + phpMyAdmin - ChangeLog
> + ======================
> +
> ++4.2.7.1 (2014-08-17)
> ++- bug #4505 [security] XSS in view operations page
> ++
> + 4.2.7.0 (2014-07-31)
> + - bug Broken links on home page
> + - bug #4494 Overlap in navigation panel
> +diff --git a/js/functions.js b/js/functions.js
> +index 09bfeda..a970a81 100644
> +--- a/js/functions.js
> ++++ b/js/functions.js
> +@@ -3585,7 +3585,7 @@ AJAX.registerOnload('functions.js', function () {
> + var question = PMA_messages.strDropTableStrongWarning + ' ';
> + question += $.sprintf(
> + PMA_messages.strDoYouReally,
> +- 'DROP VIEW ' + PMA_commonParams.get('table')
> ++ 'DROP VIEW ' + escapeHtml(PMA_commonParams.get('table'))
> + );
> +
> + $(this).PMA_confirm(question, $(this).attr('href'), function (url) {
> +--
> +1.7.10.4
> +
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
> index c267d89..447b778 100644
> --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
> @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \
>
> SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
> file://0001-bug-4504-security-Self-XSS-in-query-charts.patch \
> + file://0001-bug-4505-security-XSS-in-view-operations-page.patch \
> file://apache.conf"
>
> SRC_URI[md5sum] = "0dcd755450dac819f33502590c88ad29"
> --
> 1.9.1
>
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854 Mobile: +1 (347) 903-9750
More information about the Openembedded-devel
mailing list