[oe] [PATCH 1/3][meta-webserver] phpmyadmin: fix for Security Advisory CVE-2014-5273

Rongqing Li rongqing.li at windriver.com
Thu Oct 30 03:01:52 UTC 2014


Sorry, please drop it; the third patch and the second patch have
the same commit header.


-Roy

On 10/30/2014 10:50 AM, rongqing.li at windriver.com wrote:
> From: Roy Li <rongqing.li at windriver.com>
>
> Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x
> before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow
> remote authenticated users to inject arbitrary web script or HTML via the
> (1) browse table page, related to js/sql.js; (2) ENUM editor page, related
> to js/functions.js; (3) monitor page, related to js/server_status_monitor.js;
> (4) query charts page, related to js/tbl_chart.js; or (5) table relations
> page, related to libraries/tbl_relation.lib.php.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5273
>
> Signed-off-by: Roy Li <rongqing.li at windriver.com>
> ---
>   ...ug-4504-security-Self-XSS-in-query-charts.patch |   29 ++++++++++++++++++++
>   .../recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb     |    1 +
>   2 files changed, 30 insertions(+)
>   create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch
>
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch
> new file mode 100644
> index 0000000..27eac77
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch
> @@ -0,0 +1,29 @@
> +From 90ddeecf60fc029608b972e490b735f3a65ed0cb Mon Sep 17 00:00:00 2001
> +From: Madhura Jayaratne <madhura.cj at gmail.com>
> +Date: Sun, 17 Aug 2014 08:52:05 -0400
> +Subject: [PATCH] bug #4504 [security] Self-XSS in query charts
> +
> +Upstream-status: Backport
> +
> +Signed-off-by: Marc Delisle <marc at infomarc.info>
> +---
> + js/tbl_chart.js |    2 +-
> + 2 files changed, 2 insertions(+), 1 deletion(-)
> +
> + 4.2.7.0 (2014-07-31)
> +diff --git a/js/tbl_chart.js b/js/tbl_chart.js
> +index 943d4ae..04c9c40 100644
> +--- a/js/tbl_chart.js
> ++++ b/js/tbl_chart.js
> +@@ -47,7 +47,7 @@ function PMA_queryChart(data, columnNames, settings) {
> +         },
> +         axes : {
> +             xaxis : {
> +-                label : settings.xaxisLabel
> ++                label : escapeHtml(settings.xaxisLabel)
> +             },
> +             yaxis : {
> +                 label : settings.yaxisLabel
> +--
> +1.7.10.4
> +
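Review bot: the backport's header does not match its body: the diffstat says "2 files changed, 2 insertions(+), 1 deletion(-)", but only js/tbl_chart.js (one insertion, one deletion) follows, and the bare line " 4.2.7.0 (2014-07-31)" sitting between the diffstat and the `diff --git` header looks like a remnant of a ChangeLog hunk that was dropped. Either keep the ChangeLog hunk whole or remove the stray line and regenerate the diffstat so the file applies without noise. Two smaller points in the same hunk: the OpenEmbedded tag is spelled `Upstream-Status: Backport` (capital S), and only `xaxisLabel` is wrapped in `escapeHtml()` while the `yaxisLabel` context line directly below it stays as-is, so it is worth confirming against upstream commit 90ddeecf that the y-axis label is covered elsewhere before describing the query-charts page as fixed.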
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
> index 0de3f6d..c267d89 100644
> --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
> @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \
>                       file://libraries/tcpdf/LICENSE.TXT;md5=5c87b66a5358ebcc495b03e0afcd342c"
>
>   SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
> +           file://0001-bug-4504-security-Self-XSS-in-query-charts.patch \
>              file://apache.conf"
>
>   SRC_URI[md5sum] = "0dcd755450dac819f33502590c88ad29"
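Review bot: the commit message presents this as the fix for CVE-2014-5273, but the advisory text quoted above lists five injection points (js/sql.js, js/functions.js, js/server_status_monitor.js, js/tbl_chart.js and libraries/tbl_relation.lib.php), and this hunk adds only the tbl_chart.js backport to SRC_URI. Either add the upstream commits for the other four files as further `file://` entries next to this one, or move the recipe to 4.2.7.1, which the advisory names as the fixed release; if only the query-charts issue is meant to be addressed here, the commit message should say the fix is partial so the recipe is not recorded as fully patched for this CVE.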
>

-- 
Best Regards,
Roy | RongQing Li