[oe] [meta-oe][PATCH] phpmyadmin: Security Advisory-phpmyadmin-CVE-2016-2561
Zhixiong Chi
zhixiong.chi at windriver.com
Thu May 5 08:14:38 UTC 2016
Ignore it. I will resend for this issue.
On 2016年05月05日 16:05, Zhixiong Chi wrote:
> Backport patches from phpmyadmin upstream
> <https://github.com/phpmyadmin/phpmyadmin> to fix CVE-2016-2561
> <commit 37c34d089aa19f30d11203bb0c7f85b486424372>
> <commit f33a42f1da9db943a67bda7d29f7dd91957a8e7e>
> <commit 746240bd13b62b5956fc34389cfbdc09e1e67775>
> <commit 983faa94f161df3623ecd371d3696a1b3f91c15f>
> <commit bcd4ce8cba1272fca52f2331c08f2e3ac19cbbef>
> <commit cc55f44a4a90147a007dee1aefa1cb529e23798b>
>
> Prevent remote authenticated users from injecting arbitrary web script or
> HTML via (1) normalization.php or (2) js/normalization.js in the database
> normalization page, (3) templates/database/structure/sortable_header.phtml
> in the database structure page, or (4) the pos parameter to
> db_central_columns.php in the central columns page.
>
> Signed-off-by: Zhixiong Chi <Zhixiong.Chi at windriver.com>
> ---
> .../phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch | 49 ++++++++++++++++++++++
> .../phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch | 20 +++++++++
> .../phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch | 40 ++++++++++++++++++
> .../phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch | 20 +++++++++
> .../phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch | 20 +++++++++
> .../phpmyadmin/phpmyadmin-CVE-2016-2561.patch | 29 +++++++++++++
> .../recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb | 6 +++
> 7 files changed, 184 insertions(+)
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561.patch
>
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch
> new file mode 100644
> index 0000000..8be4fba
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch
> @@ -0,0 +1,49 @@
> +Subject: [PATCH] Fix XSS in normalization.js
> +
> +Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
> +Index: phpMyAdmin-4.5.0.2-all-languages/js/functions.js
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/js/functions.js 2016-05-04 11:02:08.167888778 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/js/functions.js 2016-05-04 14:08:57.427966930 +0800
> +@@ -220,6 +220,24 @@
> + }
> + }
> +
> ++function escapeJsString(unsafe) {
> ++ if (typeof(unsafe) != 'undefined') {
> ++ return unsafe
> ++ .toString()
> ++ .replace("\000", '')
> ++ .replace('\\', '\\\\')
> ++ .replace('\'', '\\\'')
> ++ .replace("'", "\\\'")
> ++ .replace('"', '\"')
> ++ .replace(""", "\"")
> ++ .replace("\n", '\n')
> ++ .replace("\r", '\r')
> ++ .replace(/<\/script/gi, '</\' + \'script')
> ++ } else {
> ++ return false;
> ++ }
> ++}
> ++
> + function PMA_sprintf() {
> + return sprintf.apply(this, arguments);
> + }
> +Index: phpMyAdmin-4.5.0.2-all-languages/js/normalization.js
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/js/normalization.js 2016-05-04 11:30:15.767900544 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/js/normalization.js 2016-05-04 14:20:40.943971835 +0800
> +@@ -638,7 +638,7 @@
> + '</ol>';
> + $("#newCols").html(confirmStr);
> + $('.tblFooters').html('<input type="submit" value="' + PMA_messages.strCancel + '" onclick="$(\'#newCols\').html(\'\');$(\'#extra input[type=checkbox]\').removeAttr(\'checked\')"/>' +
> +- '<input type="submit" value="' + PMA_messages.strGo + '" onclick="moveRepeatingGroup(\'' + repeatingCols + '\')"/>');
> ++ '<input type="submit" value="' + PMA_messages.strGo + '" onclick="moveRepeatingGroup(\'' + escapeJsString(escapeHtml(repeatingCols)) + '\')"/>');
> + }
> + });
> + $("#mainContent p").on("click", "#createPrimaryKey", function(event) {
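Review bot: Every string-pattern `.replace()` in `escapeJsString` rewrites only the first match, so a value with a second quote or backslash keeps it unescaped when spliced into the `onclick="moveRepeatingGroup('…')"` string below; the same helper guards the `processDependencies` call in phpmyadmin-CVE-2016-2561-5.patch and the selector lookups in phpmyadmin-CVE-2016-2561.patch. Global regexes close that gap, e.g. `.replace(/\\/g, '\\\\')` and `.replace(/'/g, '\\\'')`. As rendered here the `"""` argument is not valid JavaScript, and the `'\"'`, `'\n'` and `'\r'` replacements map a character to itself; presumably the archive decoded HTML entities, so compare the patch file byte-for-byte with the upstream commit before applying. Longer term, binding the handler with jQuery and passing the value as data avoids building an inline `onclick` string at all.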
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch
> new file mode 100644
> index 0000000..149eba3
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch
> @@ -0,0 +1,20 @@
> +Subject: [PATCH] Fix XSS in normalization
> +
> +Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
> +Index: phpMyAdmin-4.5.0.2-all-languages/normalization.php
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/normalization.php 2016-05-04 11:02:07.139888770 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/normalization.php 2016-05-04 14:29:25.031975489 +0800
> +@@ -72,7 +72,7 @@
> + $scripts->addFile('normalization.js');
> + $scripts->addFile('jquery/jquery.uitablefilter.js');
> + $normalForm = '1nf';
> +-if (isset($_REQUEST['normalizeTo'])) {
> ++if (PMA_isValid($_REQUEST['normalizeTo'],array('1nf','2nf','3nf'))) {
> + $normalForm = $_REQUEST['normalizeTo'];
> + }
> + if (isset($_REQUEST['createNewTables2NF'])) {
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch
> new file mode 100644
> index 0000000..6b699f6
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch
> @@ -0,0 +1,40 @@
> +Subject: [PATCH] Fix XSS in database structure page
> +
> +Signed-off-by: Michal Čihař <michal at cihar.com>
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
> +Index: phpMyAdmin-4.5.0.2-all-languages/templates/database/structure/sortable_header.phtml
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/templates/database/structure/sortable_header.phtml 2015-09-25 19:55:50.000000000 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/templates/database/structure/sortable_header.phtml 2016-05-04 14:39:57.703979900 +0800
> +@@ -51,16 +51,20 @@
> + }
> + $_url_params = array(
> + 'db' => $_REQUEST['db'],
> ++ 'pos' => 0, // We set the position back to 0 every time they sort.
> ++ 'sort' => $sort,
> ++ 'sort_order' => $future_sort_order,
> + );
> +-$url = 'db_structure.php' . PMA_URL_getCommon($_url_params);
> +-// We set the position back to 0 every time they sort.
> +-$url .= "&pos=0&sort=$sort&sort_order=$future_sort_order";
> +-if (! empty($_REQUEST['tbl_type'])) {
> +- $url .= "&tbl_type=" . $_REQUEST['tbl_type'];
> ++
> ++if (PMA_isValid($_REQUEST['tbl_type'], array('view', 'table'))) {
> ++ $_url_params['tbl_type'] = $_REQUEST['tbl_type'];
> + }
> + if (! empty($_REQUEST['tbl_group'])) {
> +- $url .= "&tbl_group=" . $_REQUEST['tbl_group'];
> ++ $_url_params['tbl_group']= $_REQUEST['tbl_group'];
> + }
> ++
> ++$url = 'db_structure.php' . PMA_URL_getCommon($_url_params);
> ++
> + echo PMA_Util::linkOrButton(
> + $url, $title . $order_img, $order_link_params
> +-);
> +\ No newline at end of file
> ++);
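Review bot: `tbl_group` is still accepted with only a `! empty()` check while `tbl_type` next to it now gets an allow-list, so its safety rests entirely on PMA_URL_getCommon() encoding the value, which is defined outside this hunk. A comment above the `$_url_params` array would keep a later edit from returning to string concatenation, e.g. `// request values are only safe in the link because PMA_URL_getCommon() URL-encodes them`. As a style point, `$_url_params['tbl_group']= ` lacks the space before `=` that the `tbl_type` assignment above it has.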
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch
> new file mode 100644
> index 0000000..27ff9ff
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch
> @@ -0,0 +1,20 @@
> +Subject: [PATCH] Fix XSS in normalization.js
> +
> +Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
> +Index: phpMyAdmin-4.5.0.2-all-languages/js/normalization.js
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/js/normalization.js 2016-05-04 14:20:40.943971835 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/js/normalization.js 2016-05-04 14:45:22.223982162 +0800
> +@@ -82,7 +82,7 @@
> + $("#mainContent #extra").html(data.extra);
> + $("#mainContent #newCols").html('');
> + if (data.subText !== '') {
> +- $('.tblFooters').html('<input type="submit" value="' + PMA_messages.strDone + '" onclick="processDependencies(\'' + data.primary_key + '\');">');
> ++ $('.tblFooters').html('<input type="submit" value="' + PMA_messages.strDone + '" onclick="processDependencies(\'' + escapeJsString(escapeHtml(data.primary_key)) + '\');">');
> + } else {
> + if (normalizeto === '3nf') {
> + $("#mainContent #newCols").html(PMA_messages.strToNextStep);
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch
> new file mode 100644
> index 0000000..4a58b4c
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch
> @@ -0,0 +1,20 @@
> +ubject: [PATCH] Escape selectors
> +
> +Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
> +Index: phpMyAdmin-4.5.0.2-all-languages/db_central_columns.php
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/db_central_columns.php 2015-09-25 19:55:50.000000000 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/db_central_columns.php 2016-05-04 14:47:45.003983158 +0800
> +@@ -92,7 +92,7 @@
> + } else {
> + $total_rows = PMA_getCentralColumnsCount($db);
> + }
> +-if (isset($_REQUEST['pos'])) {
> ++if (PMA_isValid($_REQUEST['pos'], 'integer')) {
> + $pos = $_REQUEST['pos'];
> + } else {
> + $pos = 0;
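Review bot: The patch header starts with `ubject:` (the `S` is missing), and its subject `Escape selectors` is copied from phpmyadmin-CVE-2016-2561.patch although this patch validates `pos` in db_central_columns.php. Restore it as `Subject: [PATCH] <subject of the upstream commit>` and name that commit next to `Upstream-Status: Backport` so the backport can be checked against upstream. PMA_isValid() is defined outside this hunk; if its `'integer'` mode compares `gettype()`, a request parameter (which arrives as a string) would never pass and `$pos` would always be 0, so confirm paging still works and store the value as `$pos = (int) $_REQUEST['pos'];`.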
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561.patch
> new file mode 100644
> index 0000000..48e1aac
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561.patch
> @@ -0,0 +1,29 @@
> +Subject: [PATCH] Escape selectors
> +
> +Signed-off-by: Madhura Jayaratne <madhura.cj at gmail.com>
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
> +Index: phpMyAdmin-4.5.0.2-all-languages/js/normalization.js
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/js/normalization.js 2016-05-04 11:02:07.295888771 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/js/normalization.js 2016-05-04 11:30:15.767900544 +0800
> +@@ -128,7 +128,7 @@
> + $("#mainContent #newCols").html('');
> + $('.tblFooters').html('');
> + for(var pk in primary_key) {
> +- $("#extra input[value='" + primary_key[pk] + "']").attr("disabled","disabled");
> ++ $("#extra input[value='" + escapeJsString(primary_key[pk]) + "']").attr("disabled","disabled");
> + }
> + }
> + );
> +@@ -153,7 +153,7 @@
> + $('.tblFooters').html('');
> + primary_key = $.parseJSON(data.primary_key);
> + for(var pk in primary_key) {
> +- $("#extra input[value='" + primary_key[pk] + "']").attr("disabled","disabled");
> ++ $("#extra input[value='" + escapeJsString(primary_key[pk]) + "']").attr("disabled","disabled");
> + }
> + }
> + );
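Review bot: In both changed selector lines `escapeJsString()` is applied to a value that lands inside a jQuery attribute selector rather than a JavaScript string literal, so its escaping rules do not match the context, and for undefined input it returns `false`, which is then concatenated as text. Comparing the attribute directly avoids building a selector from data: `$("#extra input").filter(function () { return this.getAttribute("value") === String(primary_key[pk]); }).attr("disabled", "disabled");`. Both enclosing callbacks start and end outside the hunks shown.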
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb
> index ac32185..3be90ba 100644
> --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb
> @@ -9,6 +9,12 @@ SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/4.5.0.2/phpMyAdmin-4.5.0.2-al
> file://Port-content-spoofing-fix-CVE-2015-7873.patch \
> file://apache.conf \
> file://phpmyadmin-CVE-2015-8669.patch \
> + file://phpmyadmin-CVE-2016-2561.patch \
> + file://phpmyadmin-CVE-2016-2561-2.patch \
> + file://phpmyadmin-CVE-2016-2561-3.patch \
> + file://phpmyadmin-CVE-2016-2561-4.patch \
> + file://phpmyadmin-CVE-2016-2561-5.patch \
> + file://phpmyadmin-CVE-2016-2561-6.patch \
> "
>
> SRC_URI[md5sum] = "2d08d2fcc8f70f88a11a14723e3ca275"
--
---------------------
Thanks,
Zhixiong Chi
Tel: +86-10-8477-7036