From: Zhixiong Chi <zhixiong.chi@windriver.com>
To: <openembedded-devel@lists.openembedded.org>
Subject: Re: [meta-oe][PATCH] phpmyadmin: Security Advisory-phpmyadmin-CVE-2016-2561
Date: Thu, 5 May 2016 16:14:38 +0800
Message-ID: <572B00EE.3070402@windriver.com>
In-Reply-To: <1462435531-5587-1-git-send-email-Zhixiong.Chi@windriver.com>
Ignore it. I will resend for this issue.
On 2016-05-05 16:05, Zhixiong Chi wrote:
> Backport patches from phpmyadmin upstream
> <https://github.com/phpmyadmin/phpmyadmin> to fix CVE-2016-2561
> <commit 37c34d089aa19f30d11203bb0c7f85b486424372>
> <commit f33a42f1da9db943a67bda7d29f7dd91957a8e7e>
> <commit 746240bd13b62b5956fc34389cfbdc09e1e67775>
> <commit 983faa94f161df3623ecd371d3696a1b3f91c15f>
> <commit bcd4ce8cba1272fca52f2331c08f2e3ac19cbbef>
> <commit cc55f44a4a90147a007dee1aefa1cb529e23798b>
>
> Prevent remote authenticated users from injecting arbitrary web script or
> HTML via (1) normalization.php or (2) js/normalization.js in the database
> normalization page, (3) templates/database/structure/sortable_header.phtml
> in the database structure page, or (4) the pos parameter to
> db_central_columns.php in the central columns page.
>
> Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
> ---
> .../phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch | 49 ++++++++++++++++++++++
> .../phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch | 20 +++++++++
> .../phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch | 40 ++++++++++++++++++
> .../phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch | 20 +++++++++
> .../phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch | 20 +++++++++
> .../phpmyadmin/phpmyadmin-CVE-2016-2561.patch | 29 +++++++++++++
> .../recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb | 6 +++
> 7 files changed, 184 insertions(+)
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch
> create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561.patch
>
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch
> new file mode 100644
> index 0000000..8be4fba
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch
> @@ -0,0 +1,49 @@
> +Subject: [PATCH] Fix XSS in normalization.js
> +
> +Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> +Index: phpMyAdmin-4.5.0.2-all-languages/js/functions.js
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/js/functions.js 2016-05-04 11:02:08.167888778 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/js/functions.js 2016-05-04 14:08:57.427966930 +0800
> +@@ -220,6 +220,24 @@
> + }
> + }
> +
> ++function escapeJsString(unsafe) {
> ++ if (typeof(unsafe) != 'undefined') {
> ++ return unsafe
> ++ .toString()
> ++ .replace("\000", '')
> ++ .replace('\\', '\\\\')
> ++ .replace('\'', '\\\'')
> ++ .replace("'", "\\\'")
> ++ .replace('"', '\"')
> ++ .replace(""", "\"")
> ++ .replace("\n", '\n')
> ++ .replace("\r", '\r')
> ++ .replace(/<\/script/gi, '</\' + \'script')
> ++ } else {
> ++ return false;
> ++ }
> ++}
> ++
> + function PMA_sprintf() {
> + return sprintf.apply(this, arguments);
> + }
> +Index: phpMyAdmin-4.5.0.2-all-languages/js/normalization.js
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/js/normalization.js 2016-05-04 11:30:15.767900544 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/js/normalization.js 2016-05-04 14:20:40.943971835 +0800
> +@@ -638,7 +638,7 @@
> + '</ol>';
> + $("#newCols").html(confirmStr);
> + $('.tblFooters').html('<input type="submit" value="' + PMA_messages.strCancel + '" onclick="$(\'#newCols\').html(\'\');$(\'#extra input[type=checkbox]\').removeAttr(\'checked\')"/>' +
> +- '<input type="submit" value="' + PMA_messages.strGo + '" onclick="moveRepeatingGroup(\'' + repeatingCols + '\')"/>');
> ++ '<input type="submit" value="' + PMA_messages.strGo + '" onclick="moveRepeatingGroup(\'' + escapeJsString(escapeHtml(repeatingCols)) + '\')"/>');
> + }
> + });
> + $("#mainContent p").on("click", "#createPrimaryKey", function(event) {
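Review bot: In escapeJsString() (the js/functions.js hunk), every .replace() except the last one takes a string pattern, and in JavaScript a string pattern replaces only the first occurrence, so a value containing two backslashes or two quotes is only partly escaped. Use global regular expressions (for example /\\/g and /'/g), as the final </script replacement already does. As the lines appear here, .replace(""", "\"") is not valid JavaScript and .replace("'", "\\\'") repeats the line above it, which suggests entity-encoded arguments were decoded somewhere in transit; the resend should be compared against the upstream commit character for character.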
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch
> new file mode 100644
> index 0000000..149eba3
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch
> @@ -0,0 +1,20 @@
> +Subject: [PATCH] Fix XSS in normalization
> +
> +Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> +Index: phpMyAdmin-4.5.0.2-all-languages/normalization.php
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/normalization.php 2016-05-04 11:02:07.139888770 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/normalization.php 2016-05-04 14:29:25.031975489 +0800
> +@@ -72,7 +72,7 @@
> + $scripts->addFile('normalization.js');
> + $scripts->addFile('jquery/jquery.uitablefilter.js');
> + $normalForm = '1nf';
> +-if (isset($_REQUEST['normalizeTo'])) {
> ++if (PMA_isValid($_REQUEST['normalizeTo'],array('1nf','2nf','3nf'))) {
> + $normalForm = $_REQUEST['normalizeTo'];
> + }
> + if (isset($_REQUEST['createNewTables2NF'])) {
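Review bot: The header of this patch says only "Upstream-Status: Backport", without naming which of the six upstream commits listed in the cover message it corresponds to, and the same holds for the other five patch files. Please record the commit id in each header, e.g. "Upstream-Status: Backport [<commit id>]", and add a "CVE: CVE-2016-2561" line so the fix can be traced from the recipe. The code change itself, restricting normalizeTo to the allow-list '1nf', '2nf', '3nf' before it is assigned to $normalForm, looks right.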
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch
> new file mode 100644
> index 0000000..6b699f6
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch
> @@ -0,0 +1,40 @@
> +Subject: [PATCH] Fix XSS in database structure page
> +
> +Signed-off-by: Michal Čihař <michal@cihar.com>
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> +Index: phpMyAdmin-4.5.0.2-all-languages/templates/database/structure/sortable_header.phtml
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/templates/database/structure/sortable_header.phtml 2015-09-25 19:55:50.000000000 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/templates/database/structure/sortable_header.phtml 2016-05-04 14:39:57.703979900 +0800
> +@@ -51,16 +51,20 @@
> + }
> + $_url_params = array(
> + 'db' => $_REQUEST['db'],
> ++ 'pos' => 0, // We set the position back to 0 every time they sort.
> ++ 'sort' => $sort,
> ++ 'sort_order' => $future_sort_order,
> + );
> +-$url = 'db_structure.php' . PMA_URL_getCommon($_url_params);
> +-// We set the position back to 0 every time they sort.
> +-$url .= "&pos=0&sort=$sort&sort_order=$future_sort_order";
> +-if (! empty($_REQUEST['tbl_type'])) {
> +- $url .= "&tbl_type=" . $_REQUEST['tbl_type'];
> ++
> ++if (PMA_isValid($_REQUEST['tbl_type'], array('view', 'table'))) {
> ++ $_url_params['tbl_type'] = $_REQUEST['tbl_type'];
> + }
> + if (! empty($_REQUEST['tbl_group'])) {
> +- $url .= "&tbl_group=" . $_REQUEST['tbl_group'];
> ++ $_url_params['tbl_group']= $_REQUEST['tbl_group'];
> + }
> ++
> ++$url = 'db_structure.php' . PMA_URL_getCommon($_url_params);
> ++
> + echo PMA_Util::linkOrButton(
> + $url, $title . $order_img, $order_link_params
> +-);
> +\ No newline at end of file
> ++);
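Review bot: tbl_group is still accepted with only a "! empty()" check, while tbl_type next to it is now restricted to 'view' or 'table', so the safety of tbl_group rests entirely on PMA_URL_getCommon() encoding the values in $_url_params. That is probably the intent of moving the parameters out of the hand-built "&tbl_group=" string, but it deserves a sentence in the patch description. Minor style point: "$_url_params['tbl_group']= $_REQUEST['tbl_group'];" is missing the space before "=".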
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch
> new file mode 100644
> index 0000000..27ff9ff
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch
> @@ -0,0 +1,20 @@
> +Subject: [PATCH] Fix XSS in normalization.js
> +
> +Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> +Index: phpMyAdmin-4.5.0.2-all-languages/js/normalization.js
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/js/normalization.js 2016-05-04 14:20:40.943971835 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/js/normalization.js 2016-05-04 14:45:22.223982162 +0800
> +@@ -82,7 +82,7 @@
> + $("#mainContent #extra").html(data.extra);
> + $("#mainContent #newCols").html('');
> + if (data.subText !== '') {
> +- $('.tblFooters').html('<input type="submit" value="' + PMA_messages.strDone + '" onclick="processDependencies(\'' + data.primary_key + '\');">');
> ++ $('.tblFooters').html('<input type="submit" value="' + PMA_messages.strDone + '" onclick="processDependencies(\'' + escapeJsString(escapeHtml(data.primary_key)) + '\');">');
> + } else {
> + if (normalizeto === '3nf') {
> + $("#mainContent #newCols").html(PMA_messages.strToNextStep);
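Review bot: In the processDependencies onclick string, escapeJsString(escapeHtml(data.primary_key)) applies HTML escaping first and JS-string escaping second, but the browser decodes the attribute value first and only then parses the script, so the quoting holds only if escapeJsString() also neutralises entity-encoded quotes. That makes this hunk depend on the exact contents of escapeJsString() from phpmyadmin-CVE-2016-2561-2.patch, which look damaged as posted. A more robust form would create the button without an inline handler and attach it with .on('click', ...), passing data.primary_key as a normal variable so no string escaping is needed.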
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch
> new file mode 100644
> index 0000000..4a58b4c
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch
> @@ -0,0 +1,20 @@
> +ubject: [PATCH] Escape selectors
> +
> +Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> +Index: phpMyAdmin-4.5.0.2-all-languages/db_central_columns.php
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/db_central_columns.php 2015-09-25 19:55:50.000000000 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/db_central_columns.php 2016-05-04 14:47:45.003983158 +0800
> +@@ -92,7 +92,7 @@
> + } else {
> + $total_rows = PMA_getCentralColumnsCount($db);
> + }
> +-if (isset($_REQUEST['pos'])) {
> ++if (PMA_isValid($_REQUEST['pos'], 'integer')) {
> + $pos = $_REQUEST['pos'];
> + } else {
> + $pos = 0;
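Review bot: The first line of this patch file reads "ubject:" instead of "Subject:", and the subject "Escape selectors" does not describe the change, which validates the pos request parameter in db_central_columns.php. Please fix the header and use a subject that matches the change. Since $pos is still assigned the raw request value after the PMA_isValid(..., 'integer') check, an explicit cast such as "$pos = (int) $_REQUEST['pos'];" would make the type guarantee visible at the point of use.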
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561.patch
> new file mode 100644
> index 0000000..48e1aac
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561.patch
> @@ -0,0 +1,29 @@
> +Subject: [PATCH] Escape selectors
> +
> +Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> +Index: phpMyAdmin-4.5.0.2-all-languages/js/normalization.js
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/js/normalization.js 2016-05-04 11:02:07.295888771 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/js/normalization.js 2016-05-04 11:30:15.767900544 +0800
> +@@ -128,7 +128,7 @@
> + $("#mainContent #newCols").html('');
> + $('.tblFooters').html('');
> + for(var pk in primary_key) {
> +- $("#extra input[value='" + primary_key[pk] + "']").attr("disabled","disabled");
> ++ $("#extra input[value='" + escapeJsString(primary_key[pk]) + "']").attr("disabled","disabled");
> + }
> + }
> + );
> +@@ -153,7 +153,7 @@
> + $('.tblFooters').html('');
> + primary_key = $.parseJSON(data.primary_key);
> + for(var pk in primary_key) {
> +- $("#extra input[value='" + primary_key[pk] + "']").attr("disabled","disabled");
> ++ $("#extra input[value='" + escapeJsString(primary_key[pk]) + "']").attr("disabled","disabled");
> + }
> + }
> + );
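Review bot: Both changed lines still build the "#extra input[value='...']" selector by string concatenation and rely on escapeJsString(), which is a JS-string escaper rather than a selector escaper and which is only introduced by phpmyadmin-CVE-2016-2561-2.patch, so this file is not self-contained. Selecting "#extra input" and filtering on this.value === primary_key[pk] would avoid putting the value into selector syntax at all. If the upstream form is kept for fidelity, the header should at least state the dependency on the -2 patch.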
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb
> index ac32185..3be90ba 100644
> --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb
> @@ -9,6 +9,12 @@ SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/4.5.0.2/phpMyAdmin-4.5.0.2-al
> file://Port-content-spoofing-fix-CVE-2015-7873.patch \
> file://apache.conf \
> file://phpmyadmin-CVE-2015-8669.patch \
> + file://phpmyadmin-CVE-2016-2561.patch \
> + file://phpmyadmin-CVE-2016-2561-2.patch \
> + file://phpmyadmin-CVE-2016-2561-3.patch \
> + file://phpmyadmin-CVE-2016-2561-4.patch \
> + file://phpmyadmin-CVE-2016-2561-5.patch \
> + file://phpmyadmin-CVE-2016-2561-6.patch \
> "
>
> SRC_URI[md5sum] = "2d08d2fcc8f70f88a11a14723e3ca275"
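Review bot: In the SRC_URI additions the first entry is unsuffixed while the rest are numbered -2 to -6, and the order matters: the timestamps in the patch headers show that the unsuffixed, -2 and -5 patches were each generated on top of the previous one's js/normalization.js. Naming the files -1 to -6, or adding a short comment above the list, would make that ordering requirement explicit for whoever later drops or refreshes one of them.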
--
---------------------
Thanks,
Zhixiong Chi
Tel: +86-10-8477-7036