From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.windriver.com (mail.windriver.com [147.11.1.11]) by mail.openembedded.org (Postfix) with ESMTP id 8D627700FD for ; Thu, 5 May 2016 08:14:25 +0000 (UTC) Received: from ALA-HCA.corp.ad.wrs.com (ala-hca.corp.ad.wrs.com [147.11.189.40]) by mail.windriver.com (8.15.2/8.15.1) with ESMTPS id u458EPUR008633 (version=TLSv1 cipher=AES128-SHA bits=128 verify=FAIL) for ; Thu, 5 May 2016 01:14:25 -0700 (PDT) Received: from [128.224.162.233] (128.224.162.233) by ALA-HCA.corp.ad.wrs.com (147.11.189.50) with Microsoft SMTP Server id 14.3.248.2; Thu, 5 May 2016 01:14:24 -0700 To: References: <1462435531-5587-1-git-send-email-Zhixiong.Chi@windriver.com> From: Zhixiong Chi Message-ID: <572B00EE.3070402@windriver.com> Date: Thu, 5 May 2016 16:14:38 +0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: <1462435531-5587-1-git-send-email-Zhixiong.Chi@windriver.com> Subject: Re: [meta-oe][PATCH] phpmyadmin: Security Advisory-phpmyadmin-CVE-2016-2561 X-BeenThere: openembedded-devel@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Using the OpenEmbedded metadata to build Distributions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 May 2016 08:14:28 -0000 Content-Type: text/plain; charset="utf-8"; format=flowed Content-Transfer-Encoding: 8bit Ignore it. I will resend for this issue. On 2016年05月05日 16:05, Zhixiong Chi wrote: > Backport patches from phpmyadmin upstream > to fix CVE-2016-2561 > > > > > > > > avoid remote authenticated users to inject arbitrary web script or > HTML via (1) normalization.php or (2) js/normalization.js in the database > normalization page, (3) templates/database/structure/sortable_header.phtml > in the database structure page, or (4) the pos parameter to > db_central_columns.php in the central columns page. 
> > Signed-off-by: Zhixiong Chi > --- > .../phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch | 49 ++++++++++++++++++++++ > .../phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch | 20 +++++++++ > .../phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch | 40 ++++++++++++++++++ > .../phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch | 20 +++++++++ > .../phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch | 20 +++++++++ > .../phpmyadmin/phpmyadmin-CVE-2016-2561.patch | 29 +++++++++++++ > .../recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb | 6 +++ > 7 files changed, 184 insertions(+) > create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch > create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch > create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch > create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch > create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch > create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561.patch > > diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch > new file mode 100644 > index 0000000..8be4fba > --- /dev/null > +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-2.patch 
> @@ -0,0 +1,49 @@ > +Subject: [PATCH] Fix XSS in normalization.js > + > +Signed-off-by: Madhura Jayaratne > + > +Upstream-Status: Backport > + > +Signed-off-by: Zhixiong Chi > +Index: phpMyAdmin-4.5.0.2-all-languages/js/functions.js > +=================================================================== > +--- phpMyAdmin-4.5.0.2-all-languages.orig/js/functions.js 2016-05-04 11:02:08.167888778 +0800 > ++++ phpMyAdmin-4.5.0.2-all-languages/js/functions.js 2016-05-04 14:08:57.427966930 +0800 > +@@ -220,6 +220,24 @@ > + } > + } > + > ++function escapeJsString(unsafe) { > ++ if (typeof(unsafe) != 'undefined') { > ++ return unsafe > ++ .toString() > ++ .replace("\000", '') > ++ .replace('\\', '\\\\') > ++ .replace('\'', '\\\'') > ++ .replace("'", "\\\'") > ++ .replace('"', '\"') > ++ .replace(""", "\"") > ++ .replace("\n", '\n') > ++ .replace("\r", '\r') > ++ .replace(/<\/script/gi, ' ++ } else { > ++ return false; > ++ } > ++} > ++ > + function PMA_sprintf() { > + return sprintf.apply(this, arguments); > + } > +Index: phpMyAdmin-4.5.0.2-all-languages/js/normalization.js > +=================================================================== > +--- phpMyAdmin-4.5.0.2-all-languages.orig/js/normalization.js 2016-05-04 11:30:15.767900544 +0800 > ++++ phpMyAdmin-4.5.0.2-all-languages/js/normalization.js 2016-05-04 14:20:40.943971835 +0800 > +@@ -638,7 +638,7 @@ > + ''; > + $("#newCols").html(confirmStr); > + $('.tblFooters').html('' + > +- ''); > ++ ''); > + } > + }); > + $("#mainContent p").on("click", "#createPrimaryKey", function(event) { > diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch > new file mode 100644 > index 0000000..149eba3 > --- /dev/null > +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-3.patch 
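Review bot: `escapeJsString`, added to js/functions.js in this hunk, passes string patterns to `replace`, and in JavaScript a string pattern replaces only the first match, so a value with two quotes or two backslashes keeps the later ones unescaped. As shown here, several steps are also no-ops: `'\"'` is the same string as `'"'`, and replacing `"\n"` with `'\n'` swaps a newline for a newline. Each step should use a global regular expression with a real escape as the replacement, for example `.replace(/\\/g, '\\\\')` and `.replace(/'/g, "\\'")`. The archive has dropped text from this hunk (the `</script` replacement and the changed `.html(...)` line in normalization.js are incomplete), so the call site cannot be reviewed from this page.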
> @@ -0,0 +1,20 @@
> +Subject: [PATCH] Fix XSS in normalization
> +
> +Signed-off-by: Madhura Jayaratne
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi
> +Index: phpMyAdmin-4.5.0.2-all-languages/normalization.php
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/normalization.php 2016-05-04 11:02:07.139888770 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/normalization.php 2016-05-04 14:29:25.031975489 +0800
> +@@ -72,7 +72,7 @@
> + $scripts->addFile('normalization.js');
> + $scripts->addFile('jquery/jquery.uitablefilter.js');
> + $normalForm = '1nf';
> +-if (isset($_REQUEST['normalizeTo'])) {
> ++if (PMA_isValid($_REQUEST['normalizeTo'],array('1nf','2nf','3nf'))) {
> + $normalForm = $_REQUEST['normalizeTo'];
> + }
> + if (isset($_REQUEST['createNewTables2NF'])) {
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch
> new file mode 100644
> index 0000000..6b699f6
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-4.patch
> @@ -0,0 +1,40 @@
> +Subject: [PATCH] Fix XSS in database structure page
> +
> +Signed-off-by: Michal Čihař
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi
> +Index: phpMyAdmin-4.5.0.2-all-languages/templates/database/structure/sortable_header.phtml
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/templates/database/structure/sortable_header.phtml 2015-09-25 19:55:50.000000000 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/templates/database/structure/sortable_header.phtml 2016-05-04 14:39:57.703979900 +0800
> +@@ -51,16 +51,20 @@
> + }
> + $_url_params = array(
> + 'db' => $_REQUEST['db'],
> ++ 'pos' => 0, // We set the position back to 0 every time they sort.
> ++ 'sort' => $sort,
> ++ 'sort_order' => $future_sort_order,
> + );
> +-$url = 'db_structure.php' . PMA_URL_getCommon($_url_params);
> +-// We set the position back to 0 every time they sort.
> +-$url .= "&pos=0&sort=$sort&sort_order=$future_sort_order";
> +-if (! empty($_REQUEST['tbl_type'])) {
> +- $url .= "&tbl_type=" . $_REQUEST['tbl_type'];
> ++
> ++if (PMA_isValid($_REQUEST['tbl_type'], array('view', 'table'))) {
> ++ $_url_params['tbl_type'] = $_REQUEST['tbl_type'];
> + }
> + if (! empty($_REQUEST['tbl_group'])) {
> +- $url .= "&tbl_group=" . $_REQUEST['tbl_group'];
> ++ $_url_params['tbl_group']= $_REQUEST['tbl_group'];
> + }
> ++
> ++$url = 'db_structure.php' . PMA_URL_getCommon($_url_params);
> ++
> + echo PMA_Util::linkOrButton(
> + $url, $title . $order_img, $order_link_params
> +-);
> +\ No newline at end of file
> ++);
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch
> new file mode 100644
> index 0000000..27ff9ff
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-5.patch
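Review bot: `tbl_group` is still accepted with only an `! empty` check, while `tbl_type` in the same hunk now goes through an allowlist. Because the value is no longer concatenated into `$url`, the fix relies on `PMA_URL_getCommon()` URL-encoding every entry of `$_url_params` and on `PMA_Util::linkOrButton()` escaping the URL for HTML; both are defined outside this hunk. I would record that dependency next to the assignment, e.g. `// free-form value: encoded by PMA_URL_getCommon(), never concatenated into $url`, and consider rejecting non-scalar input with `is_scalar($_REQUEST['tbl_group'])`.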
> @@ -0,0 +1,20 @@
> +Subject: [PATCH] Fix XSS in normalization.js
> +
> +Signed-off-by: Madhura Jayaratne
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi
> +Index: phpMyAdmin-4.5.0.2-all-languages/js/normalization.js
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/js/normalization.js 2016-05-04 14:20:40.943971835 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/js/normalization.js 2016-05-04 14:45:22.223982162 +0800
> +@@ -82,7 +82,7 @@
> + $("#mainContent #extra").html(data.extra);
> + $("#mainContent #newCols").html('');
> + if (data.subText !== '') {
> +- $('.tblFooters').html('');
> ++ $('.tblFooters').html('');
> + } else {
> + if (normalizeto === '3nf') {
> + $("#mainContent #newCols").html(PMA_messages.strToNextStep);
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch
> new file mode 100644
> index 0000000..4a58b4c
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561-6.patch
> @@ -0,0 +1,20 @@
> +ubject: [PATCH] Escape selectors
> +
> +Signed-off-by: Madhura Jayaratne
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi
> +Index: phpMyAdmin-4.5.0.2-all-languages/db_central_columns.php
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/db_central_columns.php 2015-09-25 19:55:50.000000000 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/db_central_columns.php 2016-05-04 14:47:45.003983158 +0800
> +@@ -92,7 +92,7 @@
> + } else {
> + $total_rows = PMA_getCentralColumnsCount($db);
> + }
> +-if (isset($_REQUEST['pos'])) {
> ++if (PMA_isValid($_REQUEST['pos'], 'integer')) {
> + $pos = $_REQUEST['pos'];
> + } else {
> + $pos = 0;
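Review bot: After the new `PMA_isValid($_REQUEST['pos'], 'integer')` check in db_central_columns.php, `$pos` is still assigned the raw request value, which PHP delivers as a string. `PMA_isValid` is defined outside this hunk; if its 'integer' test compares the PHP type rather than the content, a string such as "25" would never pass and `$pos` would always fall back to 0, so that is worth confirming with a paging test. Either way, an explicit `$pos = (int) $_REQUEST['pos'];` keeps a non-integer from reaching later output or queries. The patch header also reads `ubject:` and reuses the "Escape selectors" title of another patch, although this change validates `pos`.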
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561.patch
> new file mode 100644
> index 0000000..48e1aac
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2016-2561.patch
> @@ -0,0 +1,29 @@
> +Subject: [PATCH] Escape selectors
> +
> +Signed-off-by: Madhura Jayaratne
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Zhixiong Chi
> +Index: phpMyAdmin-4.5.0.2-all-languages/js/normalization.js
> +===================================================================
> +--- phpMyAdmin-4.5.0.2-all-languages.orig/js/normalization.js 2016-05-04 11:02:07.295888771 +0800
> ++++ phpMyAdmin-4.5.0.2-all-languages/js/normalization.js 2016-05-04 11:30:15.767900544 +0800
> +@@ -128,7 +128,7 @@
> + $("#mainContent #newCols").html('');
> + $('.tblFooters').html('');
> + for(var pk in primary_key) {
> +- $("#extra input[value='" + primary_key[pk] + "']").attr("disabled","disabled");
> ++ $("#extra input[value='" + escapeJsString(primary_key[pk]) + "']").attr("disabled","disabled");
> + }
> + }
> + );
> +@@ -153,7 +153,7 @@
> + $('.tblFooters').html('');
> + primary_key = $.parseJSON(data.primary_key);
> + for(var pk in primary_key) {
> +- $("#extra input[value='" + primary_key[pk] + "']").attr("disabled","disabled");
> ++ $("#extra input[value='" + escapeJsString(primary_key[pk]) + "']").attr("disabled","disabled");
> + }
> + }
> + );
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb
> index ac32185..3be90ba 100644
> --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb
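Review bot: In both normalization.js hunks (`@@ -128` and `@@ -153`) the escaped value is spliced into a jQuery attribute selector, but `escapeJsString` targets JavaScript string literals rather than CSS selector syntax, so the escaping applied does not match the context it is used in. Comparing the attribute instead of building a selector removes the need for escaping altogether: `$("#extra input").filter(function () { return $(this).attr("value") === String(primary_key[pk]); }).attr("disabled", "disabled");`. The enclosing callbacks start and end outside the hunks.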
> @@ -9,6 +9,12 @@ SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/4.5.0.2/phpMyAdmin-4.5.0.2-al
> file://Port-content-spoofing-fix-CVE-2015-7873.patch \
> file://apache.conf \
> file://phpmyadmin-CVE-2015-8669.patch \
> + file://phpmyadmin-CVE-2016-2561.patch \
> + file://phpmyadmin-CVE-2016-2561-2.patch \
> + file://phpmyadmin-CVE-2016-2561-3.patch \
> + file://phpmyadmin-CVE-2016-2561-4.patch \
> + file://phpmyadmin-CVE-2016-2561-5.patch \
> + file://phpmyadmin-CVE-2016-2561-6.patch \
> "
>
> SRC_URI[md5sum] = "2d08d2fcc8f70f88a11a14723e3ca275"
-- --------------------- Thanks, Zhixiong Chi Tel: +86-10-8477-7036