Openembedded Devel Discussions
From: Rongqing Li <rongqing.li@windriver.com>
To: <openembedded-devel@lists.openembedded.org>
Subject: Re: [PATCH 1/3][meta-webserver] phpmyadmin: fix for Security Advisory CVE-2014-5273
Date: Thu, 30 Oct 2014 11:01:52 +0800
Message-ID: <5451AA20.9030009@windriver.com>
In-Reply-To: <1414637431-19689-1-git-send-email-rongqing.li@windriver.com>

Sorry, please drop it; the third patch and the second patch have
the same commit header.


-Roy

On 10/30/2014 10:50 AM, rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x
> before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow
> remote authenticated users to inject arbitrary web script or HTML via the
> (1) browse table page, related to js/sql.js; (2) ENUM editor page, related
> to js/functions.js; (3) monitor page, related to js/server_status_monitor.js;
> (4) query charts page, related to js/tbl_chart.js; or (5) table relations
> page, related to libraries/tbl_relation.lib.php.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5273
>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
>   ...ug-4504-security-Self-XSS-in-query-charts.patch |   29 ++++++++++++++++++++
>   .../recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb     |    1 +
>   2 files changed, 30 insertions(+)
>   create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch
>
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch
> new file mode 100644
> index 0000000..27eac77
> --- /dev/null
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4504-security-Self-XSS-in-query-charts.patch
> @@ -0,0 +1,29 @@
> +From 90ddeecf60fc029608b972e490b735f3a65ed0cb Mon Sep 17 00:00:00 2001
> +From: Madhura Jayaratne <madhura.cj@gmail.com>
> +Date: Sun, 17 Aug 2014 08:52:05 -0400
> +Subject: [PATCH] bug #4504 [security] Self-XSS in query charts
> +
> +Upstream-status: Backport
> +
> +Signed-off-by: Marc Delisle <marc@infomarc.info>
> +---
> + js/tbl_chart.js |    2 +-
> + 2 files changed, 2 insertions(+), 1 deletion(-)
> +
> + 4.2.7.0 (2014-07-31)
> +diff --git a/js/tbl_chart.js b/js/tbl_chart.js
> +index 943d4ae..04c9c40 100644
> +--- a/js/tbl_chart.js
> ++++ b/js/tbl_chart.js
> +@@ -47,7 +47,7 @@ function PMA_queryChart(data, columnNames, settings) {
> +         },
> +         axes : {
> +             xaxis : {
> +-                label : settings.xaxisLabel
> ++                label : escapeHtml(settings.xaxisLabel)
> +             },
> +             yaxis : {
> +                 label : settings.yaxisLabel
> +--
> +1.7.10.4
> +
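Review bot: the one-line change to js/tbl_chart.js escapes settings.xaxisLabel but leaves the y-axis label in the visible context (`label : settings.yaxisLabel`) unescaped; both labels come from the same user-supplied settings object, so check whether upstream's fix series also wraps yaxisLabel in escapeHtml() and, if it does, carry that change in this backport. The embedded patch header is also inconsistent: the diffstat lists only `js/tbl_chart.js | 2 +-` yet claims `2 files changed, 2 insertions(+), 1 deletion(-)`, and the stray ` 4.2.7.0 (2014-07-31)` line between `---` and `diff --git` reads like residue of a dropped ChangeLog hunk; regenerate the diffstat so the file describes what it actually contains. Finally, the OpenEmbedded patch guidelines spell the tag `Upstream-Status: Backport` (capital S), not `Upstream-status`.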
> diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
> index 0de3f6d..c267d89 100644
> --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
> +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb
> @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \
>                       file://libraries/tcpdf/LICENSE.TXT;md5=5c87b66a5358ebcc495b03e0afcd342c"
>
>   SRC_URI = "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
> +           file://0001-bug-4504-security-Self-XSS-in-query-charts.patch \
>              file://apache.conf"
>
>   SRC_URI[md5sum] = "0dcd755450dac819f33502590c88ad29"
>
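Review bot: the added `file://0001-bug-4504-security-Self-XSS-in-query-charts.patch` line brings in a fix for js/tbl_chart.js only, which is vector (4) of the five listed in the CVE-2014-5273 description above; js/sql.js, js/functions.js, js/server_status_monitor.js and libraries/tbl_relation.lib.php are untouched by this series. Either add the remaining upstream backports to SRC_URI here or narrow the commit message so the recipe does not claim the whole advisory is fixed. The patch file itself also never mentions CVE-2014-5273; putting the CVE number in its header makes the fix traceable from the patch alone.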

-- 
Best Regards,
Roy | RongQing Li
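As an added example, not code from the original post or from phpMyAdmin: the quoted CVE description lists the query charts page as one injection point, and the backported hunk fixes it by wrapping the x-axis label in escapeHtml() before the charting library renders it. The block below shows that pattern with an assumed escapeHtml() implementation (phpMyAdmin's own helper is not reproduced on this page), the vulnerable and hardened label builders side by side, and a constructed sample input; it goes beyond the hunk by escaping the y-axis label the same way.

```javascript
// Added example, not phpMyAdmin's code: HTML-escaping untrusted chart axis
// labels before they reach a charting library that renders label text as
// HTML. escapeHtml() is an assumed implementation of the helper the patch
// calls; the real phpMyAdmin function is not shown on this page.

function escapeHtml(value) {
  // Escape the five characters that can open or close an HTML context.
  // Ampersand goes first so already-produced entities are not re-escaped.
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: labels copied verbatim from user-controlled settings,
// as on the "before" side of the backported hunk.
function chartAxesUnescaped(settings) {
  return {
    xaxis: { label: settings.xaxisLabel },
    yaxis: { label: settings.yaxisLabel },
  };
}

// Hardened shape. The hunk on this page escapes only xaxisLabel; this
// example also escapes yaxisLabel, since both values originate from the
// same form input.
function chartAxes(settings) {
  return {
    xaxis: { label: escapeHtml(settings.xaxisLabel) },
    yaxis: { label: escapeHtml(settings.yaxisLabel) },
  };
}

// Detection helper: true when a label still contains characters that a
// browser would interpret as markup rather than display as text.
function containsRawMarkup(label) {
  return /[<>"']/.test(label) || /&(?!(amp|lt|gt|quot|#39);)/.test(label);
}

// Constructed sample: column names as a user could type them into the
// query charts form, one of them carrying markup.
const sampleSettings = {
  xaxisLabel: '<b>id</b>',
  yaxisLabel: 'count & "total"',
};

console.log('unescaped:', chartAxesUnescaped(sampleSettings));
console.log('escaped:  ', chartAxes(sampleSettings));
```

The escaper is deliberately the simplest correct form: a fixed replacement order with `&` first, so that feeding an already-escaped string through it again yields a double-escaped string rather than silently passing markup. containsRawMarkup() is the kind of check a unit test or a pre-render assertion can apply to every label a chart configuration receives.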


Thread overview: 4+ messages
2014-10-30  2:50 [PATCH 1/3][meta-webserver] phpmyadmin: fix for Security Advisory CVE-2014-5273 rongqing.li
2014-10-30  2:50 ` [PATCH 2/3][meta-webserver] phpmyadmin: fix for Security Advisory CVE-2014-5274 rongqing.li
2014-10-30  2:50 ` [PATCH 3/3][meta-webserver] " rongqing.li
2014-10-30  3:01 ` Rongqing Li [this message]
