Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 520142 (CVE-2014-5273) - <dev-db/phpmyadmin-{4.0.10.2,4.1.14.3,4.2.7.1}: Multiple vulnerabilities (CVE-2014-{5273,5274})
Summary: <dev-db/phpmyadmin-{4.0.10.2,4.1.14.3,4.2.7.1}: Multiple vulnerabilities (CVE...
Status: RESOLVED FIXED
Alias: CVE-2014-5273
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2014-4348 CVE-2014-4986
  Show dependency tree
 
Reported: 2014-08-17 18:14 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2014-12-29 05:52 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-17 18:14:10 UTC
http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php

Description

With a crafted database, table or a primary/unique key column name it is possible to trigger an XSS when dropping a row from the table. With a crafted column name it is possible to trigger an XSS in the ENUM editor dialog. With a crafted variable name or a crafted value for unit field it is possible to trigger a self-XSS when adding a new chart in the monitor page. With a crafted value for x-axis label it is possible to trigger a self-XSS in the query chart page. With a crafted relation name it is possible to trigger an XSS in table relations page. 

Severity

We consider these vulnerabilities to be non critical. 

Solution

Upgrade to phpMyAdmin 4.0.10.2 or newer, or 4.1.14.3 or newer, or 4.2.7.1 or newer, or apply the patches listed below. 

http://www.phpmyadmin.net/home_page/security/PMASA-2014-9.php
Description

With a crafted view name it is possible to trigger an XSS when dropping the view in view operation page.
Severity

We consider this vulnerability to be non critical. 

Solution

Upgrade to phpMyAdmin 4.1.14.3 or newer, or 4.2.7.1 or newer, or apply the patch listed below.
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-08-21 17:54:48 UTC
17:54 < irker101> gentoo-x86: jmbsvicetto dev-db/phpmyadmin: Another security bump for phpmyadmin (CVE-2014-{5273,5274}) - bug 520142. Drop unstable affected versions.

Versions in the tree bumped.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 14:57:00 UTC
Maintainers, please advise when ebuilds have had enough testing, and are ready for stabilization.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-08-25 15:02:45 UTC
CVE-2014-5274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5274):
  Cross-site scripting (XSS) vulnerability in the view operations page in
  phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote
  authenticated users to inject arbitrary web script or HTML via a crafted
  view name, related to js/functions.js.

CVE-2014-5273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5273):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x
  before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow
  remote authenticated users to inject arbitrary web script or HTML via the
  (1) browse table page, related to js/sql.js; (2) ENUM editor page, related
  to js/functions.js; (3) monitor page, related to
  js/server_status_monitor.js; (4) query charts page, related to
  js/tbl_chart.js; or (5) table relations page, related to
  libraries/tbl_relation.lib.php.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-08-27 02:15:37 UTC
Arches, please test and mark stable:

=dev-db/phpmyadmin-4.1.14.3

Target Keywords : "alpha amd64  hppa  ppc ppc64 spark x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2014-09-15 08:10:11 UTC
(In reply to Yury German from comment #4)
> Arches, please test and mark stable:
> 
> =dev-db/phpmyadmin-4.1.14.3
> 
> Target Keywords : "alpha amd64  hppa  ppc ppc64 spark x86"
> 
> Thank you!

it is hard to catch if arches are not in CC.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-09-16 07:22:34 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2014-09-16 14:57:19 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-09-16 14:57:44 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-09-19 10:34:50 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-09-19 10:36:42 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-09-20 11:05:33 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-10-05 15:11:58 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-10-05 17:15:04 UTC
(In reply to Agostino Sarubbo from comment #12)
> ppc stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

GLSA Vote: No
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-11-11 22:47:40 UTC
Old versions cleaned up, security please vote.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-12-29 05:52:32 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No