Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 169376

Summary: dev-db/phpmyadmin: PHP Executor Deep Recursion Stack Overflow [MOPB]
Product: Gentoo Security Reporter: Renat Lumpau (RETIRED) <rl03>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: enhancement    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-3
Whiteboard: B3? [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 169372    
Bug Blocks:    

Description Renat Lumpau (RETIRED) gentoo-dev 2007-03-04 22:45:49 UTC 
Announcement-ID: PMASA-2007-3
Date: 2007-03-02

Summary:
PHP Executor Deep Recursion Stack Overflow 

Description:
Stefan Esser from the Hardened-PHP Project is publishing the Month of PHP Bugs. One of these PHP bugs can be triggered by phpMyAdmin which uses a recursive function in its normal operation.


Severity:
We consider this vulnerability to be serious. 

Affected versions:
All versions prior to 2.10.0.2. 

Solution:
Upgrade to phpMyAdmin 2.10.0.2 or newer. Note that upgrading phpMyAdmin does not protect a server against an attacker that targets other vulnerable PHP applications. 

Patches:
Patches are available in this tracker:http://sourceforge.net/tracker/index.php?func=detail&aid=1671813&group_id=23067&atid=377408 

Reference:
http://www.php-security.org/MOPB/MOPB-02-2007.html 

For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net/.
Comment 1 Renat Lumpau (RETIRED) gentoo-dev 2007-03-04 22:46:11 UTC 
2.10.0.2 is in the tree
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-05 20:27:32 UTC 
Thanks Renat

arches please test phpMyAdmin 2.10.0.2 and mark stable if possible
Comment 3 Christoph Mende (RETIRED) gentoo-dev 2007-03-05 20:38:57 UTC 
After creating a database:
Warning: require_once(./db_details_structure.php) [function.require-once]: failed to open stream: No such file or directory in /var/www/localhost/htdocs/phpmyadmin/db_create.php on line 42
Selecting a database results in a 404, same with tables, access.log:
127.0.0.1 localhost - [05/Mar/2007:21:38:32 +0100] "GET /phpmyadmin/db_details_structure.php?server=1&db=angelos&table=&lang=de-utf-8&collation_connection=utf8_unicode_ci HTTP/1.1" 404 345 "http://localhost/phpmyadmin/navigation.php?token=f9addbcfe4fc8145f643f8aefd391b97" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070303 Firefox/2.0.0.2"
127.0.0.1 localhost - [05/Mar/2007:21:38:33 +0100] "GET /phpmyadmin/tbl_properties_structure.php?db=angelos&token=f9addbcfe4fc8145f643f8aefd391b97&table=users HTTP/1.1" 404 345 "http://localhost/phpmyadmin/navigation.php?server=1&db=angelos&table=&lang=de-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070303 Firefox/2.0.0.2"
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2007-03-06 15:46:55 UTC 
Works for me...

x86 stable.
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2007-03-06 18:42:43 UTC 
works here, too. ppc64 stable
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2007-03-06 22:52:17 UTC 
Hmm, works after unmerging, removing the old phpmyadmin directory and emerging a new, clean version - simply upgrading didn't work
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2007-03-07 03:26:05 UTC 
Stable for HPPA (killerfox).
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2007-03-08 14:06:39 UTC 
amd64 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-03-08 17:32:58 UTC 
ppc stable
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-08 17:41:54 UTC 
sparc stable.
Comment 11 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-03-12 09:29:47 UTC 
Stable on alpha
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-14 00:34:05 UTC 
i don't know how to handle that kind of bugs that seem to belong to PHP rather that to the applications using PHP. Personnally i tend to think that's a PHP vulnerability.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-14 07:51:46 UTC 
This seems like a PHP vuln to me. Upgrading phpmyadmin is only a workaround for phpmyadmin users.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-15 22:07:17 UTC 
i fully agree but i don't know in which PHP version this is fixed.


BTW i vote NOGLSA since it's a PHP bug
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-16 07:51:33 UTC 
I agree on the NO GLSA part if we'll have a PHP GLSA.
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-26 22:18:11 UTC 
then let's close it as soon as the dependent bug 169372 is glsa-sent
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-12 15:11:43 UTC 
agreed on no glsa and updating status accordingly
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 12:03:37 UTC 
Pushing it to enhancement until it can be closed.
Comment 19 Renat Lumpau (RETIRED) gentoo-dev 2007-05-28 00:43:23 UTC 
so what's the deal here?
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-28 06:11:26 UTC 
Waiting for PHP GLSA to be sent, nothing else I think.
Comment 21 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-30 19:46:13 UTC 
GLSA 200705-19 was issued a few days ago, closing then.