
Bug 502002 (CVE-2014-1879)

Summary: <dev-db/phpmyadmin-4.1.7: XSS in import.php (CVE-2014-1879)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: a3li, jmbsvicetto, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1067713
Whiteboard: B4 [noglsa]
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-02-21 15:16:28 UTC
From ${URL}:

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-1879 to
the following vulnerability:

Name: CVE-2014-1879
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1879
Assigned: 20140207
Reference: http://www.phpmyadmin.net/home_page/security/PMASA-2014-1.php
Reference: https://github.com/phpmyadmin/phpmyadmin/commit/968d5d5f486820bfa30af046f063b9f23304e14a

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin
before 4.1.7 allows remote authenticated users to inject arbitrary web
script or HTML via a crafted filename in an import action.

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for stabilization or not.
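The bug class named in the CVE text, as an added illustration in PHP. This is constructed for this page; it is not phpMyAdmin's import.php and not the upstream fix (the commit linked above holds the real change). The function names, the notice text and the sample filename are assumptions. It puts the vulnerable pattern next to the hardened one: the client-chosen upload filename is written into an HTML status message, once unescaped and once HTML-encoded at the output point.

```php
<?php
// Added illustration for the CVE-2014-1879 bug class: reflected markup from an
// upload filename. Constructed example code, not phpMyAdmin's import.php and
// not the upstream fix; function names and the message text are assumptions.

// Vulnerable pattern: the upload's client-chosen name is concatenated straight
// into an HTML notice. A file named  x<img src=x onerror=alert(1)>.sql  turns
// into live markup for whoever renders the import result.
function import_message_vulnerable(string $filename, int $rows): string
{
    return '<div class="notice">Import of <b>' . $filename
        . '</b> finished (' . $rows . ' rows).</div>';
}

// Hardened pattern: HTML-encode at the point where the value enters HTML.
// ENT_QUOTES also encodes the single quote, so the same helper is safe inside
// single-quoted attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from turning
// the whole output into an empty string, which would otherwise mask the bug.
function import_message_safe(string $filename, int $rows): string
{
    $safe = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="notice">Import of <b>' . $safe
        . '</b> finished (' . $rows . ' rows).</div>';
}

// Returns true when the vulnerable output carries the raw <script> tag from
// the filename and the hardened output carries only its encoded form.
function demo_shows_fix(string $filename): bool
{
    $bad  = import_message_vulnerable($filename, 42);
    $good = import_message_safe($filename, 42);
    return strpos($bad, '<script>') !== false
        && strpos($good, '<script>') === false
        && strpos($good, '&lt;script&gt;') !== false;
}

// Constructed sample input, standing in for $_FILES['import_file']['name'];
// that field is copied from the multipart Content-Disposition header the
// client sent, so it is attacker-controlled even for logged-in users.
$uploaded = 'dump<script>alert(document.cookie)</script>.sql';

echo "vulnerable: " . import_message_vulnerable($uploaded, 42) . "\n";
echo "hardened:   " . import_message_safe($uploaded, 42) . "\n";
exit(demo_shows_fix($uploaded) ? 0 : 1);
```

Run it with `php import_xss_demo.php` (any file name will do). The point to take from it matches the CVE's scope of "remote authenticated users": the import action is only reachable after login, but the filename in the multipart body is still entirely under the client's control, so it has to be encoded wherever it is rendered, not trusted because the session is authenticated.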
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-02-23 20:56:51 UTC
@arches:

please test and mark stable phpmyadmin-4.1.7.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-24 00:50:19 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #1)
> @arches:
> 
> please test and mark stable phpmyadmin-4.1.7.

No, like this, please:

Arch teams, please test and mark stable:
=dev-db/phpmyadmin-4.1.7
Targeted stable KEYWORDS : alpha amd64 hppa ppc ppc64 sparc x86
Comment 3 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-02-24 05:42:09 UTC
(In reply to Jeroen Roovers from comment #2)
> (In reply to Jorge Manuel B. S. Vicetto from comment #1)
> > @arches:
> > 
> > please test and mark stable phpmyadmin-4.1.7.
> 
> No, like this, please:
> 
> Arch teams, please test and mark stable:
> =dev-db/phpmyadmin-4.1.7
> Targeted stable KEYWORDS : alpha amd64 hppa ppc ppc64 sparc x86

Sorry about that.

ia64:

I see you don't have any version stable. Are you interested in adding it to the stable tree?
Comment 4 Agostino Sarubbo gentoo-dev 2014-02-24 05:57:56 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #3)
> ia64:
> 
> I see you don't have any version stable. Are you interested in adding it to
> the stable tree?

no
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-24 13:48:19 UTC
Stable for HPPA.
Comment 6 Sergey Popov gentoo-dev 2014-02-28 12:35:27 UTC
amd64/x86 stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-02-28 12:47:02 UTC
CVE-2014-1879 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1879):
  Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before
  4.1.7 allows remote authenticated users to inject arbitrary web script or
  HTML via a crafted filename in an import action.
Comment 8 Agostino Sarubbo gentoo-dev 2014-03-12 10:37:37 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-03-16 11:08:13 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-03-19 14:13:59 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-03-24 14:29:23 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2014-05-15 04:48:34 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-06-10 00:59:19 UTC
Maintainer(s), please drop the vulnerable version.

GLSA Vote: no
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-06-17 23:47:48 UTC
No GLSA for Cross Site Scripting

The vulnerable versions have been around since 2014-03-24, please clean up.
Comment 15 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-08-14 12:38:42 UTC
12:37 < irker982> gentoo-x86: jmbsvicetto dev-db/phpmyadmin: Drop old and vulnerable versions.

There should be nothing left to do in this bug.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-08-16 18:08:42 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #15)
> 
> There should be nothing left to do in this bug.

phpmyadmin-4.0.10.1 is still in the tree, and based on the information from the CVE it is still vulnerable.
Comment 17 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-08-17 17:14:52 UTC
(In reply to Yury German from comment #16)
> (In reply to Jorge Manuel B. S. Vicetto from comment #15)
> > 
> > There should be nothing left to do in this bug.
> 
> phpmyadmin-4.0.10.1 - is still in tree, and based on the information from
> the CVE it is still vulnerable.

http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_4.0.10.1__4.1.14.2_and_4.2.6_are_released

Since these were all released at the same time, I believe the security issue tracked in this bug doesn't affect 4.0.10.1.
In any case, the only reason I added it to the tree was that upstream seems to still be actively supporting it. If no one cares about it, I don't mind keeping just 4.1 and 4.2 series in the tree.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2014-08-19 04:28:49 UTC
I was going by the text in the URLs provided; 4.0.10.1 was released after 4.1.7.

But in either case, we will have to bump to 4.0.10.2 (if you want to keep the 4.0.x tree) as part of bugs 517858 and 514894, as 4.0.10.2 contains the same fixes.

This is cleaned up though.