Bug 549540 (CVE-2015-3902)

Summary:	<dev-db/phpmyadmin-{4.0.10.10,4.2.13.3,4.3.13.1,4.4.6.1}: multiple vulnerabilities (CVE-2015-{3902,3903})
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	jmbsvicetto, web-apps
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa cve]
Package list:		Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2015-05-15 10:28:20 UTC

From http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php:

PMASA-2015-2

Announcement-ID: PMASA-2015-2

Date: 2015-05-13

Summary

XSRF/CSRF vulnerability in phpMyAdmin setup.

Description

By deceiving a user to click on a crafted URL, it is possible to alter the configuration file being generated with phpMyAdmin setup.

Severity

We consider this vulnerability to be non critical.

Mitigation factor

This vulnerability only affects the configuration file generation process and does not affect the effective configuration file. Moreover, the configuration file being generated is at risk only during the period when it's writable.

Affected Versions

Versions 4.0.x (prior to 4.0.10.10), 4.2.x (prior to 4.2.13.3), 4.3.x (prior to 4.3.13.1) and 4.4.x (prior to 4.4.6.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.10 or newer, or 4.2.13.3 or newer, or 4.3.13.1 or newer, or 4.4.6.1 or newer, or apply the patch listed below.

References

Thanks to Inti De Ceukelaire (http://ceukelai.re) for reporting this vulnerability.

Assigned CVE ids: CVE-2015-3902

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made to fix this issue:

ee92eb9bab8e2d546756c1d4aec81ec7c8e44b83
The following commits have been made on the 4.3 branch to fix this issue:

9817bd4030de949ba9ce4cd1b3f047e22d8f66bd
The following commits have been made on the 4.2 branch to fix this issue:

c903ecf6751684b6af2d079c78b1f0d09ea2bd47
The following commits have been made on the 4.0 branch to fix this issue:

fea1d39fef540afa4105c6fbcc849f7e516f3da8



From http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php:

PMASA-2015-3

Announcement-ID: PMASA-2015-3

Date: 2015-05-13

Summary

Vulnerability allowing man-in-the-middle attack on API call to GitHub.

Description

A vulnerability in the API call to GitHub can be exploited to perform a man-in-the-middle attack.

Severity

We consider this vulnerability to be serious.

Affected Versions

Versions 4.0.x (prior to 4.0.10.10), 4.2.x (prior to 4.2.13.3), 4.3.x (prior to 4.3.13.1) and 4.4.x (prior to 4.4.6.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.10 or newer, or 4.2.13.3 or newer, or 4.3.13.1 or newer, or 4.4.6.1 or newer, or apply the patch listed below.

References

Thanks to Maksymilian Arciemowicz of http://cxsecurity.com for reporting this vulnerability.

Assigned CVE ids: CVE-2015-3903

CWE ids: CWE-661 CWE-295

Patches

The following commits have been made to fix this issue:

5ebc4daf131dd3bd646326267f3e765d0249bbb4
The following commits have been made on the 4.3 branch to fix this issue:

75499e790429c491840a0ad31d4de84aca215d23
The following commits have been made on the 4.2 branch to fix this issue:

0e18931d9e4b23053285b6fddf3493ca426ff684
The following commits have been made on the 4.0 branch to fix this issue:

e97e7fb0ea2dedfaa95c7dbe872027fb4bd4204c



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev

2015-05-16 02:43:06 UTC

02:40 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump phpmyadmin to releases 4.0.10.10, 4.2.13.3, 4.3.13.1 and 4.4.6.1. This bump addresses PMASA-2015-{2,3} and fixes bug 549540. Drop old versions and 4.1 series.

Comment 2 Yury German Gentoo Infrastructure

2015-06-06 14:08:45 UTC

Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2015-06-06 14:13:25 UTC

CVE-2015-3903 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3903):
  libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x
  before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables
  X.509 certificate verification for GitHub API calls over SSL, which allows
  man-in-the-middle attackers to spoof servers and obtain sensitive
  information via a crafted certificate.

CVE-2015-3902 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3902):
  Multiple cross-site request forgery (CSRF) vulnerabilities in the setup
  process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x
  before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack
  the authentication of administrators for requests that modify the
  configuration file.

Comment 4 Yury German Gentoo Infrastructure

2015-07-16 12:17:20 UTC

Ping on stabilization? It has been 30+ days in tree.
Are we ready for stabilization?

Comment 5 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev

2015-07-17 00:42:17 UTC

(In reply to Yury German from comment #4)
> Ping on stabilization? It has been 30+ days in tree.
> Are we ready for stabilization?

I forgot about this bug.
Please move forward with the stabilization.

TARGET_KEYWORDS="alpha amd64 hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd ~ppc-macos ~x64-macos ~x86-macos"

Please add stable keywords to:

=dev-db/phpmyadmin-4.3.13.1
=dev-db/phpmyadmin-4.4.6.1

Comment 6 Jeroen Roovers (RETIRED) gentoo-dev

2015-07-17 05:15:56 UTC

Stable for PPC64.

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2015-07-17 06:04:51 UTC

Stable for HPPA.

Comment 8 Agostino Sarubbo gentoo-dev

2015-07-17 07:41:42 UTC

amd64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2015-07-17 07:41:57 UTC

x86 stable

Comment 10 Tobias Klausmann (RETIRED) gentoo-dev

2015-07-17 16:42:32 UTC

Stable on alpha.

Comment 11 Agostino Sarubbo gentoo-dev

2015-07-23 09:03:55 UTC

ppc stable

Comment 12 Agostino Sarubbo gentoo-dev

2015-07-23 09:37:29 UTC

sparc stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 13 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev

2015-07-23 17:11:11 UTC

(In reply to Agostino Sarubbo from comment #12)
> Maintainer(s), please cleanup.

17:10 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Drop vulnerable version - bug 549540.

Done.

Comment 14 Mikle Kolyada (RETIRED) archtester

2015-07-23 17:12:17 UTC

GLSA vote: no.

Comment 15 Yury German Gentoo Infrastructure

2015-07-23 17:40:41 UTC

GLSA Vote: No
Thank you all. Closing as noglsa.