Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 668914 (CVE-2018-15605)

Summary: <dev-db/phpmyadmin-4.8.3: XSS in the import dialog (CVE-2018-15605)
Product: Gentoo Security Reporter: René Fuchs <r.fuchs>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: jmbsvicetto, jstein, web-apps
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.phpmyadmin.net/security/PMASA-2018-5/
Whiteboard: B4 [noglsa cve]
Package list:
dev-db/phpmyadmin-4.8.3-r1
 Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 645700, 648330    

Description René Fuchs 2018-10-18 08:06:57 UTC 
dev-db/phpmyadmin-4.8.3 version bump Request

phpMyAdmin 4.8.3
Released 2018-08-22.
Comment 1 Larry the Git Cow gentoo-dev 2018-10-21 15:14:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=d307e699d7a1e49a3cd8c81f277925983d430473

commit d307e699d7a1e49a3cd8c81f277925983d430473
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2018-10-21 15:10:42 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2018-10-21 15:10:42 +0000

    dev-db/phpmyadmin: Security bump to release 4.8.3 (PMASA-2018-5).
    
    Bug: https://bugs.gentoo.org/668914
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                                             | 2 +-
 dev-db/phpmyadmin/{phpmyadmin-4.8.2.ebuild => phpmyadmin-4.8.3.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 2 Larry the Git Cow gentoo-dev 2018-10-22 02:08:07 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c663ae115b2cbacf06919d783f642c37b44c8d46

commit c663ae115b2cbacf06919d783f642c37b44c8d46
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2018-10-22 02:06:08 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2018-10-22 02:06:52 +0000

    dev-db/phpmyadmin: Security bump to release 4.8.3 (PMASA-2018-5).
    
    Bug: https://bugs.gentoo.org/668914
    Package-Manager: Portage-2.3.50, Repoman-2.3.11
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  1 +
 dev-db/phpmyadmin/phpmyadmin-4.8.3.ebuild | 61 +++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
Comment 3 Vlad K. 2018-10-26 09:00:45 UTC 
CVE-2018-15605, please set the Alias too?

--
Gentoo Security Scout
Vladimir Krstulja
Comment 4 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2018-10-26 09:55:47 UTC 
(In reply to Vlad K. from comment #3)
> CVE-2018-15605, please set the Alias too?
> 
> --
> Gentoo Security Scout
> Vladimir Krstulja

Done
Comment 5 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2018-10-26 10:06:38 UTC 
@arch teams, please add stable keywords to =dev-db/phpmyadmin-4.8.2

Desired keywords:
=dev-db/phpmyadmin-4.8.2 KEYWORDS="alpha amd64 ~arm ~hppa ~ia64 ppc ppc64 ~sparc x86 ~x86-fbsd ~ppc-macos ~x64-macos ~x86-macos"


@sparc:

Not sure if you want to keep stable keywords or not.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-28 21:30:09 UTC 
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2018-10-29 10:33:53 UTC 
amd64 stable
Comment 8 Rolf Eike Beer archtester 2018-11-08 07:52:09 UTC 
sparc stable
Comment 9 ernsteiswuerfel archtester 2018-11-26 22:26:12 UTC 
Looking good on ppc64.

# cat phpmyadmin-668914.report 
USE tests started on Mo 26. Nov 23:16:09 CET 2018

FEATURES=' test' USE='' succeeded for =dev-db/phpmyadmin-4.8.3-r1
USE='-setup -vhosts' succeeded for =dev-db/phpmyadmin-4.8.3-r1
USE='setup -vhosts' succeeded for =dev-db/phpmyadmin-4.8.3-r1
USE='-setup vhosts' succeeded for =dev-db/phpmyadmin-4.8.3-r1
USE='setup vhosts' succeeded for =dev-db/phpmyadmin-4.8.3-r1

And looking good on ppc.

# cat /mnt/mychroot/root/tatt/phpmyadmin-668914.report 
USE tests started on Mo 26. Nov 20:16:06 CET 2018

FEATURES=' test' USE='' succeeded for =dev-db/phpmyadmin-4.8.3-r1
USE='-setup -vhosts' succeeded for =dev-db/phpmyadmin-4.8.3-r1
USE='setup -vhosts' succeeded for =dev-db/phpmyadmin-4.8.3-r1
USE='-setup vhosts' succeeded for =dev-db/phpmyadmin-4.8.3-r1
USE='setup vhosts' succeeded for =dev-db/phpmyadmin-4.8.3-r1
Comment 10 Larry the Git Cow gentoo-dev 2018-11-27 20:57:37 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bfb211f99720b2d0634ea16675ecc385cb739247

commit bfb211f99720b2d0634ea16675ecc385cb739247
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-27 20:57:01 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-27 20:57:01 +0000

    dev-db/phpmyadmin-4.8.3-r1: alpha stable
    
    Bug: http://bugs.gentoo.org/668914
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-db/phpmyadmin/phpmyadmin-4.8.3-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2018-11-27 20:58:54 UTC 
Stable on alpha.
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-27 23:59:28 UTC 
ppc/ppc64 stable thanks to ernsteiswuerfel!