Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 701830 (CVE-2019-18622)

Summary: <dev-db/phpmyadmin-4.9.2: a crafted database/table name can be used to trigger an SQL injection attack through the designer feature (CVE-2019-18622)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: jmbsvicetto, web-apps
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.phpmyadmin.net/security/PMASA-2019-5/
Whiteboard: B2 [glsa+ cve]
Package list:
=dev-db/phpmyadmin-4.9.2 amd64 ppc ppc64 sparc x86
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-02 22:52:06 UTC
CVE-2019-18622 (https://nvd.nist.gov/vuln/detail/CVE-2019-18622):
  An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table
  name can be used to trigger an SQL injection attack through the designer
  feature.
Comment 1 Miroslav Šulc gentoo-dev 2019-12-03 10:37:23 UTC
we have 4.9.2 (unaffected) in the tree for ~2 days.

commit b393a9bdd8e49c2a75c1760190fd864362b8532f
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Sun Dec 1 19:37:04 2019 +0100

    dev-db/phpmyadmin-4.9.2: bump
    
    Closes: https://bugs.gentoo.org/701672
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

it's security and bugfix release: https://www.phpmyadmin.net/news/2019/11/22/phpmyadmin-492-released/

i suppose it can go stable so archs please stabilize.
Comment 2 Agostino Sarubbo gentoo-dev 2019-12-09 13:10:52 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-10 08:54:21 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-12-10 08:56:39 UTC
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-12-10 08:57:18 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-10 10:56:01 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 Larry the Git Cow gentoo-dev 2019-12-10 11:03:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6b3b97b42cb8014c6beb424a3d7e604e3e1f052

commit d6b3b97b42cb8014c6beb424a3d7e604e3e1f052
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-12-10 11:02:51 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-12-10 11:02:51 +0000

    dev-db/phpmyadmin-4.9.1: removed old and vulnerable
    
    Bug: https://bugs.gentoo.org/701830
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  1 -
 dev-db/phpmyadmin/phpmyadmin-4.9.1.ebuild | 61 -------------------------------
 2 files changed, 62 deletions(-)
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 16:05:37 UTC
New GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2020-03-19 16:21:05 UTC
This issue was resolved and addressed in
 GLSA 202003-39 at https://security.gentoo.org/glsa/202003-39
by GLSA coordinator Thomas Deutschmann (whissi).