Bug 714014 (CVE-2020-10802, CVE-2020-10803, CVE-2020-10804, PMASA-2020-2, PMASA-2020-3, PMASA-2020-4)

Summary:	<dev-db/phpmyadmin-{4.9.5,5.0.2}: Multiple vulnerabilities (CVE-2020-{10802,10803,10804} / PMASA-2020-{3,4,2})
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	jmbsvicetto, web-apps
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=717630
Whiteboard:	B4 [noglsa cve]
Package list:	=dev-db/phpmyadmin-4.9.5 amd64 ppc64 ppc sparc x86	Runtime testing required:	---

Description Sam James archtester

2020-03-22 17:09:30 UTC

1) CVE-2020-10802
Description:
"In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table."

Advisory: https://www.phpmyadmin.net/security/PMASA-2020-3/
Patch: https://github.com/phpmyadmin/phpmyadmin/commit/a8acd7a42cf743186528b0453f90aaa32bfefabe

2) CVE-2020-10803
Description:
"In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack."

Advisory: https://www.phpmyadmin.net/security/PMASA-2020-4/
Patches:
* https://github.com/phpmyadmin/phpmyadmin/commit/46a7aa7cd4ff2be0eeb23721fbf71567bebe69a5
* https://github.com/phpmyadmin/phpmyadmin/commit/6b9b2601d8af916659cde8aefd3a6eaadd10284a

3) CVE-2020-10804
Description:
"In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges)."

Advisory: https://www.phpmyadmin.net/security/PMASA-2020-2/
Patch: same as 10803

Comment 1 Larry the Git Cow gentoo-dev

2020-03-24 15:15:30 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=2f792e1787303bdb871267f8e9fbf75d7085d893

commit 2f792e1787303bdb871267f8e9fbf75d7085d893
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-03-24 15:05:09 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-03-24 15:05:09 +0000

    dev-db/phpmyadmin: Security bump - CVE-2020-{10802,10803,10804} PMASA-2020-{3,4,2}
    
    Add 4.9.5 and 5.0.2 releases to address the following security advisories.
    PMASA-2020-2: SQL injection vulnerability in the user accounts page, particularly when changing a password
    PMASA-2020-3: SQL injection vulnerability relating to the search feature
    PMASA-2020-4: SQL injection and XSS having to do with displaying results
    Bug: https://bugs.gentoo.org/714014
    
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  2 +
 dev-db/phpmyadmin/phpmyadmin-4.9.5.ebuild | 61 +++++++++++++++++++++++++++++++
 dev-db/phpmyadmin/phpmyadmin-5.0.2.ebuild | 61 +++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2020-03-24 15:23:10 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a81c2975bff0bf2f8f4dce7c9a98628dd3b9c10d

commit a81c2975bff0bf2f8f4dce7c9a98628dd3b9c10d
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-03-24 15:22:32 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-03-24 15:22:58 +0000

    dev-db/phpmyadmin: Security bump - CVE-2020-{10802,10803,10804}.
    
    Add 4.9.5 and 5.0.2 releases to address the following security advisories.
    CVE-2020-{10802,10803,10804} - PMASA-2020-{3,4,2}
    PMASA-2020-2: SQL injection vulnerability in the user accounts page,
    particularly when changing a password
    PMASA-2020-3: SQL injection vulnerability relating to the search feature
    PMASA-2020-4: SQL injection and XSS having to do with displaying results
    Bug: https://bugs.gentoo.org/714014
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  2 +
 dev-db/phpmyadmin/phpmyadmin-4.9.5.ebuild | 61 +++++++++++++++++++++++++++++++
 dev-db/phpmyadmin/phpmyadmin-5.0.2.ebuild | 61 +++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+)

Comment 3 Sam James archtester

2020-03-24 15:24:53 UTC

@maintainer(s), please advise if ready for stabilisation, or call yourself.

Comment 4 Sam James archtester

2020-03-24 15:53:39 UTC

Vulnerable versions dropped: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a9e195c3ec8bde5b3aa7d13000d04d00e1cdbe7

Comment 5 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure

2020-03-24 18:39:24 UTC

Apologies for the revert, but I was too quick and dropped the last stable.
I've now kept the last stable and dropped the other vulnerable versions.

https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-db/phpmyadmin?id=2a9e195c3ec8bde5b3aa7d13000d04d00e1cdbe7
https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-db/phpmyadmin?id=3f6197b0b73bf7182a32ecdb1eec5489fa28601d
https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-db/phpmyadmin?id=1148c00d1dee62dd9939df5d9a6a432d623db50a

Comment 6 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure

2020-03-24 18:42:00 UTC

Arch teams, please add stable keywords.

Desired keywords:
KEYWORDS="~alpha amd64 ~arm ~hppa ~ia64 ppc ppc64 sparc x86 ~ppc-macos ~x64-macos ~x86-macos"

Comment 7 Agostino Sarubbo gentoo-dev

2020-04-03 12:05:33 UTC

amd64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2020-04-03 12:12:43 UTC

ppc stable

Comment 9 Agostino Sarubbo gentoo-dev

2020-04-03 12:16:59 UTC

sparc stable

Comment 10 Agostino Sarubbo gentoo-dev

2020-04-03 13:12:50 UTC

x86 stable

Comment 11 Agostino Sarubbo gentoo-dev

2020-04-03 15:23:32 UTC

ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 12 NATTkA bot gentoo-dev

2020-04-12 19:21:33 UTC

Resetting sanity check; package list is empty or all packages are done.

Comment 13 Larry the Git Cow gentoo-dev

2020-04-15 23:56:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d702e013bdd2e04a3f78e09c7b198d24b7e8e4ad

commit d702e013bdd2e04a3f78e09c7b198d24b7e8e4ad
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-04-15 23:55:49 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-04-15 23:56:15 +0000

    dev-db/phpmyadmin: Drop vulnerable release.
    
    Bug: https://bugs.gentoo.org/714014
    Bug: https://bugs.gentoo.org/715660
    Bug: https://bugs.gentoo.org/717630
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  1 -
 dev-db/phpmyadmin/phpmyadmin-4.9.2.ebuild | 61 -------------------------------
 2 files changed, 62 deletions(-)