Bug 530054 - <dev-db/phpmyadmin-{4.0.10.6,4.1.14.7,4.2.13}: multiple vulnerabilities (CVE-2014-{8958,8959,8960,8961})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks: CVE-2014-6300 CVE-2014-7217 CVE-2014-8326
Reported: 2014-11-21 15:19 UTC by Agostino Sarubbo
Modified: 2015-05-31 19:21 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-11-21 15:55:11 UTC
Also fixed, for the affected issues, in version:
4.0.10.6

I'm already working on the bump and hope to commit the new versions to the tree later today.
Comment 2 Agostino Sarubbo gentoo-dev 2014-11-21 16:18:28 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #1)
> Also fixed, for the affected issues, in version:
> 4.0.10.6

No.

4.0.10.6 fixes only pmasa 13 and 14
Comment 3 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-11-21 17:16:52 UTC
(In reply to Agostino Sarubbo from comment #2)
> (In reply to Jorge Manuel B. S. Vicetto from comment #1)
> > Also fixed, for the affected issues, in version:
> > 4.0.10.6
> 
> No.
> 
> 4.0.10.6 fixes only pmasa 13 and 14

As I said, it fixes the issues that affect that version. The 4.0 series is not affected by pmasa 15 and 16 (at least that's what I read in the advisories).
Comment 4 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-11-22 05:04:23 UTC
05:03 < irker179> gentoo-x86: jmbsvicetto dev-db/phpmyadmin: Version bumps to address PMASA-2014-{13,14,15,16} - fixes bug 530054.
Comment 5 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-12-01 22:03:26 UTC
@arch teams,

please mark stable the following versions:

4.0.10.6
4.1.14.7
4.2.13

Target KEYWORDS="alpha amd64 ppc ppc64 sparc x86".

I just added 4.2.13, but it should be the last feature release of the 4.2 series and I noticed at least 2 or 3 new calls to htmlspecialchars in the diff between 4.2.12 and 4.2.13.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-02 08:30:34 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #5)
> please mark stable the following versions:

You mean:

=dev-db/phpmyadmin-4.0.10.6
=dev-db/phpmyadmin-4.1.14.7
=dev-db/phpmyadmin-4.2.13

But why 4.0.10.6?
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-02 10:21:26 UTC
Stable for HPPA.
Comment 8 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-12-02 11:19:39 UTC
(In reply to Jeroen Roovers from comment #6)
> (In reply to Jorge Manuel B. S. Vicetto from comment #5)
> > please mark stable the following versions:
> 
> You mean:
> 
> =dev-db/phpmyadmin-4.0.10.6
> =dev-db/phpmyadmin-4.1.14.7
> =dev-db/phpmyadmin-4.2.13
> 
> But why 4.0.10.6?

Upstream is still supporting it. But if you want to reduce your arch load, feel free to drop the keywords for that series.
I've added the 4.3 series to the tree, so we could reduce the number of supported series.
Comment 9 Agostino Sarubbo gentoo-dev 2014-12-02 11:48:15 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-02 11:50:29 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-12-03 10:02:20 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-04 08:28:12 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-12-23 09:37:04 UTC
alpha stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-12-26 09:29:41 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 22:34:10 UTC
CVE-2014-8961 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8961):
  Directory traversal vulnerability in libraries/error_report.lib.php in the
  error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before
  4.2.12 allows remote authenticated users to obtain potentially sensitive
  information about a file's line count via a crafted parameter.

CVE-2014-8960 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8960):
  Cross-site scripting (XSS) vulnerability in libraries/error_report.lib.php
  in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x
  before 4.2.12 allows remote authenticated users to inject arbitrary web
  script or HTML via a crafted filename.

CVE-2014-8959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8959):
  Directory traversal vulnerability in libraries/gis/GIS_Factory.class.php in
  the GIS editor in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7,
  and 4.2.x before 4.2.12 allows remote authenticated users to include and
  execute arbitrary local files via a crafted geometry-type parameter.

CVE-2014-8958 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8958):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x
  before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allow remote
  authenticated users to inject arbitrary web script or HTML via a crafted (1)
  database, (2) table, or (3) column name that is improperly handled during
  rendering of the table browse page; a crafted ENUM value that is improperly
  handled during rendering of the (4) table print view or (5) zoom search
  page; or (6) a crafted pma_fontsize cookie that is improperly handled during
  rendering of the home page.
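The four NVD entries above do not share one affected range: CVE-2014-8958 and CVE-2014-8959 cover 4.0.x, 4.1.x and 4.2.x, while CVE-2014-8960 and CVE-2014-8961 list only 4.1.x and 4.2.x, which is the distinction argued over in comments 2 and 3. The Python below is an added example, not code from Gentoo or from phpMyAdmin, that encodes those ranges exactly as the NVD text states them and reports which of the four CVEs cover a given installed version. The function names, the sample version strings and the handling of Gentoo `-rN` and pre-release suffixes are my assumptions. Note that NVD names 4.2.12 as the first fixed 4.2 release whereas this bug stabilized 4.2.13; the check uses the NVD value.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges copied from the NVD text quoted in comment 15:
# series -> first version in that series that is NOT affected.
# CVE-2014-8960/8961 list only 4.1.x and 4.2.x, so 4.0 is absent from their maps.
AFFECTED: Dict[str, Dict[str, str]] = {
    "CVE-2014-8958": {"4.0": "4.0.10.6", "4.1": "4.1.14.7", "4.2": "4.2.12"},
    "CVE-2014-8959": {"4.0": "4.0.10.6", "4.1": "4.1.14.7", "4.2": "4.2.12"},
    "CVE-2014-8960": {"4.1": "4.1.14.7", "4.2": "4.2.12"},
    "CVE-2014-8961": {"4.1": "4.1.14.7", "4.2": "4.2.12"},
}


def parse_version(v: str) -> Version:
    """'4.2.12' -> (4, 2, 12).

    Only the leading dotted integers are kept; a Gentoo revision (-r1) or a
    pre-release suffix (_beta1) is dropped. Assumption: the upstream fix is what
    the NVD ranges describe, so an ebuild revision does not change the answer.
    """
    m = re.match(r"\d+(?:\.\d+)*", v)
    if m is None:
        raise ValueError(f"not a version string: {v!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def series_of(v: Version) -> str:
    """Major.minor series used as the key into AFFECTED, e.g. (4, 1, 14, 3) -> '4.1'."""
    if len(v) < 2:
        raise ValueError(f"need at least major.minor: {v}")
    return f"{v[0]}.{v[1]}"


def affecting_cves(version: str) -> List[str]:
    """Sorted CVE ids from this bug whose NVD range covers `version`.

    A version whose series is absent from a CVE's map (4.0.x for CVE-2014-8960,
    or anything in 4.3.x) is reported as not affected by it: that is what the
    NVD wording says and nothing more. Python compares tuples element-wise,
    so (4, 0, 10, 5) < (4, 0, 10, 6) and (4, 2, 13) is not < (4, 2, 12).
    """
    v = parse_version(version)
    series = series_of(v)
    hits = [
        cve
        for cve, first_fixed in AFFECTED.items()
        if series in first_fixed and v < parse_version(first_fixed[series])
    ]
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample versions: the one comment 17 asks to drop, the three
    # stabilized in this bug, and a 4.3 release that these ranges do not cover.
    for sample in ("4.1.14.3", "4.0.10.5-r1", "4.0.10.6", "4.1.14.7", "4.2.13", "4.3.0"):
        hits = affecting_cves(sample)
        print(f"{sample:12} {'affected by ' + ', '.join(hits) if hits else 'not in these ranges'}")
```

Feed it the version of the installed ebuild (the `PV` of whatever `dev-db/phpmyadmin` is merged). A pre-release such as `4.4.0_beta1` is compared as if it were the final `4.4.0`, so treat results on pre-release builds as approximate; and a 4.3.x result of "not in these ranges" only means the four NVD entries do not mention that series, not that 4.3 was audited.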
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-12-29 04:02:50 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.

GLSA Vote: Yes
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2014-12-29 06:04:13 UTC
Please drop vulnerable version: 
Version 4.1.14.3 - Needs to be dropped as it is vulnerable to multiple vulnerabilities covered in 4 other Bugs.

Setting those bugs Dependencies for cleanup of this one.
Comment 18 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2015-03-14 15:38:12 UTC
15:33 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump phpmyadmin to the latest releases and add 4.4.0_beta1. Address CVE-2014-{9218,9219} - fixes bug 531684. Address PMASA-2015-1 - fixes bug 542218. Drop old vulnerable versions.

Old version cleaned.
Comment 19 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-14 15:46:59 UTC
GLSA Vote: (In reply to Yury German from comment #16)
> Arches, Thank you for your work
> Maintainer(s), please drop the vulnerable version.
> 
> GLSA Vote: Yes

GLSA Vote: Yes. Together with bug 522844, bug 524366, bug 526416

GLSA Request filed.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2015-05-31 19:21:33 UTC
This issue was resolved and addressed in
 GLSA 201505-03 at https://security.gentoo.org/glsa/201505-03
by GLSA coordinator Kristian Fiskerstrand (K_F).