Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 67409 - dev-db/phpmyadmin: 2.6.0-pl2 released with security fix
Summary: dev-db/phpmyadmin: 2.6.0-pl2 released with security fix
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major
Assignee: Gentoo Security
URL: http://sourceforge.net/forum/forum.ph...
Whiteboard: B1 [glsa] koon
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-13 09:25 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-10-30 22:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-13 09:25:42 UTC
from release note:

This is patch level 2 of phpMyAdmin 2.6.0, containing a security fix and a few other fixes (see ChangeLog). 
 
Security fix: If PHP is not running in safe mode, a problem in the MIME-based transformation system (with an "external" transformation) allows to execute any command with the privileges of the web server's user.

______

http://secunia.com/advisories/12813/

Critical: Highly critical
Impact:	System access
Where:	From remote
Solution Status:	Vendor Patch

Software:	phpMyAdmin 2.x


Description:
A vulnerability has been reported in phpMyAdmin, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a problem in the MIME-based transformation system with "external" transformations. This can be exploited to execute arbitrary commands.

Successful exploitation requires that PHP's safe mode is disabled.

Solution:
Update to version 2.6.0-pl2.
http://www.phpmyadmin.net/home_page/

Provided and/or discovered by:
Reported by vendor.

__________________

twp, please bump the ebuild
Comment 1 Tom Payne (RETIRED) gentoo-dev 2004-10-13 16:22:03 UTC
OK, 2.6.0-pl2 in CVS, 2.6.0 removed. Not heavily tested. I'll close the bug in a couple of days unless there are reported problems.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-14 01:25:44 UTC
Tom: please don't close the bug, we've still security work to do on it.

It's unclear if the vulnerability affects all phpmyadmin versions or just the 2.6.0 series. Could you look into it ? The stable keywords need is not the same in each case...
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-14 02:36:01 UTC
according to http://www.heise.de/security/news/meldung/52132 (german) all versions since 2.5 are affected, since the transformation system (http://www.phpmyadmin.net/documentation/#transformations) has been implemented there for the first time
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-10-14 02:43:13 UTC
OK, then we need to keyword it stable as in 2.5.7_p1.
Arches, please test and mark dev-db/phpmyadmin-2.6.0_p2 stable

Comment 5 Jochen Maes (RETIRED) gentoo-dev 2004-10-14 03:05:58 UTC
stable on ppc
Comment 6 Guy Martin (RETIRED) gentoo-dev 2004-10-14 04:38:59 UTC
Stable on hppa.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-10-14 20:48:31 UTC
Stable on sparc
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-15 03:36:00 UTC
Stable on alpha.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-10-16 03:35:59 UTC
GLSA drafted, blocked by amd64 missing keyword.
Comment 10 Danny van Dyk (RETIRED) gentoo-dev 2004-10-16 07:33:17 UTC
stable on amd64.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-10-18 05:11:45 UTC
GLSA 200410-14