Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 747805 (CVE-2020-26934, CVE-2020-26935) - <dev-db/phpmyadmin-{4.9.6,5.0.3}: multiple vulnerabilities (CVE-2020-{26934,26935})
Summary: <dev-db/phpmyadmin-{4.9.6,5.0.3}: multiple vulnerabilities (CVE-2020-{26934,2...
Status: RESOLVED FIXED
Alias: CVE-2020-26934, CVE-2020-26935
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.phpmyadmin.net/security/P...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-11 12:20 UTC by filip ambroz
Modified: 2021-01-27 16:15 UTC (History)
4 users (show)

See Also:
Package list:
dev-db/phpmyadmin-4.9.6
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description filip ambroz 2020-10-11 12:20:50 UTC
CVE-2020-26934 (PMASA-2020-5):
------------------------------
A vulnerability was discovered where an attacker can cause an XSS attack through the transformation feature.

If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker.

Links:
https://www.phpmyadmin.net/security/PMASA-2020-5/
https://nvd.nist.gov/vuln/detail/CVE-2020-26934

Patch:
https://github.com/phpmyadmin/phpmyadmin/commit/19df63b0365621427697edc185ff7c9c5707c523



CVE-2020-26935 (PMASA-2020-6):
------------------------------
An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query.

Links:
https://www.phpmyadmin.net/security/PMASA-2020-6/
https://nvd.nist.gov/vuln/detail/CVE-2020-26935

Patch:
https://github.com/phpmyadmin/phpmyadmin/commit/d09ab9bc9d634ad08b866d42bb8c4109869d38d2


Upstream considers both to be of moderate severity.
Comment 1 John Helmert III (ajak) gentoo-dev Security 2020-10-11 14:13:15 UTC
Package atom in summary should not be versioned until those versions are in tree.
Comment 2 Larry the Git Cow gentoo-dev 2020-10-14 16:08:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=db9b00696f52941c510bfa1e068038df67f7f7c5

commit db9b00696f52941c510bfa1e068038df67f7f7c5
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-10-14 16:01:24 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-10-14 16:01:24 +0000

    dev-db/phpmyadmin: Security bump (4.9.6, 5.0.3).
    
    CVE-2020-{26934,26935}
    Bug: https://bugs.gentoo.org/747805
    
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  2 +
 dev-db/phpmyadmin/phpmyadmin-4.9.6.ebuild | 61 +++++++++++++++++++++++++++++++
 dev-db/phpmyadmin/phpmyadmin-5.0.3.ebuild | 61 +++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2020-10-14 16:15:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8607d3bd46a14bb879f65b3888078562d11a3ef

commit a8607d3bd46a14bb879f65b3888078562d11a3ef
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-10-14 16:12:21 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-10-14 16:14:53 +0000

    dev-db/phpmyadmin: Security bump (4.9.6, 5.0.3).
    
    CVE-2020-{26934,26935}
    Bug: https://bugs.gentoo.org/747805
    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  2 +
 dev-db/phpmyadmin/phpmyadmin-4.9.6.ebuild | 61 +++++++++++++++++++++++++++++++
 dev-db/phpmyadmin/phpmyadmin-5.0.3.ebuild | 61 +++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+)
Comment 4 John Helmert III (ajak) gentoo-dev Security 2020-10-14 16:18:45 UTC
Thanks Jorge, please stabilize 4.9.6 when ready.
Comment 5 Sam James archtester gentoo-dev Security 2020-10-23 04:12:11 UTC
Ready?
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-10-25 23:09:21 UTC
x86 stable
Comment 7 Sam James archtester gentoo-dev Security 2020-11-01 15:05:29 UTC
amd64 done
Comment 8 Agostino Sarubbo gentoo-dev 2020-11-17 18:50:10 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-11-17 19:11:58 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-11-19 11:18:07 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Larry the Git Cow gentoo-dev 2020-11-19 19:18:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3397ead58a8062f38ef33150e4d6fd8a2123b09c

commit 3397ead58a8062f38ef33150e4d6fd8a2123b09c
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-11-19 19:18:49 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-11-19 19:18:49 +0000

    dev-db/phpmyadmin: Cleanup vulnuerable releases.
    
    Bug: https://bugs.gentoo.org/747805
    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  1 -
 dev-db/phpmyadmin/phpmyadmin-4.9.5.ebuild | 61 -------------------------------
 2 files changed, 62 deletions(-)
Comment 12 Thomas Deutschmann gentoo-dev Security 2020-11-19 19:31:23 UTC
New GLSA request filed.
Comment 13 toto 2020-12-07 14:08:14 UTC
4.9.6 don't work with php 5.6
bump to 4.9.7
Fixes this version:
* Two factor authentication was broken
* Incompatibilities with older PHP versions.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2021-01-27 16:15:34 UTC
This issue was resolved and addressed in
 GLSA 202101-35 at https://security.gentoo.org/glsa/202101-35
by GLSA coordinator Aaron Bauman (b-man).