Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 502002 (CVE-2014-1879) - <dev-db/phpmyadmin-4.1.7: XSS in import.php (CVE-2014-1879)
Summary: <dev-db/phpmyadmin-4.1.7: XSS in import.php (CVE-2014-1879)
Status: RESOLVED FIXED
Alias: CVE-2014-1879
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-21 15:16 UTC by Agostino Sarubbo
Modified: 2014-08-19 04:28 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-02-21 15:16:28 UTC
From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-1879 to
the following vulnerability:

Name: CVE-2014-1879
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1879
Assigned: 20140207
Reference: http://www.phpmyadmin.net/home_page/security/PMASA-2014-1.php
Reference: https://github.com/phpmyadmin/phpmyadmin/commit/968d5d5f486820bfa30af046f063b9f23304e14a

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin
before 4.1.7 allows remote authenticated users to inject arbitrary web
script or HTML via a crafted filename in an import action.


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-02-23 20:56:51 UTC
@arches:

please test and mark stable phpmyadmin-4.1.7.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-24 00:50:19 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #1)
> @arches:
> 
> please test and mark stable phpmyadmin-4.1.7.

No, like this, please:

Arch teams, please test and mark stable:
=dev-db/phpmyadmin-4.1.7
Targeted stable KEYWORDS : alpha amd64 hppa ppc ppc64 sparc x86
Comment 3 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-02-24 05:42:09 UTC
(In reply to Jeroen Roovers from comment #2)
> (In reply to Jorge Manuel B. S. Vicetto from comment #1)
> > @arches:
> > 
> > please test and mark stable phpmyadmin-4.1.7.
> 
> No, like this, please:
> 
> Arch teams, please test and mark stable:
> =dev-db/phpmyadmin-4.1.7
> Targeted stable KEYWORDS : alpha amd64 hppa ppc ppc64 sparc x86

Sorry about that.

ia64:

I see you don't have any version stable. Are you interested in adding it to the stable tree?
Comment 4 Agostino Sarubbo gentoo-dev 2014-02-24 05:57:56 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #3)
> ia64:
> 
> I see you don't have any version stable. Are you interested in adding it to
> the stable tree?

no
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-24 13:48:19 UTC
Stable for HPPA.
Comment 6 Sergey Popov gentoo-dev 2014-02-28 12:35:27 UTC
amd64/x86 stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-02-28 12:47:02 UTC
CVE-2014-1879 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1879):
  Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before
  4.1.7 allows remote authenticated users to inject arbitrary web script or
  HTML via a crafted filename in an import action.
Comment 8 Agostino Sarubbo gentoo-dev 2014-03-12 10:37:37 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-03-16 11:08:13 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-03-19 14:13:59 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-03-24 14:29:23 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2014-05-15 04:48:34 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-06-10 00:59:19 UTC
Maintainer(s), please drop the vulnerable version.

GLSA Vote: no
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-06-17 23:47:48 UTC
No GLSA for Cross Site Scripting

The vulnerable versions have been around since 2014-03-24, please clean up.
Comment 15 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-08-14 12:38:42 UTC
12:37 < irker982> gentoo-x86: jmbsvicetto dev-db/phpmyadmin: Drop old and vulnerable versions.

There should be nothing left to do in this bug.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-08-16 18:08:42 UTC
(In reply to Jorge Manuel B. S. Vicetto from comment #15)
> 
> There should be nothing left to do in this bug.

phpmyadmin-4.0.10.1 - is still in tree, and based on the information from the CVE it is still vulnerable.
Comment 17 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2014-08-17 17:14:52 UTC
(In reply to Yury German from comment #16)
> (In reply to Jorge Manuel B. S. Vicetto from comment #15)
> > 
> > There should be nothing left to do in this bug.
> 
> phpmyadmin-4.0.10.1 - is still in tree, and based on the information from
> the CVE it is still vulnerable.

http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_4.0.10.1__4.1.14.2_and_4.2.6_are_released

Since these were all released at the same time, I believe the security issue tracked in this bug doesn't affect 4.0.10.1.
In any case, the only reason I added it to the tree was that upstream seems to still be actively supporting it. If no one cares about it, I don't mind keeping just 4.1 and 4.2 series in the tree.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2014-08-19 04:28:49 UTC
I was going by the text in the URL's provided, 4.0.10.1 was released after 4.1.7.

But in either case, we will have to bump to 4.0.10.2 (if you want to keep 4.0.X tree) as part of Bug 517858 & 514894 as 4.0.10.2 contains the same fixes. 

This is cleaned up though.