Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 549540 (CVE-2015-3902) - <dev-db/phpmyadmin-{4.0.10.10,4.2.13.3,4.3.13.1,4.4.6.1}: multiple vulnerabilities (CVE-2015-{3902,3903})
Summary: <dev-db/phpmyadmin-{4.0.10.10,4.2.13.3,4.3.13.1,4.4.6.1}: multiple vulnerabil...
Status: RESOLVED FIXED
Alias: CVE-2015-3902
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-15 10:28 UTC by Agostino Sarubbo
Modified: 2015-07-23 17:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-05-15 10:28:20 UTC
From http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php:

PMASA-2015-2

Announcement-ID: PMASA-2015-2

Date: 2015-05-13

Summary

XSRF/CSRF vulnerability in phpMyAdmin setup.

Description

By deceiving a user to click on a crafted URL, it is possible to alter the configuration file being generated with phpMyAdmin setup.

Severity

We consider this vulnerability to be non critical.

Mitigation factor

This vulnerability only affects the configuration file generation process and does not affect the effective configuration file. Moreover, the configuration file being generated is at risk only during the period when it's writable.

Affected Versions

Versions 4.0.x (prior to 4.0.10.10), 4.2.x (prior to 4.2.13.3), 4.3.x (prior to 4.3.13.1) and 4.4.x (prior to 4.4.6.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.10 or newer, or 4.2.13.3 or newer, or 4.3.13.1 or newer, or 4.4.6.1 or newer, or apply the patch listed below.

References

Thanks to Inti De Ceukelaire (http://ceukelai.re) for reporting this vulnerability.

Assigned CVE ids: CVE-2015-3902

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made to fix this issue:

ee92eb9bab8e2d546756c1d4aec81ec7c8e44b83
The following commits have been made on the 4.3 branch to fix this issue:

9817bd4030de949ba9ce4cd1b3f047e22d8f66bd
The following commits have been made on the 4.2 branch to fix this issue:

c903ecf6751684b6af2d079c78b1f0d09ea2bd47
The following commits have been made on the 4.0 branch to fix this issue:

fea1d39fef540afa4105c6fbcc849f7e516f3da8



From http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php:

PMASA-2015-3

Announcement-ID: PMASA-2015-3

Date: 2015-05-13

Summary

Vulnerability allowing man-in-the-middle attack on API call to GitHub.

Description

A vulnerability in the API call to GitHub can be exploited to perform a man-in-the-middle attack.

Severity

We consider this vulnerability to be serious.

Affected Versions

Versions 4.0.x (prior to 4.0.10.10), 4.2.x (prior to 4.2.13.3), 4.3.x (prior to 4.3.13.1) and 4.4.x (prior to 4.4.6.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.10 or newer, or 4.2.13.3 or newer, or 4.3.13.1 or newer, or 4.4.6.1 or newer, or apply the patch listed below.

References

Thanks to Maksymilian Arciemowicz of http://cxsecurity.com for reporting this vulnerability.

Assigned CVE ids: CVE-2015-3903

CWE ids: CWE-661 CWE-295

Patches

The following commits have been made to fix this issue:

5ebc4daf131dd3bd646326267f3e765d0249bbb4
The following commits have been made on the 4.3 branch to fix this issue:

75499e790429c491840a0ad31d4de84aca215d23
The following commits have been made on the 4.2 branch to fix this issue:

0e18931d9e4b23053285b6fddf3493ca426ff684
The following commits have been made on the 4.0 branch to fix this issue:

e97e7fb0ea2dedfaa95c7dbe872027fb4bd4204c



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2015-05-16 02:43:06 UTC
02:40 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump phpmyadmin to releases 4.0.10.10, 4.2.13.3, 4.3.13.1 and 4.4.6.1. This bump addresses PMASA-2015-{2,3} and fixes bug 549540. Drop old versions and 4.1 series.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-06-06 14:08:45 UTC
Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-06-06 14:13:25 UTC
CVE-2015-3903 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3903):
  libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x
  before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables
  X.509 certificate verification for GitHub API calls over SSL, which allows
  man-in-the-middle attackers to spoof servers and obtain sensitive
  information via a crafted certificate.

CVE-2015-3902 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3902):
  Multiple cross-site request forgery (CSRF) vulnerabilities in the setup
  process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x
  before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack
  the authentication of administrators for requests that modify the
  configuration file.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-07-16 12:17:20 UTC
Ping on stabilization? It has been 30+ days in tree.
Are we ready for stabilization?
Comment 5 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2015-07-17 00:42:17 UTC
(In reply to Yury German from comment #4)
> Ping on stabilization? It has been 30+ days in tree.
> Are we ready for stabilization?

I forgot about this bug.
Please move forward with the stabilization.

TARGET_KEYWORDS="alpha amd64 hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd ~ppc-macos ~x64-macos ~x86-macos"

Please add stable keywords to:

=dev-db/phpmyadmin-4.3.13.1
=dev-db/phpmyadmin-4.4.6.1
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-17 05:15:56 UTC
Stable for PPC64.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-17 06:04:51 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2015-07-17 07:41:42 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-07-17 07:41:57 UTC
x86 stable
Comment 10 Tobias Klausmann gentoo-dev 2015-07-17 16:42:32 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2015-07-23 09:03:55 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-07-23 09:37:29 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2015-07-23 17:11:11 UTC
(In reply to Agostino Sarubbo from comment #12)
> Maintainer(s), please cleanup.

17:10 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Drop vulnerable version - bug 549540.

Done.
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-23 17:12:17 UTC
GLSA vote: no.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-07-23 17:40:41 UTC
GLSA Vote: No
Thank you all. Closing as noglsa.