Bug 604714 (CVE-2016-4855, CVE-2016-7405) - <dev-php/adodb-5.20.9: multiple vulnerabilities (CVE-2016-{4855,7405})
Summary: <dev-php/adodb-5.20.9: multiple vulnerabilities (CVE-2016-{4855,7405})
Status: RESOLVED FIXED
Alias: CVE-2016-4855, CVE-2016-7405
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-05 01:27 UTC by Thomas Deutschmann
Modified: 2017-01-24 10:51 UTC (History)

See Also:
Package list:
=dev-php/adodb-5.20.9
Runtime testing required: ---
stable-bot: sanity-check+


Description Thomas Deutschmann gentoo-dev 2017-01-05 01:27:17 UTC
CVE-2016-7405 (from http://www.openwall.com/lists/oss-security/2016/09/07/8):

jdavidlists reported an issue [1] with ADOdb 5.x, qstr() method,
improperly quoting strings resulting in a potential SQL injection attack
vector.

This affects only PDO-based drivers, and only in the case where the
query is built by inlining the quoted string, e.g.

$strHack = 'xxxx\\\' OR 1 -- ';
// Vulnerable: the quoted value is inlined into the SQL text
$sql = "SELECT * FROM employees WHERE name = " . $db->qstr( $strHack );
$rs = $db->getAll($sql); // dumps the whole table

Note that it is not recommended to write SQL as per the above example;
the code should be rewritten to use query parameters, like

$strHack = 'xxxx\\\' OR 1 -- ';
// Safe: the value is bound as a query parameter and compared as data only
$sql = "SELECT * FROM employees WHERE name = ?";
$rs = $db->getAll($sql, array($strHack));

Please let me know if a CVE is needed for this.

Patch for the issue is available [2], and will be included in upcoming
ADOdb v5.20.7 release.


[1] https://github.com/ADOdb/ADOdb/issues/226
[2] https://github.com/ADOdb/ADOdb/commit/bd9eca9



CVE-2016-4855 (https://jvn.jp/en/jp/JVN48237713/):

JVN#48237713
ADOdb vulnerable to cross-site scripting

Overview

ADOdb test script contains a cross-site scripting vulnerability.
Products Affected

    ADOdb versions prior to 5.20.6

Description

ADOdb is a database abstraction layer for PHP. The library's test script (test.php) contains a cross-site scripting (CWE-79) vulnerability.
Impact

An arbitrary script may be executed on the user's web browser.
Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Apply a Workaround
The developer recommends the following workaround:

    "The whole ./tests directory should be removed from client installations.
    It is only used for development purposes and not necessary for ADOdb operations."
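
To make the recommended fix concrete, the following is an added example, not ADOdb's code and not part of the advisory quoted above. It uses PHP's PDO directly against an in-memory SQLite table constructed inline (it assumes the pdo_sqlite extension is loaded) and shows the hostile string from the advisory being treated as an ordinary comparison value once it is bound as a parameter instead of being inlined as quoted SQL text.

```php
<?php
// Added example (not from ADOdb): bound parameters versus inlined quoting.
// Assumes the pdo_sqlite extension; the table and rows below are constructed
// sample data for the demonstration only.

if (!extension_loaded('pdo_sqlite')) {
    fwrite(STDERR, "pdo_sqlite extension required\n");
    exit(1);
}

function buildSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO employees (name) VALUES (?)');
    foreach (['alice', 'bob', 'carol'] as $name) { // constructed sample rows
        $ins->execute([$name]);
    }
    return $db;
}

// Safe lookup: the value travels to the engine as a bound parameter, so the
// SQL text seen by the parser is fixed and the input is only ever data.
function findEmployeesByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM employees WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildSampleDb();

// The string from the advisory. In PHP source, 'xxxx\\\' OR 1 -- ' denotes the
// value  xxxx\' OR 1 --  (one backslash followed by one single quote), which is
// exactly the shape that trips up quoting routines that only double quotes
// while the database also honours backslash escapes.
$strHack = 'xxxx\\\' OR 1 -- ';

// No employee has that literal name, so the bound query matches nothing;
// a normal lookup still works as expected.
printf("rows matched for the hostile name: %d\n", count(findEmployeesByName($db, $strHack)));
printf("rows matched for 'bob': %d\n", count(findEmployeesByName($db, 'bob')));
```

The point of the example is the separation of SQL text from data: with `prepare()`/`execute()` the driver never has to reason about which characters in the value need quoting, which is the class of error the qstr() issue above belongs to.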
Comment 1 Thomas Deutschmann gentoo-dev 2017-01-05 01:29:55 UTC
Fixed version already in tree via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf5ef14a19396a61ea2905aaf00851b9d51b17cd


@ Maintainer(s): Can we stabilize =dev-php/adodb-5.20.9?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-01-05 01:32:03 UTC
CVE-2016-7405 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7405):
  The qstr method in the PDO driver in the ADOdb Library for PHP before 5.x
  before 5.20.7 might allow remote attackers to conduct SQL injection attacks
  via vectors related to incorrect quoting.
Comment 3 Michael Orlitzky gentoo-dev 2017-01-05 01:41:43 UTC
(In reply to Thomas Deutschmann from comment #1)
> 
> @ Maintainer(s): Can we stabilize =dev-php/adodb-5.20.9?

It's probably OK. I just noticed the CVEs in the changelog and bumped this, but I haven't updated to it on our servers yet. Let's start the process; I'll update to it myself, and come back and make noise if I notice any problems.
Comment 4 Thomas Deutschmann gentoo-dev 2017-01-05 01:45:18 UTC
@ Arches,

please test and mark stable: =dev-php/adodb-5.20.9
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-05 12:41:43 UTC
Stable on alpha.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-07 01:53:17 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-10 15:26:02 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-11 10:53:57 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-15 16:06:46 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-17 14:41:35 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-18 10:06:07 UTC
ppc64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-21 11:42:27 UTC
Stable for HPPA.
Comment 13 Michael Orlitzky gentoo-dev 2017-01-21 17:07:32 UTC
jer cleaned up for me? I don't mind =P

The vulnerable versions are gone.
Comment 14 Thomas Deutschmann gentoo-dev 2017-01-21 23:57:10 UTC
New GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-01-24 10:51:33 UTC
This issue was resolved and addressed in
GLSA 201701-59 at https://security.gentoo.org/glsa/201701-59
by GLSA coordinator Aaron Bauman (b-man).