Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 600814 (CVE-2016-4412, CVE-2016-9847, CVE-2016-9848, CVE-2016-9849, CVE-2016-9850, CVE-2016-9851, CVE-2016-9852, CVE-2016-9853, CVE-2016-9854, CVE-2016-9855, CVE-2016-9856, CVE-2016-9857, CVE-2016-9858, CVE-2016-9859, CVE-2016-9860, CVE-2016-9861, CVE-2016-9862, CVE-2016-9863, CVE-2016-9864, CVE-2016-9865, CVE-2016-9866) - <dev-db/phpmyadmin-4.6.5.1: multiple vulnerabilities
Summary: <dev-db/phpmyadmin-4.6.5.1: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-4412, CVE-2016-9847, CVE-2016-9848, CVE-2016-9849, CVE-2016-9850, CVE-2016-9851, CVE-2016-9852, CVE-2016-9853, CVE-2016-9854, CVE-2016-9855, CVE-2016-9856, CVE-2016-9857, CVE-2016-9858, CVE-2016-9859, CVE-2016-9860, CVE-2016-9861, CVE-2016-9862, CVE-2016-9863, CVE-2016-9864, CVE-2016-9865, CVE-2016-9866
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.phpmyadmin.net/news/2016/...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-25 15:54 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-05-27 00:42 UTC (History)
2 users (show)

See Also:
Package list:
=dev-db/phpmyadmin-4.6.5.1
Runtime testing required: ---
kensington: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 15:54:47 UTC 
From $URL:

The phpMyAdmin project is pleased to announce the release of phpMyAdmin versions 4.6.5 (including bug and security fixes), 4.4.15.9 (security fixes), and 4.0.10.18 (security fixes). We recommend all users update their phpMyAdmin installations.

Aside from the security improvements, many bugs have been fixed in version 4.6.5 including:

 - Fix for expanding in navigation pane
 - Reintroduced a simplified version of PmaAbsoluteUri directive (needed with
   reverse proxies)
 - Fix editing of ENUM/SET/DECIMAL field structures
 - Improvements to the parser

Please note that this is expected to be the final release of the 4.4 branch, which ended security support on October 1, 2016.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 16:05:04 UTC 
PMASA-2016-57 aka CVE-2016-4412

A vulnerability was discovered where a user can be tricked in to following a link leading to phpMyAdmin, which after authentication redirects to another malicious site.

The attacker must sniff the user's valid phpMyAdmin token.


PMASA-2016-58 aka ???

When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created using a weak algorithm.

This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies.


PMASA-2016-59 aka ???

phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies.


PMASA-2016-60 aka ???

It is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username.


PMASA-2016-61 aka ???

A vulnerability in username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time.


PMASA-2016-62 aka ???

With a crafted request parameter value it is possible to bypass the logout timeout.


PMASA-2016-63 aka ???

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin is written to the export file.


PMASA-2016-64 aka ???

Several XSS vulnerabilities have been reported, including an improper fix for PMASA-2016-10 and a weakness in a regular expression using in some JavaScript processing.


PMASA-2016-65 aka ???

With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature.

With a crafted request parameter value it is possible to initiate a denial of service attack in import feature.

An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true;.


PMASA-2016-66 aka ???

Due to the limitation in URL matching, it was possible to bypass the URL white-list protection.


PMASA-2016-67 aka ???

With a crafted login request it is possible to inject BBCode in the login page.


PMASA-2016-68 aka ???

With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DOS) attack.


PMASA-2016-69 aka ???

With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the mysql database.


PMASA-2016-70 aka ???

Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function.


PMASA-2016-71 aka ???

When the arg_separator is different from its default value of &, the token was not properly stripped from the return URL of the preference import action.



Highest rated vulnerability is PMASA-2016-69.
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2016-11-27 13:27:48 UTC 
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c132e5e587292316d6edc7c2546f3f7e8a74f6e3
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b7f34ba9b148731bf984215f1f22e3d1b5016b48

13:15 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) dev-db/phpmyadmin: dev-db/phpmyadmin: Security bump - bug 600814
13:15 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) dev-db/phpmyadmin: Drop vulnerable versions, but keep the last stable versions.
13:15 < willikins> gentoovcs: https://bugs.gentoo.org/600814 "dev-db/phpmyadmin: multiple vulnerabilities"; Gentoo Security, Vulnerabilities; IN_P; whissi:security

Dear @arches:

please test and mark stable =dev-db/phpmyadmin-4.6.5.1
The 4.4 branch has reached the end of its security supported life and so we should move to the 4.6 branch.

Stable targets: "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2016-11-27 16:44:19 UTC 
Stable on alpha.
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-29 10:42:24 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-11-29 10:44:46 UTC 
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-19 14:41:15 UTC 
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-20 09:50:32 UTC 
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-22 09:38:58 UTC 
ppc64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-10 07:13:02 UTC 
Stable for HPPA.
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 14:43:50 UTC 
New GLSA request filed.

@ Maintainer(s): Please cleanup and drop <dev-db/phpmyadmin-4.6.5.1!
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 13:15:42 UTC 
This issue was resolved and addressed in
 GLSA 201701-32 at https://security.gentoo.org/glsa/201701-32
by GLSA coordinator Aaron Bauman (b-man).
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-01-11 13:22:53 UTC 
reopened for cleanup.
Comment 13 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2017-01-11 15:41:09 UTC 
(In reply to Aaron Bauman from comment #12)
> reopened for cleanup.

I've removed the affected versions and the complete 4.4 series since it's no longer supported and was removed from upstream's download page[1].

 [1] - https://www.phpmyadmin.net/downloads/
Comment 14 László Szalma 2017-01-22 15:48:21 UTC 
The export functionality is commpletely broken in 4.6.5.1, it is fixed in 4.6.5.2

https://github.com/phpmyadmin/phpmyadmin/issues/12765

Because the stable is 4.6.5.1 in Gentoo, this causes headache to many users.
Comment 15 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2017-01-22 20:37:08 UTC 
(In reply to László Szalma from comment #14)
> The export functionality is commpletely broken in 4.6.5.1, it is fixed in
> 4.6.5.2
> 
> https://github.com/phpmyadmin/phpmyadmin/issues/12765
> 
> Because the stable is 4.6.5.1 in Gentoo, this causes headache to many users.

This is a regression that can be handled on its own bug.
Also, 4.6.5.2 has been in the tree since December 7th.