Bug 701830 (CVE-2019-18622) - <dev-db/phpmyadmin-4.9.2: a crafted database/table name can be used to trigger an SQL injection attack through the designer feature (CVE-2019-18622)
Status: RESOLVED FIXED
Alias: CVE-2019-18622
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.phpmyadmin.net/security/P...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-02 22:52 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-19 16:21 UTC
CC List: 2 users

See Also:
Package list:
=dev-db/phpmyadmin-4.9.2 amd64 ppc ppc64 sparc x86
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-02 22:52:06 UTC
CVE-2019-18622 (https://nvd.nist.gov/vuln/detail/CVE-2019-18622):
  An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table
  name can be used to trigger an SQL injection attack through the designer
  feature.
Comment 1 Miroslav Šulc gentoo-dev 2019-12-03 10:37:23 UTC
We have had 4.9.2 (unaffected) in the tree for ~2 days.

commit b393a9bdd8e49c2a75c1760190fd864362b8532f
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Sun Dec 1 19:37:04 2019 +0100

    dev-db/phpmyadmin-4.9.2: bump
    
    Closes: https://bugs.gentoo.org/701672
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

It's a security and bugfix release: https://www.phpmyadmin.net/news/2019/11/22/phpmyadmin-492-released/

I suppose it can go stable, so archs please stabilize.
Comment 2 Agostino Sarubbo gentoo-dev 2019-12-09 13:10:52 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-10 08:54:21 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-12-10 08:56:39 UTC
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-12-10 08:57:18 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-10 10:56:01 UTC
ppc stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 7 Larry the Git Cow gentoo-dev 2019-12-10 11:03:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6b3b97b42cb8014c6beb424a3d7e604e3e1f052

commit d6b3b97b42cb8014c6beb424a3d7e604e3e1f052
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2019-12-10 11:02:51 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2019-12-10 11:02:51 +0000

    dev-db/phpmyadmin-4.9.1: removed old and vulnerable
    
    Bug: https://bugs.gentoo.org/701830
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  1 -
 dev-db/phpmyadmin/phpmyadmin-4.9.1.ebuild | 61 -------------------------------
 2 files changed, 62 deletions(-)
Comment 8 Thomas Deutschmann gentoo-dev Security 2020-03-19 16:05:37 UTC
New GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2020-03-19 16:21:05 UTC
This issue was resolved and addressed in
 GLSA 202003-39 at https://security.gentoo.org/glsa/202003-39
by GLSA coordinator Thomas Deutschmann (whissi).