Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 714014 (CVE-2020-10802, CVE-2020-10803, CVE-2020-10804, PMASA-2020-2, PMASA-2020-3, PMASA-2020-4) - <dev-db/phpmyadmin-{4.9.5,5.0.2}: Multiple vulnerabilities (CVE-2020-{10802,10803,10804} / PMASA-2020-{3,4,2})
Summary: <dev-db/phpmyadmin-{4.9.5,5.0.2}: Multiple vulnerabilities (CVE-2020-{10802,1...
Status: RESOLVED FIXED
Alias: CVE-2020-10802, CVE-2020-10803, CVE-2020-10804, PMASA-2020-2, PMASA-2020-3, PMASA-2020-4
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-22 17:09 UTC by Sam James
Modified: 2020-05-04 01:27 UTC (History)
2 users (show)

See Also:
Package list:
=dev-db/phpmyadmin-4.9.5 amd64 ppc64 ppc sparc x86
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-03-22 17:09:30 UTC
1) CVE-2020-10802
Description:
"In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table."

Advisory: https://www.phpmyadmin.net/security/PMASA-2020-3/
Patch: https://github.com/phpmyadmin/phpmyadmin/commit/a8acd7a42cf743186528b0453f90aaa32bfefabe

2) CVE-2020-10803
Description:
"In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack."

Advisory: https://www.phpmyadmin.net/security/PMASA-2020-4/
Patches:
* https://github.com/phpmyadmin/phpmyadmin/commit/46a7aa7cd4ff2be0eeb23721fbf71567bebe69a5
* https://github.com/phpmyadmin/phpmyadmin/commit/6b9b2601d8af916659cde8aefd3a6eaadd10284a

3) CVE-2020-10804
Description:
"In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges)."

Advisory: https://www.phpmyadmin.net/security/PMASA-2020-2/
Patch: same as 10803
Comment 1 Larry the Git Cow gentoo-dev 2020-03-24 15:15:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=2f792e1787303bdb871267f8e9fbf75d7085d893

commit 2f792e1787303bdb871267f8e9fbf75d7085d893
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-03-24 15:05:09 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-03-24 15:05:09 +0000

    dev-db/phpmyadmin: Security bump - CVE-2020-{10802,10803,10804} PMASA-2020-{3,4,2}
    
    Add 4.9.5 and 5.0.2 releases to address the following security advisories.
    PMASA-2020-2: SQL injection vulnerability in the user accounts page, particularly when changing a password
    PMASA-2020-3: SQL injection vulnerability relating to the search feature
    PMASA-2020-4: SQL injection and XSS having to do with displaying results
    Bug: https://bugs.gentoo.org/714014
    
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  2 +
 dev-db/phpmyadmin/phpmyadmin-4.9.5.ebuild | 61 +++++++++++++++++++++++++++++++
 dev-db/phpmyadmin/phpmyadmin-5.0.2.ebuild | 61 +++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2020-03-24 15:23:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a81c2975bff0bf2f8f4dce7c9a98628dd3b9c10d

commit a81c2975bff0bf2f8f4dce7c9a98628dd3b9c10d
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-03-24 15:22:32 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-03-24 15:22:58 +0000

    dev-db/phpmyadmin: Security bump - CVE-2020-{10802,10803,10804}.
    
    Add 4.9.5 and 5.0.2 releases to address the following security advisories.
    CVE-2020-{10802,10803,10804} - PMASA-2020-{3,4,2}
    PMASA-2020-2: SQL injection vulnerability in the user accounts page,
    particularly when changing a password
    PMASA-2020-3: SQL injection vulnerability relating to the search feature
    PMASA-2020-4: SQL injection and XSS having to do with displaying results
    Bug: https://bugs.gentoo.org/714014
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  2 +
 dev-db/phpmyadmin/phpmyadmin-4.9.5.ebuild | 61 +++++++++++++++++++++++++++++++
 dev-db/phpmyadmin/phpmyadmin-5.0.2.ebuild | 61 +++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+)
Comment 3 Sam James archtester gentoo-dev Security 2020-03-24 15:24:53 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself.
Comment 6 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2020-03-24 18:42:00 UTC
Arch teams, please add stable keywords.

Desired keywords:
KEYWORDS="~alpha amd64 ~arm ~hppa ~ia64 ppc ppc64 sparc x86 ~ppc-macos ~x64-macos ~x86-macos"
Comment 7 Agostino Sarubbo gentoo-dev 2020-04-03 12:05:33 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-04-03 12:12:43 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-04-03 12:16:59 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-04-03 13:12:50 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-04-03 15:23:32 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 NATTkA bot gentoo-dev 2020-04-12 19:21:33 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 13 Larry the Git Cow gentoo-dev 2020-04-15 23:56:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d702e013bdd2e04a3f78e09c7b198d24b7e8e4ad

commit d702e013bdd2e04a3f78e09c7b198d24b7e8e4ad
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-04-15 23:55:49 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-04-15 23:56:15 +0000

    dev-db/phpmyadmin: Drop vulnerable release.
    
    Bug: https://bugs.gentoo.org/714014
    Bug: https://bugs.gentoo.org/715660
    Bug: https://bugs.gentoo.org/717630
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  1 -
 dev-db/phpmyadmin/phpmyadmin-4.9.2.ebuild | 61 -------------------------------
 2 files changed, 62 deletions(-)