Bug 13766

Summary: phpmyadmin new security issues CVE-2014-4955 and CVE-2014-498[67]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: dpremy, mageia, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: MGA3TOO mga3-32-ok mga4-64-ok mga4-32-ok advisory
Source RPM: phpmyadmin-4.1.14.1-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-07-18 20:28:29 CEST 
Upstream has issued advisories on July 17:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php

There is also CVE-2014-4954, which only affected the version in Cauldron:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

In phpMyAdmin before 4.1.14.2, when navigating into the database triggers
page, it is possible to trigger an XSS with a crafted trigger name
(CVE-2014-4955).

In phpMyAdmin before 4.1.14.2, with a crafted column name it is possible to
trigger an XSS when dropping the column in table structure page. With a
crafted table name it is possible to trigger an XSS when dropping or
truncating the table in table operations page (CVE-2014-4986).

In phpMyAdmin before 4.1.14.2, An unpriviledged user could view the MySQL
user list and manipulate the tabs displayed in phpMyAdmin for them
(CVE-2014-4987).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4955
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4986
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4987
http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.1.14.2-1.mga3
phpmyadmin-4.1.14.2-1.mga4

from SRPMS:
phpmyadmin-4.1.14.2-1.mga3.src.rpm
phpmyadmin-4.1.14.2-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-07-18 20:28:35 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 David Remy 2014-07-19 00:31:32 CEST 
Testing MGA4-64

I could not produce the security bugs to confirm they were or were not patched however phpMyAdmin is running and is working ok after upgrading to phpmyadmin-4.1.14.2-1.mga4

Adding ok.

CC: (none) => dpremy
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok

Comment 2 David Remy 2014-07-19 03:55:25 CEST 
Again on mga4-32, can't reproduce security issues but after upgrade pma works as I would expect it to. adding ok

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga4-32-ok

Comment 3 Rémi Verschelde 2014-07-26 11:50:01 CEST 
Advisory uploaded. This still needs tested on mga3 before it can be validated.

CC: (none) => remi
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok => MGA3TOO mga4-64-ok mga4-32-ok advisory

Comment 4 David Walser 2014-08-01 15:49:50 CEST 
Validating this.  See the discussion in the QA meeting:
http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30

Please push this to core/updates for Mageia 3 and Mageia 4.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Rémi Verschelde 2014-08-05 19:57:34 CEST 
Made sure it installs in Mageia 3 32bit.

Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok advisory => MGA3TOO mga3-32-ok mga4-64-ok mga4-32-ok advisory

Comment 6 Colin Guthrie 2014-08-05 22:22:36 CEST 
Update pushed.

http://advisories.mageia.org/MGASA-2014-0310.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED