Bug 14637

Summary: phpmyadmin new security issues CVE-2014-895[89] and CVE-2014-896[01]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/623206/
Whiteboard: MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OK
Source RPM: phpmyadmin-4.1.14.6-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-11-21 19:27:42 CET 
Upstream has issued advisories on November 20:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-13.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-15.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-16.php

The issues are fixed in 4.1.14.7 and 4.2.12.

Freeze push requested for Cauldron.

Updated packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

In phpMyAdmin before 4.1.14.7, with a crafted database, table or column name
it is possible to trigger an XSS attack in the table browse page, with a
crafted ENUM value it is possible to trigger XSS attacks in the table print
view and zoom search pages, and with a crafted value for font size it is
possible to trigger an XSS attack in the home page (CVE-2014-8958).

In phpMyAdmin before 4.1.14.7, in the GIS editor feature, a parameter
specifying the geometry type was not correcly validated, opening the door to
a local file inclusion attack (CVE-2014-8959).

In phpMyAdmin before 4.1.14.7, with a crafted file name it is possible to
trigger an XSS in the error reporting page (CVE-2014-8960).

In phpMyAdmin before 4.1.14.7, in the error reporting feature, a parameter
specifying the file was not correctly validated, allowing the attacker to
derive the line count of an arbitrary file (CVE-2014-8961).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8958
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8959
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8960
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8961
http://www.phpmyadmin.net/home_page/security/PMASA-2014-13.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-15.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-16.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.1.14.7-1.mga3
phpmyadmin-4.1.14.7-1.mga4

from SRPMS:
phpmyadmin-4.1.14.7-1.mga3.src.rpm
phpmyadmin-4.1.14.7-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-11-21 19:27:56 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

Whiteboard: (none) => MGA3TOO has_procedure

Comment 2 olivier charles 2014-11-22 00:00:55 CET 
Testing on Mageia3-64 real HW

Current package :
---------------

# rpm -q phpmyadmin
phpmyadmin-4.1.14.6-1.mga3


Followed procedure mentionned in comment 1

All ok

Updated to testing package
--------------------------
# rpm -q phpmyadmin
phpmyadmin-4.1.14.7-1.mga3

phpmyadmin first page states :
Version : 4.1.14.7, dernière version stable : 4.2.12

Followed same procedure.

All OK.

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-64-OK

Comment 3 olivier charles 2014-11-23 20:18:48 CET 
Testing on Mageia4-64 real HW,

following procedures mentionned in comment 1

First with current package :

# rpm -q phpmyadmin
phpmyadmin-4.1.14.6-1.mga4

Then with updated testing package :

- phpmyadmin-4.1.14.7-1.mga4.noarch

On first page of http://localhost/phpmyadmin 
Version information: 4.1.14.7, 
latest stable version: 4.2.12.

All OK

Whiteboard: MGA3TOO has_procedure MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK

Comment 4 claire robinson 2014-11-26 11:24:07 CET 
Validating for inclusion in mga3. Advisory uploaded.

Please push to updates

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

David Walser 2014-11-26 18:23:53 CET

URL: (none) => http://lwn.net/Vulnerabilities/623206/

Comment 5 Mageia Robot 2014-11-26 18:30:26 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0495.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED