Bug 17633 - phpmyadmin new security issues fixed upstream in 4.4.15.3
Summary: phpmyadmin new security issues fixed upstream in 4.4.15.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/674263/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-01-28 14:35 CET by David Walser
Modified: 2016-02-05 18:27 CET

See Also:
Source RPM: phpmyadmin-4.2.13.3-1.3.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-01-28 14:35:25 CET
Upstream has released new versions today (January 28):
https://www.phpmyadmin.net/news/2016/1/28/phpmyadmin-454-44153-and-401013-are-released/

These ones affect 4.2.x:
https://www.phpmyadmin.net/security/PMASA-2016-1/
https://www.phpmyadmin.net/security/PMASA-2016-2/
https://www.phpmyadmin.net/security/PMASA-2016-3/
https://www.phpmyadmin.net/security/PMASA-2016-4/
https://www.phpmyadmin.net/security/PMASA-2016-5/

That's too much to backport to the unsupported 4.2.x, so we'll update to 4.4.x:
https://www.phpmyadmin.net/files/4.4.15.3/

It also requires updating phpseclib.

Updated packages uploaded for Cauldron.

Updated packages checked into Mageia 5 SVN. I will push them later.

Comment 1 David Walser 2016-01-28 17:04:11 CET
Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

Password suggestion functionality uses Math.random() which does not provide
cryptographically secure random numbers (CVE-2016-1927).

By calling some scripts that are part of phpMyAdmin in an unexpected way, it
is possible to trigger phpMyAdmin to display a PHP error message which
contains the full path of the directory where phpMyAdmin is installed
(CVE-2016-2038).

The XSRF/CSRF token is generated with a weak algorithm using functions that
do not return cryptographically secure values (CVE-2016-2039).

With a crafted table name it is possible to trigger an XSS attack in the
database search page. With a crafted SET value or a crafted search query, it
is possible to trigger an XSS attack in the zoom search page. With a
crafted hostname header, it is possible to trigger an XSS attack in the
home page (CVE-2016-2040).

The comparison of the XSRF/CSRF token parameter with the value saved in the
session is vulnerable to timing attacks. Moreover, the comparison could be
bypassed if the XSRF/CSRF token matches a particular pattern
(CVE-2016-2041).

The phpmyadmin package has been updated to version 4.4.15.3 in the 4.4.x
stable branch, and the phpseclib dependency has been updated to version
2.0.1.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1927
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2038
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2039
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2040
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2041
https://www.phpmyadmin.net/security/PMASA-2016-1/
https://www.phpmyadmin.net/security/PMASA-2016-2/
https://www.phpmyadmin.net/security/PMASA-2016-3/
https://www.phpmyadmin.net/security/PMASA-2016-4/
https://www.phpmyadmin.net/security/PMASA-2016-5/
https://www.phpmyadmin.net/files/4.4.15.3/
https://www.phpmyadmin.net/news/2016/1/28/phpmyadmin-454-44153-and-401013-are-released/
========================

Updated packages in core/updates_testing:
========================
phpseclib-2.0.1-1.mga5
phpmyadmin-4.4.15.3-1.mga5

from SRPMS:
phpseclib-2.0.1-1.mga5.src.rpm
phpmyadmin-4.4.15.3-1.mga5.src.rpm

Assignee: bugsquad => qa-bugs
Severity: normal => major

Comment 2 David Walser 2016-01-28 17:04:27 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

Whiteboard: (none) => has_procedure

Comment 3 William Kenney 2016-01-28 18:34:51 CET
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.3.mga5.noarch is already installed

start mysqladmin, set password, open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.22-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.3-1.mga5.noarch is already installed

open http://localhost/phpmyadmin/
Oh oh! phpmyadmin fails to open. :-(

CC: (none) => wilcal.int

Comment 4 claire robinson 2016-01-28 22:38:36 CET
Mariadb seems to have gone back a version Bill, is that correct or a typo?

From mariadb-10.0.23-1.mga5.i586 to mariadb-10.0.22-1.mga5.i586
Comment 5 David Walser 2016-01-29 00:36:26 CET
José, did I make any obvious mistakes with this update? Should I have only updated phpseclib to 1.0.0 perhaps?

CC: (none) => lists.jjorge

Comment 6 William Kenney 2016-01-29 06:47:24 CET
(In reply to claire robinson from comment #4)

> Mariadb seems to have gone back a version Bill, is that correct or a typo?
> 
> From mariadb-10.0.23-1.mga5.i586 to mariadb-10.0.22-1.mga5.i586

sorry, s/b:

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.3-1.mga5.noarch is already installed

Still fails.
Comment 7 José Jorge 2016-01-29 18:47:50 CET
(In reply to David Walser from comment #5)
> José, did I make any obvious mistakes with this update?  Should I have only
> updated phpseclib to 1.0.0 perhaps?

What fails?
Comment 8 William Kenney 2016-01-29 21:15:47 CET
(In reply to José Jorge from comment #7)

> What fails?

When I go to: http://localhost/phpmyadmin/

that page opens to all white.
Comment 9 David Walser 2016-01-29 21:19:46 CET
Sounds like an upstream issue.  They made a bugfix release today (January 29):
https://www.phpmyadmin.net/news/2016/1/29/phpmyadmin-401014-44154-and-451/

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

Password suggestion functionality uses Math.random() which does not provide
cryptographically secure random numbers (CVE-2016-1927).

By calling some scripts that are part of phpMyAdmin in an unexpected way, it
is possible to trigger phpMyAdmin to display a PHP error message which
contains the full path of the directory where phpMyAdmin is installed
(CVE-2016-2038).

The XSRF/CSRF token is generated with a weak algorithm using functions that
do not return cryptographically secure values (CVE-2016-2039).

With a crafted table name it is possible to trigger an XSS attack in the
database search page. With a crafted SET value or a crafted search query, it
is possible to trigger an XSS attack in the zoom search page. With a
crafted hostname header, it is possible to trigger an XSS attack in the
home page (CVE-2016-2040).

The comparison of the XSRF/CSRF token parameter with the value saved in the
session is vulnerable to timing attacks. Moreover, the comparison could be
bypassed if the XSRF/CSRF token matches a particular pattern
(CVE-2016-2041).

The phpmyadmin package has been updated to version 4.4.15.4 in the 4.4.x
stable branch, and the phpseclib dependency has been updated to version
2.0.1.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1927
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2038
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2039
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2040
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2041
https://www.phpmyadmin.net/security/PMASA-2016-1/
https://www.phpmyadmin.net/security/PMASA-2016-2/
https://www.phpmyadmin.net/security/PMASA-2016-3/
https://www.phpmyadmin.net/security/PMASA-2016-4/
https://www.phpmyadmin.net/security/PMASA-2016-5/
https://www.phpmyadmin.net/files/4.4.15.4/
https://www.phpmyadmin.net/news/2016/1/28/phpmyadmin-454-44153-and-401013-are-released/
https://www.phpmyadmin.net/news/2016/1/29/phpmyadmin-401014-44154-and-451/
========================

Updated packages in core/updates_testing:
========================
phpseclib-2.0.1-1.mga5
phpmyadmin-4.4.15.4-1.mga5

from SRPMS:
phpseclib-2.0.1-1.mga5.src.rpm
phpmyadmin-4.4.15.4-1.mga5.src.rpm
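As an added illustration of the two CSRF-token weaknesses described in the advisories of comment 1 and comment 9 (weak token generation, and a comparison that is neither constant-time nor type-safe), here is a weak scheme beside a hardened one in PHP; this is example code, not phpMyAdmin's or Mageia's, and the token values are constructed:

```php
<?php
// Added example, not phpMyAdmin's own code: a weak CSRF-token scheme beside a
// hardened one, for the two token weaknesses the advisory above names.

// WEAK generation: mt_rand() and uniqid() are predictable, not CSPRNG output.
function weakToken(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// WEAK check: '==' on two numeric-looking strings (e.g. "0e12" and "0e34")
// compares them as numbers, so distinct tokens can test equal; it also stops
// at the first differing byte, which leaks timing information.
function weakCheck(string $sent, string $stored): bool
{
    return $sent == $stored;
}

// HARDENED generation: random_bytes() (PHP >= 7.0) reads the OS CSPRNG.
function secureToken(): string
{
    return bin2hex(random_bytes(16));
}

// HARDENED check: hash_equals() (PHP >= 5.6) is a constant-time, byte-wise
// comparison; the known value goes first, the user-supplied value second.
function secureCheck(string $sent, string $stored): bool
{
    return hash_equals($stored, $sent);
}

// Constructed token pair: both are 32 hex characters, both happen to be
// numeric strings in scientific notation, and they are not the same value.
$stored = '0e462097431906509019562988736854';
$sent   = '0e830400451993494058024219903391';

printf("weak   check: %s\n", weakCheck($sent, $stored) ? 'accepted' : 'rejected');
printf("secure check: %s\n", secureCheck($sent, $stored) ? 'accepted' : 'rejected');
printf("secure token: %s\n", secureToken());
```

The weak check accepts the mismatched pair because PHP compares two numeric strings numerically, while hash_equals() rejects it and takes the same time regardless of where the strings differ.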
Comment 10 William Kenney 2016-01-30 19:02:10 CET
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.3.mga5.noarch is already installed

start mysqladmin, set password, open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.4-1.mga5.noarch is already installed

open http://localhost/phpmyadmin/
phpmyadmin successfully opens. Previously created db test01 is still there.
create new database called test02. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
db's test01 & test02 are still there and accessible.
Comment 11 William Kenney 2016-01-30 19:18:59 CET
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.3.mga5.noarch is already installed

start mysqladmin, set password, open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.4-1.mga5.noarch is already installed

open http://localhost/phpmyadmin/
phpmyadmin successfully opens. Previously created db test01 is still there.
create new database called test02. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
db's test01 & test02 are still there and accessible.
Comment 12 William Kenney 2016-01-30 19:19:58 CET
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 13 David Walser 2016-02-02 13:54:23 CET
LWN reference for two of the CVEs:
http://lwn.net/Vulnerabilities/674259/

URL: (none) => http://lwn.net/Vulnerabilities/674263/

Dave Hodgins 2016-02-03 02:48:31 CET

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 14 Mageia Robot 2016-02-05 18:27:58 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0051.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
