Bug 30008 - php-adodb new security issue CVE-2021-3850
Summary: php-adodb new security issue CVE-2021-3850
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-02-06 17:32 CET by David Walser
Modified: 2022-02-12 18:32 CET

See Also:
Source RPM: php-adodb-5.20.18-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-02-06 17:32:41 CET
Debian-LTS has issued an advisory today (February 6):
https://www.debian.org/lts/security/2022/dla-2912

The issue is fixed upstream in 5.20.21.

Mageia 8 is also affected.
David Walser 2022-02-06 17:32:54 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 5.20.21

Comment 1 Lewis Smith 2022-02-06 21:29:08 CET
Looks good for assigning to MarcK, maintainer of this package.

Assignee: bugsquad => mageia

Nicolas Lécureuil 2022-02-07 14:53:11 CET

CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 2 Nicolas Lécureuil 2022-02-07 14:55:02 CET
patch added in mga8/9


src:
    - php-adodb-5.20.18-1.1.mga8

Status comment: Fixed upstream in 5.20.21 => (none)
Assignee: mageia => qa-bugs
CC: (none) => mageia

Comment 3 Marc Krämer 2022-02-07 15:39:42 CET
@Nico: why not update? Is it worth patching?! Pecl libs do not change that much. In most cases the new release has just the patch in it.
Marc Krämer 2022-02-07 18:56:44 CET

Assignee: qa-bugs => mageia

Comment 4 Marc Krämer 2022-02-07 19:20:29 CET
Updated php-adodb to fix a critical vulnerability:
Security hotfix release addressing a critical vulnerability in PostgreSQL connections 

Additional fixes:
- Fix usage of get_magic_* functions #619 #657
- Fix PHP warning in _rs2rs() function #679
- pdo: Fix Fatal error in _query() #666
- pdo: Fix undefined variable #678
- pgsql: Fix Fatal error in _close() method (PHP8) #666
- pgsql: fix deprecated function aliases (PHP8) #667
- text: fix Cannot pass parameter by reference #668
- Add support for persistent connections in PDO driver #650
- Connect to SQL Server database on a specified port. #624
- DSN database connection with password containing # fails #651
- Metacolumns returns wrong type for integer fields in Mysql 8 #642
- Uninitialized Variable access in mssqlnative ErrorNo() method #637


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3850
https://github.com/ADOdb/ADOdb/releases/tag/v5.20.21

Updated packages in core/updates_testing:
========================
php-adodb-5.20.21-1.mga8.noarch

SRPM:
php-adodb-5.20.21-1.mga8.src.rpm

Assignee: mageia => qa-bugs

Comment 5 Herman Viaene 2022-02-09 16:38:15 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Ref bug 19307: I do not see any proof (strace or something) that this library is actually used in the example.
And
# urpmq --whatrequires php-adodb
php-adodb
# urpmq --whatrequires-recursive php-adodb
php-adodb
I don't like spending time on a developer's library, and will OK it on clean install as we usually do with such libraries.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2022-02-11 15:42:14 CET
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-02-12 17:23:51 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-02-12 18:32:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0056.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

