Bug 30385 - pgadmin4 new security issue CVE-2022-0959
Summary: pgadmin4 new security issue CVE-2022-0959
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
: 29066 (view as bug list)
Depends on:
Blocks:
 
Reported: 2022-05-05 17:45 CEST by David Walser
Modified: 2022-07-13 22:44 CEST (History)
5 users

See Also:
Source RPM: pgadmin4-4.22-6.mga9.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-05-05 17:45:29 CEST
openSUSE has issued an advisory on May 4:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JSL3A3EFXELNQREOPMKA3CGCYH5WGQXK/

The issue is fixed upstream in 6.7.

Mageia 8 is also affected.
David Walser 2022-05-05 17:47:06 CEST

Status comment: (none) => Fixed upstream in 6.7
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29066, https://bugs.mageia.org/show_bug.cgi?id=30373
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-05-07 20:40:37 CEST
In the wake of the recent bug 30373 for the same package, assigning this one also to DavidG; and CC'ing joequant who is the registered maintainer for it.

Thanks DavidW for linking the two bugs.

Assignee: bugsquad => geiger.david68210
CC: (none) => joequant

Comment 2 papoteur 2022-07-04 22:51:53 CEST
Cauldron updated with fixes for 4.30 from Suse.

For Mageia 8:
pgadmin4-4.30-1.mga8
pgadmin4-doc-4.30-1.mga8
pgadmin4-web-4.30-1.mga8

Version: Cauldron => 8
CC: (none) => yves.brungard_mageia
Status comment: Fixed upstream in 6.7 => (none)
Whiteboard: MGA8TOO => (none)
Assignee: geiger.david68210 => qa-bugs

Comment 3 Dave Hodgins 2022-07-05 00:39:42 CEST
Testing in a vb snapshot where it previously was not installed. Installed
using qarepo.

Found another missing requires for python3-flask-security.

After that's installed pgadmin4 fails on permissions ...
Jul 04 18:26:52 python3[12322]: ERROR  : Failed to create the directory /var/lib/pgadmin:
Jul 04 18:26:52 python3[12322]:            [Errno 13] Permission denied: '/var/lib/pgadmin'
Jul 04 18:26:52 python3[12322]: HINT :   Create the directory /var/lib/pgadmin, ensure it is writeable by
Jul 04 18:26:52 python3[12322]:          'apache', and try again, or, create a config_local.py file
Jul 04 18:26:52 python3[12322]:          and override the SQLITE_PATH setting per
Jul 04 18:26:52 python3[12322]:          https://www.pgadmin.org/docs/pgadmin4/4.30/config_py.html

# ll -d /var/l*/pg*
drwxr-xr-x 2 root root 4096 Jul  4 18:34 /var/lib/pgadmin/
drwxr-xr-x 2 root root 4096 Jul  4 16:27 /var/log/pgadmin/

They need to be owned by apache. Fixing the ownership, it starts ok.

CC: (none) => davidwhodgins
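The "Errno 13" above is the service user (apache) failing the owner/group/other check on a root-owned 0755 directory. As an added example that is not part of this bug report or the Mageia package, here is a small Python audit that reproduces that check from the directory's mode bits and prints the ownership change an admin would need; the directory names are taken from the log above, and the demo scenario is constructed on a temporary directory so it runs unprivileged.

```python
import os
import stat
import pwd
import grp
import tempfile


def can_write(path, uid, gid, supplementary_gids=()):
    """Return True if a process running as uid/gid could create entries in `path`.

    Mirrors the basic owner/group/other test on the directory's mode bits
    (root always passes). POSIX ACLs and SELinux labels are not consulted,
    so a True here is necessary but not sufficient on hardened systems.
    """
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in set(supplementary_gids) | {gid}:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_service_dirs(dirs, user):
    """Report, per directory, whether `user` can write there and, if not, the
    fix an admin would apply. Returns {path: (ok, fix_command_or_None)}."""
    pw = pwd.getpwnam(user)
    extra = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            report[d] = (False, f"mkdir -p {d} && chown {user}: {d}")
            continue
        ok = can_write(d, pw.pw_uid, pw.pw_gid, extra)
        report[d] = (ok, None if ok else f"chown {user}: {d}")
    return report


def demo_permission_check():
    """Constructed scenario: a fresh 0755 directory owned by the current user,
    probed as (a) its owner, (b) an unrelated uid/gid, as apache was in the
    log above, and (c) that same stranger once the mode is 0775 and it is
    given the directory's group. Expected: (True, False, True)."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    st = os.stat(d)
    owner_ok = can_write(d, st.st_uid, st.st_gid)
    stranger_ok = can_write(d, st.st_uid + 1, st.st_gid + 1)
    os.chmod(d, 0o775)
    group_ok = can_write(d, st.st_uid + 1, st.st_gid + 1,
                         supplementary_gids=[st.st_gid])
    os.rmdir(d)
    return owner_ok, stranger_ok, group_ok


if __name__ == "__main__":
    # The real check from the bug: run as root on a box with the package installed.
    print(demo_permission_check())
    for path, (ok, fix) in audit_service_dirs(
            ["/var/lib/pgadmin", "/var/log/pgadmin"], "apache").items():
        print(f"{path}: {'ok' if ok else 'NOT writable -> ' + fix}")
```

The audit only reports and never changes ownership itself; whether to chown to apache or to open the group bit is a packaging decision, and a package that creates these directories in %post with the right owner avoids the problem entirely.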

Comment 4 papoteur 2022-07-05 14:13:36 CEST
Rebuild:
pgadmin4-4.30-2.mga8
pgadmin4-doc-4.30-2.mga8
pgadmin4-web-4.30-2.mga8
Comment 5 Dave Hodgins 2022-07-05 19:59:01 CEST
Another missing requires. python3-psutil
Not sure why I missed it earlier.
Comment 6 Dave Hodgins 2022-07-05 20:05:59 CEST
After installing python3-psutil and starting pgadmin4.service,
http://127.0.0.1:5050 works (redirecting to http://127.0.0.1:5050/browser/
automatically).
Trying http://127.0.0.1/pgadmin4, it does not work.
Comment 7 papoteur 2022-07-05 21:20:20 CEST
OK, I will build a new release with this added requires.
Comment 8 papoteur 2022-07-06 10:06:02 CEST
Rebuild:
pgadmin4-4.30-3.mga8
pgadmin4-doc-4.30-3.mga8
pgadmin4-web-4.30-3.mga8
Comment 9 Herman Viaene 2022-07-11 16:23:19 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues.
Starting pgAdmin4 as a normal user just after installation results in "Could not connect to pgAdmin4-server"
Started with
# systemctl  start pgadmin4
[root@mach7 ~]# systemctl -l status pgadmin4
● pgadmin4.service - pgAdmin4
     Loaded: loaded (/usr/lib/systemd/system/pgadmin4.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-07-11 16:08:50 CEST; 4s ago
   Main PID: 18684 (python3)
      Tasks: 1 (limit: 4364)
     Memory: 36.3M
        CPU: 3.900s
     CGroup: /system.slice/pgadmin4.service
             └─18684 /usr/bin/python3 /usr/lib/python3.8/site-packages/pgadmin4-web/pgAdmin4.py

Jul 11 16:08:50 mach7.hviaene.thuis systemd[1]: Started pgAdmin4.
Then
$ pgAdmin4 
QCoreApplication::applicationFilePath: Please instantiate the QApplication object first
QCoreApplication::applicationFilePath: Please instantiate the QApplication object first
 * Serving Flask app "pgadmin" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off

(firefox:19175): Gtk-WARNING **: 16:11:38.303: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: No such file or directory
That opened the web application in Firefox, there I could define my desktop postgres installation as a new server and connect to it and see the databases, schemas etc.
BTW, the web application says "You are using 4.30, the current version is 6.11" so I wonder whether all features of the latest postgres versions are supported. But for the moment I'm quite relieved that this version works OK for now.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 10 papoteur 2022-07-11 18:33:16 CEST
Release 6.11 is a major change at least on how to package this application. This won't occur in Mageia 8.
Comment 11 Dave Hodgins 2022-07-11 19:19:31 CEST
Would be nice if the update check/notification can be disabled.
Installed the packages and started the server.
http://127.0.0.1:5050 works.

Installed postgresql13 and started postgresql.service
In pgAdmin4 (via firefox), connected to the postgresql service on localhost.
Used it to create a database.

papoteur, can you disable the update check?
If not, I'll validate this update.
Comment 12 papoteur 2022-07-12 16:22:47 CEST
Yes, I can disable the update check.
New release is coming.
pgadmin4-4.30-4.mga8
pgadmin4-doc-4.30-4.mga8
pgadmin4-web-4.30-4.mga8

Source: pgadmin4-4.30-4.mga8.src.rpm
Comment 13 Dave Hodgins 2022-07-12 17:39:30 CEST
With 4.30-4.mga8 it's still showing the update being available.

Also I noticed the journal and status show ...
Jul 12 11:34:50 python3[8681]: Starting pgAdmin 4. Please navigate to http://127.0.0.1:5050 in your browser.
Jul 12 11:34:50 python3[8681]:  * Serving Flask app "pgadmin" (lazy loading)
Jul 12 11:34:50 python3[8681]:  * Environment: production
Jul 12 11:34:50 python3[8681]:    WARNING: This is a development server. Do not use it in a production deployment.
Jul 12 11:34:50 python3[8681]:    Use a production WSGI server instead.
Jul 12 11:34:50 python3[8681]:  * Debug mode: off

What's with the warning of it being a development server?
Comment 14 papoteur 2022-07-12 18:38:16 CEST
Hi Dave,
As you can see, this warning is also reported in the documentation page of pgadmin: https://www.pgadmin.org/download/pgadmin-4-python/
In my opinion, the application is served for a standalone usage, thus this can be considered as a development environment, even if the intention is not to change the code.
Comment 15 Dave Hodgins 2022-07-12 19:05:36 CEST
OK, that can be ignored. However, the GUI is still showing the popup stating
the current version is 6.11
Comment 16 papoteur 2022-07-12 20:07:18 CEST
I had to restart the virtual machine to get rid of it.
Comment 17 Dave Hodgins 2022-07-12 20:51:29 CEST
I'm still seeing it even after closing the popup, restarting the vb guest and
then opening http://127.0.0.1:5050/browser/ again.
Comment 18 Dave Hodgins 2022-07-12 22:44:13 CEST
*** Bug 29066 has been marked as a duplicate of this bug. ***
Comment 19 David Walser 2022-07-12 22:50:37 CEST
Does it save the upstream version into a local configuration file, from which it will continue to report that, but that it otherwise wouldn't have saved in the first place had the latest change to the package already been in place?  I'm just guessing, I haven't looked at the change.
Comment 20 Dave Hodgins 2022-07-12 23:56:14 CEST
I considered that. I reverted the snapshot of the vb guest to before I installed
pgadmin or postgresql. Installed postgresql13-server and pgadmin, then installed
the update using qarepo. Started the services and opened pgadmin in the browser.
It still showed the popup for the upstream update.
Comment 21 Dave Hodgins 2022-07-12 23:57:30 CEST
After seeing the popup, closed it, rebooted the vb guest, started the services
and opened pgadmin in the browser again. It still showed the upstream update
popup.
Comment 22 David Walser 2022-07-12 23:57:47 CEST
Roger that.  Something else still probably needs to be patched out.
Comment 23 papoteur 2022-07-13 09:40:22 CEST
New release pgadmin4-web-4.30-5.mga8 is coming.
The patch I applied to config.py was reverted in an unknown way during the packaging process.
Thus I propose an alteration of config_local.py with the directive:
UPGRADE_CHECK_ENABLED = False
I have checked that adding this directive disables the check, and that the directive exists in the package. I just hope that nothing overloads it.
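pgAdmin's config.py ends by pulling in override layers with `from config_local import *` (and, depending on packaging, similar files such as a system-wide one); whichever file is imported last silently wins, which is why a directive can be present yet still "overloaded". The following added example (mine, not code from the Mageia package or from pgAdmin) replays that import chain on constructed files and records which file last set each directive, so a packager can confirm that UPGRADE_CHECK_ENABLED ends up False and see which layer would flip it back. The config_system.py layer name is an assumption used only to illustrate a later override.

```python
import runpy
import tempfile
import types
from pathlib import Path


def effective_config(layer_paths):
    """Emulate a chain of `from <layer> import *` statements.

    Each existing file is executed in its own namespace and its public names
    (no leading underscore, not modules) are merged in order, so a later
    layer replaces an earlier one. Returns (values, provenance), where
    provenance maps each directive to the file that last set it.
    """
    values, provenance = {}, {}
    for layer in layer_paths:
        layer = Path(layer)
        if not layer.is_file():
            continue  # pgAdmin swallows the ImportError for an absent layer
        ns = runpy.run_path(str(layer))
        for name, val in ns.items():
            if name.startswith("_") or isinstance(val, types.ModuleType):
                continue
            values[name] = val
            provenance[name] = layer.name
    return values, provenance


def demo_layers(system_reenables=False):
    """Constructed layers mirroring the bug: the shipped config.py leaves the
    check on, config_local.py turns it off. With system_reenables=True a
    hypothetical config_system.py is written last and turns it back on, which
    is the "something overloads it" case to look for."""
    root = Path(tempfile.mkdtemp())
    (root / "config.py").write_text(
        "UPGRADE_CHECK_ENABLED = True\n"
        "SQLITE_PATH = '/var/lib/pgadmin/pgadmin4.db'\n"
    )
    (root / "config_local.py").write_text("UPGRADE_CHECK_ENABLED = False\n")
    if system_reenables:
        (root / "config_system.py").write_text("UPGRADE_CHECK_ENABLED = True\n")
    layers = [root / "config.py", root / "config_local.py", root / "config_system.py"]
    return effective_config(layers)


if __name__ == "__main__":
    for flag in (False, True):
        values, origin = demo_layers(system_reenables=flag)
        print(f"UPGRADE_CHECK_ENABLED = {values['UPGRADE_CHECK_ENABLED']}"
              f"  (set by {origin['UPGRADE_CHECK_ENABLED']})")
```

Pointing the layer list at the installed pgAdmin directory (the config.py beside pgAdmin4.py, its config_local.py, and any system-level override the package provides) gives the same provenance table for the real installation, which is a quicker way to settle "nothing overloads it" than rebooting the guest.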
Comment 24 Dave Hodgins 2022-07-13 18:45:41 CEST
It's finally working. :-)

Update validated, advisory committed to svn.

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 25 Mageia Robot 2022-07-13 22:44:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0257.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

