Upstream has released 3.5.8.1 to fix several security issues:
http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_3.5.8.1_and_4.0.0-rc3_are_released

Details are available on the upstream security advisories:
http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-4.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-5.php
Whiteboard: (none) => MGA2TOO
Pushed to cauldron
Status: NEW => ASSIGNED
Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

phpMyAdmin 3.5.8.1 has been released to fix a number of security problems. Also, the third release candidate for phpMyAdmin 4.0.0 has been released, containing normal bug fixes for 4.0, along with security fixes.

For more details, see the upcoming PMASA-2013-2, PMASA-2013-3, PMASA-2013-4 and PMASA-2013-5.
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.8.1-1.mga2

from phpmyadmin-3.5.8.1-1.mga2.src.rpm
Assignee: lists.jjorge => qa-bugs
Version: Cauldron => 2
Source RPM: phpmyadmin-3.5.8-1.mga3.src.rpm => phpmyadmin-3.5.8.1-1.mga2.src.rpm
Whiteboard: MGA2TOO => (none)
Any CVEs you want to attach to this, David?
Yes, they're listed in the upstream advisories. Actually, they say only the first two affect 3.5.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

In some PHP versions, the preg_replace() function can be tricked into executing arbitrary PHP code on the server. This is done by passing a crafted argument as the regular expression, containing a null byte. phpMyAdmin does not correctly sanitize an argument passed to preg_replace() when using the "Replace table prefix" feature, opening the way to this vulnerability (CVE-2013-3238).

phpMyAdmin can be configured to save an export file on the web server, via its SaveDir directive. With this in place, it's possible, either via a crafted filename template or a crafted table name, to save a double extension file like foobar.php.sql. In turn, an Apache webserver on which there is no definition for the MIME type "sql" (the default) will treat this saved file as a ".php" script, leading to remote code execution (CVE-2013-3239).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3238
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3239
http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.8.1-1.mga2

from phpmyadmin-3.5.8.1-1.mga2.src.rpm
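The double-extension behaviour described in the advisory above, as an added audit sketch that is not part of the original bug report and is not phpMyAdmin or Apache code. It models mod_mime's per-extension lookup (unknown extensions skipped, rightmost known type wins); it assumes PHP is mapped by media type for ".php", and the directory listing and both type maps are constructed for illustration.

```python
# Added example: simplified model of Apache mod_mime media-type lookup,
# used to audit a SaveDir listing for files the server would run as PHP.
# Assumption: PHP is wired up through a type mapping for ".php". A handler
# mapping is a separate kind of metadata and is not modelled here.
PHP_TYPE = "application/x-httpd-php"


def effective_type(filename, type_map):
    """Return the media type the model settles on, or None if none applies.

    Every dot-separated extension after the base name is looked up
    case-insensitively; unknown ones are skipped, the rightmost known wins.
    """
    chosen = None
    for ext in filename.split(".")[1:]:
        mapped = type_map.get(ext.lower())
        if mapped is not None:
            chosen = mapped  # a match further to the right overrides
    return chosen


def risky_exports(filenames, type_map):
    """List export files that would be interpreted as PHP scripts."""
    return [n for n in filenames if effective_type(n, type_map) == PHP_TYPE]


# Constructed SaveDir listing; foobar.php.sql is the name from the advisory.
SAMPLE_SAVEDIR = ["backup.sql", "foobar.php.sql", "shop.sql.gz", "notes.PHP.sql"]

# Constructed type maps: the first has no entry for "sql" (the default the
# advisory describes), the second defines one.
DEFAULT_MAP = {"php": PHP_TYPE, "gz": "application/gzip"}
SQL_DEFINED_MAP = dict(DEFAULT_MAP, sql="text/plain")

if __name__ == "__main__":
    print("no sql type :", risky_exports(SAMPLE_SAVEDIR, DEFAULT_MAP))
    print("sql defined :", risky_exports(SAMPLE_SAVEDIR, SQL_DEFINED_MAP))
```
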
Fixed now for Cauldron in phpmyadmin-3.5.8.1-1.mga3.
PoC: http://www.waraxe.us/advisory-103.html

Testing mga2 64

This is an upstream release rather than a patched package, but confirmed vulnerable with the PoC anyway and confirmed closed after updating.

Everything seems fine. Created/dropped databases/users etc.
Whiteboard: (none) => has_procedure mga2-64-ok
Testing complete mga2 32

Validating

SRPM & advisory in comment 4

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs
======================================================
Name: CVE-2013-3238
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3238
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130422
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/dedd542cdaf1606ca9aa3f6f8f8adb078d8ad549
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/ffa720d90a79c1f33cf4c5a33403d09a67b42a66

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature.

======================================================
Name: CVE-2013-3239
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3239
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130422
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/1f6bc0b707002e26cab216b9e57b4d5de764de48
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/d3fafdfba0807068196655e9b6d16c5d1d3ccf8a

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename.

======================================================
Name: CVE-2013-3240
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3240
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130422
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-4.php

Directory traversal vulnerability in the Export feature in phpMyAdmin 4.x before 4.0.0-rc3 allows remote authenticated users to read arbitrary files or possibly have unspecified other impact via a parameter that specifies a crafted export type.

======================================================
Name: CVE-2013-3241
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3241
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130422
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-5.php

export.php (aka the export script) in phpMyAdmin 4.x before 4.0.0-rc3 overwrites global variables on the basis of the contents of the POST superglobal array, which allows remote authenticated users to inject values via a crafted request.
CC: (none) => oe
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0133
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED