Hello community, here is the log from the commit of package phpMyAdmin for openSUSE:12.1:Update:Test checked in at 2011-11-21 18:46:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update:Test/phpMyAdmin (Old) and /work/SRC/openSUSE:12.1:Update:Test/.phpMyAdmin.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "phpMyAdmin", Maintainer is "CrRodriguez@novell.com" Changes: -------- --- /work/SRC/openSUSE:12.1:Update:Test/phpMyAdmin/phpMyAdmin.changes 2011-11-21 18:46:26.000000000 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.phpMyAdmin.new/phpMyAdmin.changes 2011-11-21 18:46:27.000000000 +0100 @@ -1,0 +2,8 @@ +Mon Nov 14 20:22:30 UTC 2011 - chris@computersalat.de + +- update to 3.4.7.1 (fix for bnc#728243) + - [security] Fixed possible local file inclusion in XML import + (CVE-2011-4107), see PMASA-2011-17 + http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php + +------------------------------------------------------------------- Old: ---- phpMyAdmin-3.4.7-all-languages.tar.bz2 New: ---- phpMyAdmin-3.4.7.1-all-languages.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ phpMyAdmin.spec ++++++ --- /var/tmp/diff_new_pack.qE6QIh/_old 2011-11-21 18:46:30.000000000 +0100 +++ /var/tmp/diff_new_pack.qE6QIh/_new 2011-11-21 18:46:30.000000000 +0100 
@@ -33,7 +33,7 @@ %endif Summary: Administration of MySQL over the web -Version: 3.4.7 +Version: 3.4.7.1 Release: 1 License: GPLv2+ Group: Productivity/Networking/Web/Frontends ++++++ phpMyAdmin-3.4.7-all-languages.tar.bz2 -> phpMyAdmin-3.4.7.1-all-languages.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.7-all-languages/ChangeLog new/phpMyAdmin-3.4.7.1-all-languages/ChangeLog --- old/phpMyAdmin-3.4.7-all-languages/ChangeLog 2011-10-23 14:17:12.000000000 +0200 +++ new/phpMyAdmin-3.4.7.1-all-languages/ChangeLog 2011-11-10 15:14:51.000000000 +0100 @@ -1,7 +1,10 @@ phpMyAdmin - ChangeLog ====================== -3.4.7.0 (not yet released) +3.4.7.1 (2011-11-10) +- [security] Fixed possible local file inclusion in XML import (CVE-2011-4107). + +3.4.7.0 (2011-10-23) - bug #3418610 [interface] Links in navigation when $cfg['MainPageIconic'] = false - bug #3418849 [interface] Inline edit shows dropdowns even after closing - bug [view] View renaming did not work diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.7-all-languages/Documentation.html new/phpMyAdmin-3.4.7.1-all-languages/Documentation.html --- old/phpMyAdmin-3.4.7-all-languages/Documentation.html 2011-10-23 14:17:12.000000000 +0200 +++ new/phpMyAdmin-3.4.7.1-all-languages/Documentation.html 2011-11-10 15:14:51.000000000 +0100 @@ -9,7 +9,7 @@ <link rel="icon" href="./favicon.ico" type="image/x-icon" /> <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - <title>phpMyAdmin 3.4.7 - Documentation</title> + <title>phpMyAdmin 3.4.7.1 - Documentation</title> <link rel="stylesheet" type="text/css" href="docs.css" /> </head> @@ -17,7 +17,7 @@ <div id="header"> <h1> <a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a> - 3.4.7 + 3.4.7.1 Documentation </h1> </div> 
@@ -82,6 +82,9 @@ <li>To support BLOB streaming, see PHP and MySQL requirements in <a href="#faq6_25"> <abbr title="Frequently Asked Questions">FAQ</abbr> 6.25</a>.</li> + <li>To support XML and Open Document Spreadsheet importing, + you need PHP 5.2.17 or newer and the + <a href="http://www.php.net/libxml"><tt>libxml</tt></a> extension.</li> </ul> </li> <li><b>MySQL</b> 5.0 or newer (<a href="#faq1_17">details</a>);</li> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.7-all-languages/Documentation.txt new/phpMyAdmin-3.4.7.1-all-languages/Documentation.txt --- old/phpMyAdmin-3.4.7-all-languages/Documentation.txt 2011-10-23 14:17:12.000000000 +0200 +++ new/phpMyAdmin-3.4.7.1-all-languages/Documentation.txt 2011-11-10 15:14:51.000000000 +0100 @@ -1,4 +1,4 @@ -phpMyAdmin 3.4.7 Documentation +phpMyAdmin 3.4.7.1 Documentation * Top * Requirements @@ -36,6 +36,8 @@ slower. + To support upload progress bars, see FAQ 2.9. + To support BLOB streaming, see PHP and MySQL requirements in FAQ 6.25. + + To support XML and Open Document Spreadsheet importing, you need PHP + 5.2.17 or newer and the libxml extension. * MySQL 5.0 or newer (details); * Web browser with cookies enabled. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.7-all-languages/README new/phpMyAdmin-3.4.7.1-all-languages/README --- old/phpMyAdmin-3.4.7-all-languages/README 2011-10-23 14:17:12.000000000 +0200 +++ new/phpMyAdmin-3.4.7.1-all-languages/README 2011-11-10 15:14:51.000000000 +0100 
@@ -1,7 +1,7 @@ phpMyAdmin - Readme =================== -Version 3.4.7 +Version 3.4.7.1 A set of PHP-scripts to manage MySQL over the web. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.7-all-languages/RELEASE-DATE-3.4.7 new/phpMyAdmin-3.4.7.1-all-languages/RELEASE-DATE-3.4.7 --- old/phpMyAdmin-3.4.7-all-languages/RELEASE-DATE-3.4.7 2011-10-23 14:17:12.000000000 +0200 +++ new/phpMyAdmin-3.4.7.1-all-languages/RELEASE-DATE-3.4.7 1970-01-01 01:00:00.000000000 +0100 @@ -1 +0,0 @@ -Sun Oct 23 12:16:04 UTC 2011 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.7-all-languages/RELEASE-DATE-3.4.7.1 new/phpMyAdmin-3.4.7.1-all-languages/RELEASE-DATE-3.4.7.1 --- old/phpMyAdmin-3.4.7-all-languages/RELEASE-DATE-3.4.7.1 1970-01-01 01:00:00.000000000 +0100 +++ new/phpMyAdmin-3.4.7.1-all-languages/RELEASE-DATE-3.4.7.1 2011-11-10 15:14:51.000000000 +0100 @@ -0,0 +1 @@ +Thu Nov 10 14:13:42 UTC 2011 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.7-all-languages/libraries/Config.class.php new/phpMyAdmin-3.4.7.1-all-languages/libraries/Config.class.php --- old/phpMyAdmin-3.4.7-all-languages/libraries/Config.class.php 2011-10-23 14:17:12.000000000 +0200 +++ new/phpMyAdmin-3.4.7.1-all-languages/libraries/Config.class.php 2011-11-10 15:14:51.000000000 +0100 @@ -96,7 +96,7 @@ */ function checkSystem() { - $this->set('PMA_VERSION', '3.4.7'); + $this->set('PMA_VERSION', '3.4.7.1'); /** * @deprecated */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.7-all-languages/libraries/import/ods.php new/phpMyAdmin-3.4.7.1-all-languages/libraries/import/ods.php --- old/phpMyAdmin-3.4.7-all-languages/libraries/import/ods.php 2011-10-23 14:17:12.000000000 +0200 +++ new/phpMyAdmin-3.4.7.1-all-languages/libraries/import/ods.php 2011-11-10 15:14:51.000000000 +0100 
@@ -14,6 +14,13 @@ } /** + * We need way to disable external XML entities processing. + */ +if (!function_exists('libxml_disable_entity_loader')) { + return; +} + +/** * The possible scopes for $plugin_param are: 'table', 'database', and 'server' */ @@ -64,6 +71,11 @@ unset($data); /** + * Disable loading of external XML entities. + */ +libxml_disable_entity_loader(); + +/** * Load the XML string * * The option LIBXML_COMPACT is specified because it can diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.7-all-languages/libraries/import/xml.php new/phpMyAdmin-3.4.7.1-all-languages/libraries/import/xml.php --- old/phpMyAdmin-3.4.7-all-languages/libraries/import/xml.php 2011-10-23 14:17:12.000000000 +0200 +++ new/phpMyAdmin-3.4.7.1-all-languages/libraries/import/xml.php 2011-11-10 15:14:51.000000000 +0100 @@ -13,6 +13,13 @@ } /** + * We need way to disable external XML entities processing. + */ +if (!function_exists('libxml_disable_entity_loader')) { + return; +} + +/** * The possible scopes for $plugin_param are: 'table', 'database', and 'server' */ @@ -57,6 +64,11 @@ unset($data); /** + * Disable loading of external XML entities. + */ +libxml_disable_entity_loader(); + +/** * Load the XML string * * The option LIBXML_COMPACT is specified because it can @@ -141,19 +153,19 @@ * Get structures for all tables */ $struct = $xml->children($namespaces['pma']); - + $create = array(); - + foreach ($struct as $tier1 => $val1) { foreach($val1 as $tier2 => $val2) { /* Need to select the correct database for the creation of tables, views, triggers, etc. */ /** - * @todo Generating a USE here blocks importing of a table - * into another database. + * @todo Generating a USE here blocks importing of a table + * into another database. */ $attrs = $val2->attributes(); $create[] = "USE " . PMA_backquote($attrs["name"]); - + foreach ($val2 as $val3) { /** * Remove the extra cosmetic spacing 
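Review bot: The guard added to ods.php, `if (!function_exists('libxml_disable_entity_loader')) { return; }`, leaves the plugin file silently, so on a PHP build without that function the ODS import format would presumably just not be offered, with nothing shown or logged to explain why. Failing closed is the right choice for CVE-2011-4107, but the comment should say so, e.g. `Without libxml_disable_entity_loader() external XML entities cannot be switched off, so this import plugin is not registered.`, which also fixes the "We need way" wording. The same guard is pasted into xml.php at `@@ -13,6 +13,13 @@`; a shared helper would keep the two copies from drifting apart. The Documentation hunks state PHP 5.2.17 as the requirement while the code only tests for the function, so it is worth confirming which of the two is the real minimum. The rest of the plugin file lies outside the hunk.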
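Review bot: The `libxml_disable_entity_loader();` call added to ods.php at `@@ -64,6 +71,11 @@` discards the previous setting and never restores it, so the loader stays disabled for everything that runs after the import in the same request, and any later libxml-backed load from a file or URL will fail there. The setting is not scoped to this one parse, and under some SAPIs it has been reported to outlive the request, so saving and restoring it is safer: `$pma_old_loader = libxml_disable_entity_loader(true);` before the load and `libxml_disable_entity_loader($pma_old_loader);` right after it. Passing `true` explicitly also makes the intent readable without looking up the default. The load call itself is outside the hunk, so please confirm it passes no option beyond the `LIBXML_COMPACT` the comment mentions, in particular not `LIBXML_NOENT`. The same applies to xml.php at `@@ -57,6 +64,11 @@`.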
@@ -163,7 +175,7 @@ } } } - + $struct_present = true; } @@ -179,13 +191,13 @@ */ if (@count($xml->children())) { $data_present = true; - + /** * Process all database content */ foreach ($xml as $k1 => $v1) { $tbl_attr = $v1->attributes(); - + $isInTables = false; for ($i = 0; $i < count($tables); ++$i) { if (! strcmp($tables[$i][TBL_NAME], (string)$tbl_attr['name'])) { @@ -193,11 +205,11 @@ break; } } - + if ($isInTables == false) { $tables[] = array((string)$tbl_attr['name']); } - + foreach ($v1 as $k2 => $v2) { $row_attr = $v2->attributes(); if (! array_search((string)$row_attr['name'], $tempRow)) @@ -206,17 +218,17 @@ } $tempCells[] = (string)$v2; } - + $rows[] = array((string)$tbl_attr['name'], $tempRow, $tempCells); - + $tempRow = array(); $tempCells = array(); } - + unset($tempRow); unset($tempCells); unset($xml); - + /** * Bring accumulated rows into the corresponding table */ @@ -227,17 +239,17 @@ if (! isset($tables[$i][COL_NAMES])) { $tables[$i][] = $rows[$j][COL_NAMES]; } - + $tables[$i][ROWS][] = $rows[$j][ROWS]; } } } - + unset($rows); - + if (! $struct_present) { $analyses = array(); - + $len = count($tables); for ($i = 0; $i < $len; ++$i) { $analyses[] = PMA_analyzeTable($tables[$i]); @@ -289,7 +301,7 @@ if ($db_name === NULL) { $db_name = 'XML_DB'; } - + /* Set database collation/charset */ $options = array( 'db_collation' => $collation, -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org