Hello community, here is the log from the commit of package phpMyAdmin for openSUSE:Factory checked in at 2013-05-06 09:06:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/phpMyAdmin (Old) and /work/SRC/openSUSE:Factory/.phpMyAdmin.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "phpMyAdmin" Changes: --------
--- /work/SRC/openSUSE:Factory/phpMyAdmin/phpMyAdmin.changes 2013-04-10 20:27:09.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.phpMyAdmin.new/phpMyAdmin.changes 2013-05-06 09:06:13.000000000 +0200
@@ -1,0 +2,9 @@
+Wed Apr 24 22:41:50 UTC 2013 - ecsos@schirra.net
+
+- update to 3.5.8.1 (2013-04-24)
+ * [security] Remote code execution (preg_replace), reported by Janek Vind
+ (see PMASA-2013-2)
+ * [security] Locally Saved SQL Dump File Multiple File Extension Remote Code
+ Execution, reported by Janek Vind (see PMASA-2013-3)
+
+-------------------------------------------------------------------
Old: ---- phpMyAdmin-3.5.8-all-languages.tar.bz2 New: ---- phpMyAdmin-3.5.8.1-all-languages.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ phpMyAdmin.spec ++++++
--- /var/tmp/diff_new_pack.xFvAcB/_old 2013-05-06 09:06:15.000000000 +0200
+++ /var/tmp/diff_new_pack.xFvAcB/_new 2013-05-06 09:06:15.000000000 +0200
@@ -34,7 +34,7 @@
 Summary: Administration of MySQL over the web
 License: GPL-2.0+
 Group: Productivity/Networking/Web/Frontends
-Version: 3.5.8
+Version: 3.5.8.1
 Release: 0
 Url: http://www.phpMyAdmin.net
 Source0: %{name}-%{version}-all-languages.tar.bz2
++++++ phpMyAdmin-3.5.8-all-languages.tar.bz2 -> phpMyAdmin-3.5.8.1-all-languages.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.5.8-all-languages/ChangeLog new/phpMyAdmin-3.5.8.1-all-languages/ChangeLog
--- old/phpMyAdmin-3.5.8-all-languages/ChangeLog 2013-04-08 14:06:50.000000000 +0200
+++ new/phpMyAdmin-3.5.8.1-all-languages/ChangeLog 2013-04-24 14:30:15.000000000 +0200
@@ -1,6 +1,12 @@
 phpMyAdmin - ChangeLog
 ======================
+3.5.8.1 (2013-04-24)
+- [security] Remote code execution (preg_replace), reported by Janek Vind
+ (see PMASA-2013-2)
+- [security] Locally Saved SQL Dump File Multiple File Extension Remote Code
+ Execution, reported by Janek Vind (see PMASA-2013-3)
+
 3.5.8.0 (2013-04-08)
 - bug #3828 MariaDB reported as MySQL
 - bug #3854 Incorrect header for Safari 6.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.5.8-all-languages/Documentation.html new/phpMyAdmin-3.5.8.1-all-languages/Documentation.html
--- old/phpMyAdmin-3.5.8-all-languages/Documentation.html 2013-04-08 14:06:50.000000000 +0200
+++ new/phpMyAdmin-3.5.8.1-all-languages/Documentation.html 2013-04-24 14:30:15.000000000 +0200
@@ -8,7 +8,7 @@
 <link rel="icon" href="./favicon.ico" type="image/x-icon" />
 <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>phpMyAdmin 3.5.8 - Documentation</title>
+ <title>phpMyAdmin 3.5.8.1 - Documentation</title>
 <link rel="stylesheet" type="text/css" href="docs.css" />
 </head>
@@ -16,7 +16,7 @@
 <div id="header">
 <h1>
 <a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
- 3.5.8
+ 3.5.8.1
 Documentation
 </h1>
 </div>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.5.8-all-languages/Documentation.txt new/phpMyAdmin-3.5.8.1-all-languages/Documentation.txt
--- old/phpMyAdmin-3.5.8-all-languages/Documentation.txt 2013-04-08 14:06:50.000000000 +0200
+++ new/phpMyAdmin-3.5.8.1-all-languages/Documentation.txt 2013-04-24 14:30:15.000000000 +0200
@@ -1,4 +1,4 @@
-phpMyAdmin 3.5.8 Documentation
+phpMyAdmin 3.5.8.1 Documentation
 * Top
 * Requirements
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.5.8-all-languages/README new/phpMyAdmin-3.5.8.1-all-languages/README
--- old/phpMyAdmin-3.5.8-all-languages/README 2013-04-08 14:06:50.000000000 +0200
+++ new/phpMyAdmin-3.5.8.1-all-languages/README 2013-04-24 14:30:15.000000000 +0200
@@ -1,7 +1,7 @@
 phpMyAdmin - Readme
 ===================
-Version 3.5.8
+Version 3.5.8.1
 A set of PHP-scripts to manage MySQL over the web.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.5.8-all-languages/RELEASE-DATE-3.5.8 new/phpMyAdmin-3.5.8.1-all-languages/RELEASE-DATE-3.5.8
--- old/phpMyAdmin-3.5.8-all-languages/RELEASE-DATE-3.5.8 2013-04-08 14:06:51.000000000 +0200
+++ new/phpMyAdmin-3.5.8.1-all-languages/RELEASE-DATE-3.5.8 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-Mon Apr 8 12:03:54 UTC 2013
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.5.8-all-languages/RELEASE-DATE-3.5.8.1 new/phpMyAdmin-3.5.8.1-all-languages/RELEASE-DATE-3.5.8.1
--- old/phpMyAdmin-3.5.8-all-languages/RELEASE-DATE-3.5.8.1 1970-01-01 01:00:00.000000000 +0100
+++ new/phpMyAdmin-3.5.8.1-all-languages/RELEASE-DATE-3.5.8.1 2013-04-24 14:30:15.000000000 +0200
@@ -0,0 +1 @@
+Wed Apr 24 12:27:17 UTC 2013
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.5.8-all-languages/export.php new/phpMyAdmin-3.5.8.1-all-languages/export.php
--- old/phpMyAdmin-3.5.8-all-languages/export.php 2013-04-08 14:06:50.000000000 +0200
+++ new/phpMyAdmin-3.5.8.1-all-languages/export.php 2013-04-24 14:30:15.000000000 +0200
@@ -273,7 +273,9 @@
 }
 }
 $filename = PMA_expandUserString($filename_template);
- $filename = PMA_sanitize_filename($filename);
+ // remove dots in filename (coming from either the template or already
+ // part of the filename) to avoid a remote code execution vulnerability
+ $filename = PMA_sanitize_filename($filename, $replaceDots = true);
 // Grab basic dump extension and mime type
 // Check if the user already added extension; get the substring where the extension would be if it was included
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.5.8-all-languages/libraries/Config.class.php new/phpMyAdmin-3.5.8.1-all-languages/libraries/Config.class.php
--- old/phpMyAdmin-3.5.8-all-languages/libraries/Config.class.php 2013-04-08 14:06:50.000000000 +0200
+++ new/phpMyAdmin-3.5.8.1-all-languages/libraries/Config.class.php 2013-04-24 14:30:15.000000000 +0200
@@ -98,7 +98,7 @@
 */
 function checkSystem()
 {
- $this->set('PMA_VERSION', '3.5.8');
+ $this->set('PMA_VERSION', '3.5.8.1');
 /**
 * @deprecated
 */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.5.8-all-languages/libraries/Tracker.class.php new/phpMyAdmin-3.5.8.1-all-languages/libraries/Tracker.class.php
--- old/phpMyAdmin-3.5.8-all-languages/libraries/Tracker.class.php 2013-04-08 14:06:50.000000000 +0200
+++ new/phpMyAdmin-3.5.8.1-all-languages/libraries/Tracker.class.php 2013-04-24 14:30:15.000000000 +0200
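Review bot: In the export.php hunk, `PMA_sanitize_filename($filename, $replaceDots = true)` is an assignment expression, not a named argument, so besides passing `true` it creates or overwrites a variable `$replaceDots` in the calling scope. The call behaves as intended, but it reads like keyword syntax and would silently clobber any existing `$replaceDots` there. I would pass the literal and keep the intent in a comment: `$filename = PMA_sanitize_filename($filename, true); // true: replace dots as well`. The code that appends the dump extension afterwards lies outside the hunk.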
@@ -877,6 +877,9 @@
 if (empty($dbname)) {
 return;
 }
+ // Remove null bytes (preg_replace() is vulnerable in some
+ // PHP versions)
+ $dbname = str_replace("\0", "", $dbname);
 // If we found a valid statement
 if (isset($result['identifier'])) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.5.8-all-languages/libraries/mult_submits.inc.php new/phpMyAdmin-3.5.8.1-all-languages/libraries/mult_submits.inc.php
--- old/phpMyAdmin-3.5.8-all-languages/libraries/mult_submits.inc.php 2013-04-08 14:06:50.000000000 +0200
+++ new/phpMyAdmin-3.5.8.1-all-languages/libraries/mult_submits.inc.php 2013-04-24 14:30:15.000000000 +0200
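Review bot: In the libraries/Tracker.class.php hunk, the added `str_replace("\0", "", $dbname)` removes one specific byte and leaves every other regex metacharacter in `$dbname` untouched. The `preg_replace()` call the comment refers to is outside the hunk, so it is an assumption that `$dbname` is concatenated into a pattern there. If it is, quoting the value at the use site with `preg_quote($dbname, '/')` (using whatever delimiter that pattern has) makes it literal instead of relying on a one-character blocklist. The comment would also be easier to trace if it named the advisory, presumably the PMASA-2013-2 entry in the ChangeLog.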
@@ -425,14 +425,23 @@
 case 'replace_prefix_tbl':
 $current = $selected[$i];
- $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
+ if (substr($current, 0, strlen($from_prefix)) == $from_prefix) {
+ $newtablename = $to_prefix . substr($current, strlen($from_prefix));
+ } else {
+ $newtablename = $current;
+ }
 $a_query = 'ALTER TABLE ' . PMA_backquote($selected[$i]) . ' RENAME ' . PMA_backquote($newtablename) ; // CHANGE PREFIX PATTERN
 $run_parts = true;
 break;
 case 'copy_tbl_change_prefix':
 $current = $selected[$i];
- $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
+ if (substr($current, 0, strlen($from_prefix)) == $from_prefix) {
+ $newtablename = $to_prefix . substr($current, strlen($from_prefix));
+ } else {
+ $newtablename = $current;
+ }
+ $newtablename = $to_prefix . substr($current, strlen($from_prefix));
 $a_query = 'CREATE TABLE ' . PMA_backquote($newtablename) . ' SELECT * FROM ' . PMA_backquote($selected[$i]) ; // COPY TABLE AND CHANGE PREFIX PATTERN
 $run_parts = true;
 break;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.5.8-all-languages/libraries/sanitizing.lib.php new/phpMyAdmin-3.5.8.1-all-languages/libraries/sanitizing.lib.php
--- old/phpMyAdmin-3.5.8-all-languages/libraries/sanitizing.lib.php 2013-04-08 14:06:50.000000000 +0200
+++ new/phpMyAdmin-3.5.8.1-all-languages/libraries/sanitizing.lib.php 2013-04-24 14:30:15.000000000 +0200
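Review bot: In the `copy_tbl_change_prefix` case of libraries/mult_submits.inc.php, the added line `$newtablename = $to_prefix . substr($current, strlen($from_prefix));` after the closing `}` overwrites what the if/else just computed. A table whose name does not start with `$from_prefix` therefore still loses its first `strlen($from_prefix)` characters and gets `$to_prefix` prepended. The `replace_prefix_tbl` case has no such trailing line, and the copy case should match it by deleting that one. Both cases also compare with `==`, which treats numeric-looking strings such as `'1.0'` and `'001'` as equal; `=== $from_prefix` keeps the prefix test a byte comparison. The enclosing switch begins and ends outside the hunk.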
@@ -134,18 +134,29 @@
 /**
- * Sanitize a filename by removing anything besides A-Za-z0-9_.-
+ * Sanitize a filename by removing anything besides legit characters
 *
 * Intended usecase:
- * When using a filename in a Content-Disposition header the value should not contain ; or "
+ * When using a filename in a Content-Disposition header the value
+ * should not contain ; or "
+ *
+ * When exporting, avoiding generation of an unexpected double-extension file
 *
 * @param string The filename
+ * @param boolean Whether to also replace dots
 *
 * @return string the sanitized filename
 *
 */
-function PMA_sanitize_filename($filename) {
- $filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
+function PMA_sanitize_filename($filename, $replaceDots = false) {
+ $pattern = '/[^A-Za-z0-9_';
+ // if we don't have to replace dots
+ if (! $replaceDots) {
+ // then add the dot to the list of legit characters
+ $pattern .= '.';
+ }
+ $pattern .= '-]/';
+ $filename = preg_replace($pattern, '_', $filename);
 return $filename;
 }
-- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
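Review bot: `PMA_sanitize_filename()` in libraries/sanitizing.lib.php still lets dots through unless the caller opts in, because the new parameter defaults to `$replaceDots = false`, and the only call site this patch switches to `true` is the one in export.php. Any other caller that uses the result as a name for a file saved on the server (none are visible here) keeps the old double-extension behaviour. The docblock should say when `true` is required, e.g. `@param boolean $replaceDots whether to also replace dots; pass true when the name is used for a file saved on the server`. Both `@param` lines also omit the parameter names `$filename` and `$replaceDots`.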