On Wednesday 16 of November 2005 13:17, Martin Schulze wrote:
> > Vuln 1:
> > Full Path Disclosures in the following files:
>
> > Vuln 2:
> > Http Response Splitting in libraries/header_http.inc.php
>
> Do you know if this is the same vulnerability as the first one above?
The Full Path Disclosure is not fixed currently by upstream and I think it is not important for the Debian version. I'm attaching the patch for sarge.

Additionally, I've fixed the important bug #324318. Please include the patch for this bug in the stable release. The patch doesn't change program functionality and resolves more problems with a bad configuration file which are not reported to the BTS.

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:[EMAIL PROTECTED]
`. `'     mailto:[EMAIL PROTECTED]
  `-
=== debian/changelog ================================================================== --- debian/changelog (revision 373) +++ debian/changelog (local) @@ -1,3 +1,19 @@ +phpmyadmin (4:2.6.2-3sarge2) stable-security; urgency=high + + * Security fix: HTTP Response Splitting vulnerability. + See: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6 + See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3621 + Closes: #339437. + + * New 104-bug_PMASA-2005-6.patch: + - Fixes HTTP Response Splitting vulnerability. + * New 105-bug_debian_324318.patch: + - Always set the default configuration values, even if the config.inc.php + file seems to be up to date. This fix allows to utilise more than three + databases. Closes: #324318. + + -- Piotr Roszatycki <[EMAIL PROTECTED]> Wed, 16 Nov 2005 17:49:13 +0100 + phpmyadmin (4:2.6.2-3sarge1) stable-security; urgency=high * NMU by security team to fix several vulnerabilities. Patch provided === debian/patches/104-bug_PMASA-2005-6.patch ================================================================== --- debian/patches/104-bug_PMASA-2005-6.patch (revision 373) +++ debian/patches/104-bug_PMASA-2005-6.patch (local) 
@@ -0,0 +1,79 @@ +diff -Nru phpMyAdmin-2.6.4-pl3/libraries/db_table_exists.lib.php phpMyAdmin-2.6.4-pl4/libraries/db_table_exists.lib.php +--- phpMyAdmin-2.6.4-pl3/libraries/db_table_exists.lib.php 2004-10-19 21:51:54.000000000 +0200 ++++ phpMyAdmin-2.6.4-pl4/libraries/db_table_exists.lib.php 2005-11-15 16:21:47.000000000 +0100 +@@ -12,7 +12,7 @@ + $is_db = @PMA_DBI_select_db($db); + } + if (empty($db) || !$is_db) { +- if (!isset($is_transformation_wrapper)) { ++ if (!defined('IS_TRANSFORMATION_WRAPPER')) { + PMA_sendHeaderLocation($cfg['PmaAbsoluteUri'] . 'main.php?' . PMA_generate_common_url('', '', '&') . (isset($message) ? '&message=' . urlencode($message) : '') . '&reload=1'); + } + exit; +@@ -26,7 +26,7 @@ + if (empty($table) + || !($is_table && @PMA_DBI_num_rows($is_table))) { + $redirect = TRUE; +- if (!isset($is_transformation_wrapper)) { ++ if (!defined('IS_TRANSFORMATION_WRAPPER')) { + $redirect = TRUE; + if (!empty($table)) { + PMA_DBI_free_result($is_table); +diff -Nru phpMyAdmin-2.6.4-pl3/libraries/header_http.inc.php phpMyAdmin-2.6.4-pl4/libraries/header_http.inc.php +--- phpMyAdmin-2.6.4-pl3/libraries/header_http.inc.php 2004-04-27 14:36:11.000000000 +0200 ++++ phpMyAdmin-2.6.4-pl4/libraries/header_http.inc.php 2005-11-15 16:21:47.000000000 +0100 +@@ -5,19 +5,13 @@ + /** + * Sends http headers + */ +-// Don't use cache (required for Opera) +-$ctype = (isset($ctype) ? $ctype : 'html'); +-if ($ctype == 'css') { +- header('Content-Type: text/css; charset=ISO-8859-1'); +-} else { +- $GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT'; +- header('Expires: ' . $GLOBALS['now']); // rfc2616 - Section 14.21 +- header('Last-Modified: ' . $GLOBALS['now']); +- header('Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0'); // HTTP/1.1 +- header('Pragma: no-cache'); // HTTP/1.0 +- if (!isset($is_transformation_wrapper)) { +- // Define the charset to be used +- header('Content-Type: text/' . $ctype . '; charset=' . 
$GLOBALS['charset']); +- } ++$GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT'; ++header('Expires: ' . $GLOBALS['now']); // rfc2616 - Section 14.21 ++header('Last-Modified: ' . $GLOBALS['now']); ++header('Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0'); // HTTP/1.1 ++header('Pragma: no-cache'); // HTTP/1.0 ++if (!defined('IS_TRANSFORMATION_WRAPPER')) { ++ // Define the charset to be used ++ header('Content-Type: text/html; charset=' . $GLOBALS['charset']); + } + ?> +diff -Nru phpMyAdmin-2.6.4-pl3/css/phpmyadmin.css.php phpMyAdmin-2.6.4-pl4/css/phpmyadmin.css.php +--- phpMyAdmin-2.6.4-pl3/css/phpmyadmin.css.php 2005-08-16 19:49:57.000000000 +0200 ++++ phpMyAdmin-2.6.4-pl4/css/phpmyadmin.css.php 2005-11-15 16:21:47.000000000 +0100 +@@ -13,8 +13,8 @@ + // but only functions used to determine browser heritage. + PMA_setFontSizes(); + +-$ctype = 'css'; +-require_once('./libraries/header_http.inc.php'); ++// Send correct type: ++header('Content-Type: text/css; charset=ISO-8859-1'); + + if (!isset($js_frame)) { + $js_frame = 'left'; +diff -Nru phpMyAdmin-2.6.4-pl3/transformation_wrapper.php phpMyAdmin-2.6.4-pl4/transformation_wrapper.php +--- phpMyAdmin-2.6.4-pl3/transformation_wrapper.php 2004-08-21 15:41:41.000000000 +0200 ++++ phpMyAdmin-2.6.4-pl4/transformation_wrapper.php 2005-11-15 16:21:47.000000000 +0100 +@@ -1,8 +1,8 @@ + <?php + /* $Id: transformation_wrapper.php,v 2.7 2004/08/21 13:41:41 lem9 Exp $ */ + // vim: expandtab sw=4 ts=4 sts=4: + +-$is_transformation_wrapper = true; ++define('IS_TRANSFORMATION_WRAPPER', true); + + /** + * Get the variables sent or posted to this script and displays the header Property changes on: debian/patches/104-bug_PMASA-2005-6.patch ___________________________________________________________________ Name: svn:mime-type +text/x-patch === debian/patches/105-bug_debian_324318.patch ================================================================== --- 
debian/patches/105-bug_debian_324318.patch (revision 373) +++ debian/patches/105-bug_debian_324318.patch (local) @@ -0,0 +1,25 @@ +diff -Nru phpMyAdmin-2.6.2.orig/libraries/common.lib.php phpMyAdmin-2.6.2/libraries/common.lib.php +--- phpMyAdmin-2.6.2.orig/libraries/common.lib.php 2005-11-16 12:52:16.000000000 +0100 ++++ phpMyAdmin-2.6.2/libraries/common.lib.php 2005-11-16 17:43:34.000000000 +0100 +@@ -116,20 +116,8 @@ + + /** + * Includes compatibility code for older config.inc.php revisions +- * if necessary + */ +-if (isset($cfg['FileRevision'])) { +- // converting revision string into an array +- // e.g. "Revision: 2.0" becomes array(2, 0). +- $cfg['FileRevision'] = str_replace('$' . 'Revision: ', '', $cfg['FileRevision']); +- $cfg['FileRevision'] = str_replace(' $', '', $cfg['FileRevision']); +- $cfg['FileRevision'] = explode('.', $cfg['FileRevision']); +-} else { +- $cfg['FileRevision'] = array(1, 1); +-} +-if ($cfg['FileRevision'][0] < 2 || ($cfg['FileRevision'][0] == 2 && $cfg['FileRevision'][1] < 48)) { +- require_once('./libraries/config_import.lib.php'); +-} ++require_once('./libraries/config_import.lib.php'); + + /** + * Includes the language file if it hasn't been included yet Property changes on: debian/patches/105-bug_debian_324318.patch ___________________________________________________________________ Name: svn:mime-type +text/x-patch
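Review bot: the file headers inside 104-bug_PMASA-2005-6.patch reference phpMyAdmin-2.6.4-pl3 and phpMyAdmin-2.6.4-pl4 paths, while the package this changelog entry targets is 4:2.6.2-3sarge2; confirm the hunks (especially the db_table_exists.lib.php ones at @@ -12,7 and @@ -26,7) apply cleanly to the 2.6.2 sources, and mention in the changelog that this is a backport of the upstream 2.6.4-pl4 fix so the version mismatch in the patch header does not confuse the next maintainer.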
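Review bot: in the header_http.inc.php hunk the fix removes the `$ctype` interpolation into `header('Content-Type: text/' . $ctype ...)` and hardcodes text/html, which closes the request-controlled header value, but `$GLOBALS['charset']` is still concatenated into the same header; verify that charset is populated only from the language/config files and cannot be set from the request under register_globals, otherwise the same header-injection path remains open through a different variable. The removed "Don't use cache (required for Opera)" comment is also worth keeping, since the Expires/Cache-Control/Pragma lines it documented are still emitted.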
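Review bot: after the phpmyadmin.css.php hunk the stylesheet no longer includes header_http.inc.php, so the Expires, Last-Modified, Cache-Control and Pragma no-cache headers are no longer sent with the CSS; if letting the stylesheet be cached is intended, state that in the patch description, otherwise emit those headers alongside the new `header('Content-Type: text/css; charset=ISO-8859-1');` line.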
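Review bot: switching from `isset($is_transformation_wrapper)` to `defined('IS_TRANSFORMATION_WRAPPER')` in db_table_exists.lib.php, header_http.inc.php and transformation_wrapper.php is the right direction, since a constant defined by the script itself cannot be supplied from the request the way a global variable can under register_globals; make sure every remaining reader of `$is_transformation_wrapper` in the 2.6.2 tree is converted as well (only these files appear in the patch), or the old flag stays half-live and the check is inconsistent between files.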
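Review bot: the common.lib.php hunk in 105-bug_debian_324318.patch removes the whole FileRevision parsing block rather than only the version gate, so `$cfg['FileRevision']` is no longer normalized into an array; check that nothing else in the tree reads it in that form. Because config_import.lib.php now runs unconditionally on every request, also verify that it only fills in missing defaults and never overwrites values the admin set in config.inc.php, which is what the changelog wording "Always set the default configuration values" relies on.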