Bug#1116015: bookworm-pu: package libphp-adodb/5.21.4-1+deb12u2

Abhijith PA Tue, 23 Sep 2025 00:11:32 -0700

Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libphp-adodb


please approve the upload of package libphp-adodb to bookworm
to fix security issue. CVE-2025-54119

[ Reason ]

There is a SQL injection vulnerability in the sqlite3 driver.

[ Impact ]
Impacts the use of sqlite3 driver where SQL injection possible in
metaColumns(), metaForeignKeys() or metaIndexes() methods.

[ Tests ]
No tests in package. But The patch is backported from upstream without
any fuzzs.

[ Risks ]
Unlikely. Since backported from upstream with zero fuzz.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

--abhijith

diff -Nru libphp-adodb-5.21.4/debian/changelog 
libphp-adodb-5.21.4/debian/changelog
--- libphp-adodb-5.21.4/debian/changelog        2025-05-07 03:09:03.000000000 
+0530
+++ libphp-adodb-5.21.4/debian/changelog        2025-09-17 13:32:21.000000000 
+0530
@@ -1,3 +1,10 @@
+libphp-adodb (5.21.4-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-54119: SQL injection in sqlite3 driver (Closes: #1110464)
+
+ -- Abhijith PA <[email protected]>  Wed, 17 Sep 2025 13:32:21 +0530
+
 libphp-adodb (5.21.4-1+deb12u1) bookworm; urgency=high
 
   * Non-maintainer upload.
diff -Nru libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch 
libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch
--- libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch     1970-01-01 
05:30:00.000000000 +0530
+++ libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch     2025-09-17 
13:28:24.000000000 +0530
@@ -0,0 +1,87 @@
+From 5b8bd52cdcffefb4ecded1b399c98cfa516afe03 Mon Sep 17 00:00:00 2001
+From: Damien Regad <[email protected]>
+Date: Sat, 19 Jul 2025 18:37:59 +0200
+Subject: [PATCH] Prevent SQL injection in sqlite3 driver
+
+Use query parameters instead of injecting the table name in the SQL, in
+the following methods:
+- metaColumns()
+- metaForeignKeys()
+- metaIndexes()
+
+Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability.
+
+Fixes #1083, CVE-2025-54119, GHSA-vf2r-cxg9-p7rf
+---
+ drivers/adodb-sqlite3.inc.php | 37 ++++++++++++++---------------------
+ 1 file changed, 15 insertions(+), 22 deletions(-)
+
+--- a/drivers/adodb-sqlite3.inc.php
++++ b/drivers/adodb-sqlite3.inc.php
+@@ -160,7 +160,9 @@ class ADODB_sqlite3 extends ADOConnectio
+               if ($this->fetchMode !== false) {
+                       $savem = $this->SetFetchMode(false);
+               }
+-              $rs = $this->Execute("PRAGMA table_info('$table')");
++
++              $rs = $this->execute("PRAGMA table_info(?)", array($table));
++
+               if (isset($savem)) {
+                       $this->SetFetchMode($savem);
+               }
+@@ -214,9 +216,8 @@ class ADODB_sqlite3 extends ADOConnectio
+                                 )
+                               WHERE type != 'meta'
+                                 AND sql NOTNULL
+-                        AND LOWER(name) ='" . strtolower($table) . "'";
+-
+-              $tableSql = $this->getOne($sql);
++                        AND LOWER(name) = ?";
++              $tableSql = $this->getOne($sql, [strtolower($table)]);
+ 
+               $fkeyList = array();
+               $ylist = preg_split("/,+/",$tableSql);
+@@ -433,6 +434,7 @@ class ADODB_sqlite3 extends ADOConnectio
+                       $savem = $this->SetFetchMode(FALSE);
+               }
+ 
++              $table = strtolower($table);
+               $pragmaData = array();
+ 
+               /*
+@@ -441,26 +443,17 @@ class ADODB_sqlite3 extends ADOConnectio
+               */
+               if ($primary)
+               {
+-                      $sql = sprintf('PRAGMA table_info([%s]);',
+-                                                 strtolower($table)
+-                                                 );
+-                      $pragmaData = $this->getAll($sql);
++                      $sql = 'PRAGMA table_info(?)';
++                      $pragmaData = $this->getAll($sql, [$table]);
+               }
+ 
+-              /*
+-              * Exclude the empty entry for the primary index
+-              */
+-              $sqlite = "SELECT name,sql
+-                                       FROM sqlite_master
+-                                      WHERE type='index'
+-                                        AND sql IS NOT NULL
+-                                        AND LOWER(tbl_name)='%s'";
+-
+-              $SQL = sprintf($sqlite,
+-                                   strtolower($table)
+-                                       );
+-
+-              $rs = $this->execute($SQL);
++              // Exclude the empty entry for the primary index
++              $sql = "SELECT name,sql
++                              FROM sqlite_master
++                              WHERE type='index'
++                                AND sql IS NOT NULL
++                                AND LOWER(tbl_name)=?";
++              $rs = $this->execute($sql, [$table]);
+ 
+               if (!is_object($rs)) {
+                       if (isset($savem)) {
diff -Nru libphp-adodb-5.21.4/debian/patches/series 
libphp-adodb-5.21.4/debian/patches/series
--- libphp-adodb-5.21.4/debian/patches/series   2025-05-07 03:09:03.000000000 
+0530
+++ libphp-adodb-5.21.4/debian/patches/series   2025-09-17 11:56:11.000000000 
+0530
@@ -1 +1,2 @@
 00-fix-sec-pgsql-sql-injection.patch
+CVE-2025-54119.patch

Bug#1116015: bookworm-pu: package libphp-adodb/5.21.4-1+deb12u2

Reply via email to