Hi, I recently applied to join the Debian LTS project as a paid contributor. As part of this process I'm preparing a DLA for phpmyadmin following data/dla-needed.txt.
CVE-2019-6798 is actually not affected (the related Designer code was refactored twice since Jessie).

CVE-2019-6799 is an annoying one that varies on whether:
- php5-mysql or php5-mysqlnd is installed,
- mysql.so or mysqli.so is used,
- open_basedir is in use,
- the user runs an arbitrary query or uses the import feature.

Here is a package where I believe this vulnerability is fixed:
https://www.beuc.net/tmp/debian-lts/

Attached is the debdiff.

Testing a temporary database and attempting to run something like:
  LOAD DATA LOCAL INFILE '/etc/phpmyadmin/config-db.php' INTO TABLE test(text);
in one configuration from above would be a good test.

I would very much welcome your feedback :)

Cheers!
Sylvain
diff -Nru phpmyadmin-4.2.12/debian/changelog phpmyadmin-4.2.12/debian/changelog --- phpmyadmin-4.2.12/debian/changelog 2019-01-29 18:10:17.000000000 +0100 +++ phpmyadmin-4.2.12/debian/changelog 2019-02-24 01:12:19.000000000 +0100 @@ -1,3 +1,11 @@ +phpmyadmin (4:4.2.12-2+deb8u5) UNRELEASED; urgency=high + + * Non-maintainer upload by the Debian LTS team. + * Fix CVE-2019-6799: information leak (arbitrary file read) using SQL + queries. + + -- Sylvain Beucler <b...@debian.org> Sun, 24 Feb 2019 01:12:19 +0100 + phpmyadmin (4:4.2.12-2+deb8u4) jessie-security; urgency=high * Non-maintainer upload by the Debian LTS team. diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2019-6799.patch phpmyadmin-4.2.12/debian/patches/CVE-2019-6799.patch --- phpmyadmin-4.2.12/debian/patches/CVE-2019-6799.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/CVE-2019-6799.patch 2019-02-24 01:12:19.000000000 +0100 
@@ -0,0 +1,84 @@ +Description: Fix information leak (arbitrary file read) using SQL queries + Fix CVE-2019-6799 + https://www.phpmyadmin.net/security/PMASA-2019-1/ + + This patch is based on upstream patches: + https://github.com/phpmyadmin/phpmyadmin/commit/c5e01f84ad48c5c626001cb92d7a95500920a900 + https://github.com/phpmyadmin/phpmyadmin/commit/aeac90623e525057a7672ab3d98154b5c57c15ec + Avoid regression in 'Table > Import > Load CSV with LOAD DATA' by backporting: + https://github.com/phpmyadmin/phpmyadmin/commit/d02d61ada7c8e29753fd37440b511a1088efb060 + + Note: mitigated by /etc/phpmyadmin/apache.conf's open_basedir: + - php5-mysql: open_basedir fully disables LOAD DATA LOCAL INFILE; + - php5-mysqlnd: open_basedir is respected but some sensitive files + remain accessible, notably '/etc/phpmyadmin/config-db.php'. + + Note: nothing to do with AllowArbitraryServer, works on local MySQL server as well. + + Note: https://bugs.php.net/bug.php?id=77496 applies php5-mysqlnd but not php5-mysql. 
+ +Author: Sylvain Beucler <b...@debian.org> +Last-Updated: 2019-02-24 + +Index: phpmyadmin-4.2.12/import.php +=================================================================== +--- phpmyadmin-4.2.12.orig/import.php ++++ phpmyadmin-4.2.12/import.php +@@ -6,6 +6,11 @@ + * @package PhpMyAdmin + */ + ++/* Enable LOAD DATA LOCAL INFILE for LDI plugin */ ++if (isset($_POST['format']) && $_POST['format'] == 'ldi') { ++ define('PMA_ENABLE_LDI', 1); ++} ++ + /** + * Get the variables sent or posted to this script and a core script + */ +Index: phpmyadmin-4.2.12/libraries/dbi/DBIMysql.class.php +=================================================================== +--- phpmyadmin-4.2.12.orig/libraries/dbi/DBIMysql.class.php ++++ phpmyadmin-4.2.12/libraries/dbi/DBIMysql.class.php +@@ -52,6 +52,10 @@ class PMA_DBI_Mysql implements PMA_DBI_E + ) { + global $cfg; + ++ if (ini_get('mysql.allow_local_infile')) { ++ PMA_fatalError(__('Please disable mysql.allow_local_infile in your PHP configuration or install the mysqli extension.')); ++ } ++ + if (empty($client_flags)) { + if ($cfg['PersistentConnections'] || $persistent) { + $link = @mysql_pconnect($server, $user, $password); +Index: phpmyadmin-4.2.12/libraries/dbi/DBIMysqli.class.php +=================================================================== +--- phpmyadmin-4.2.12.orig/libraries/dbi/DBIMysqli.class.php ++++ phpmyadmin-4.2.12/libraries/dbi/DBIMysqli.class.php +@@ -156,7 +156,12 @@ class PMA_DBI_Mysqli implements PMA_DBI_ + + $link = mysqli_init(); + +- mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, true); ++ // Note: CVE-2019-6799 for php5-mysql (non-nd) ++ if (defined('PMA_ENABLE_LDI')) { ++ mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, true); ++ } else { ++ mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, false); ++ } + + $client_flags = 0; + +@@ -219,6 +224,12 @@ class PMA_DBI_Mysqli implements PMA_DBI_ + } + + if ($return_value != false) { ++ // Note: CVE-2019-6799 for php5-mysqlnd ++ if (defined('PMA_ENABLE_LDI')) 
{ ++ mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, true); ++ } else { ++ mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, false); ++ } + $GLOBALS['dbi']->postConnect($link, $is_controluser); + return $link; + } diff -Nru phpmyadmin-4.2.12/debian/patches/series phpmyadmin-4.2.12/debian/patches/series --- phpmyadmin-4.2.12/debian/patches/series 2019-01-29 18:10:05.000000000 +0100 +++ phpmyadmin-4.2.12/debian/patches/series 2019-02-23 23:51:17.000000000 +0100 @@ -34,3 +34,4 @@ CVE-2017-18264.patch CVE-2018-19970.patch CVE-2018-19968.patch +CVE-2019-6799.patch
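Review bot: the debian/changelog entry still targets UNRELEASED; before upload it needs to read jessie-security like the deb8u4 entry just below it, otherwise dput/dak will reject or misfile it. The one-line description "information leak (arbitrary file read) using SQL queries" is fine, but since the DBIMysql change below turns a default php5-mysql setup into a fatal error page, the changelog (or a debian/NEWS entry) should say so and tell admins to set mysql.allow_local_infile = Off or install php5-mysqli.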
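Review bot: in the DEP-3 header of CVE-2019-6799.patch, "applies php5-mysqlnd but not php5-mysql" should read "applies to php5-mysqlnd but not to php5-mysql". The header says the patch is based on three upstream commits but carries no Origin: field; add "Origin: backport, <first commit URL>" so the provenance is machine-readable, and spell out the assumption that the LDI import plugin only ever passes its own upload path to LOAD DATA, because the whole design (re-enabling LOCAL INFILE whenever format=ldi is posted) rests on it and this diff does not show that code.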
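Review bot: in the import.php hunk, PMA_ENABLE_LDI is defined purely from a client-supplied POST parameter, so any authenticated user can re-enable LOCAL INFILE on their connection by posting format=ldi; that is only acceptable if the LDI plugin never lets the user pick the file name, which is worth stating in the patch header. Use a strict comparison (`$_POST['format'] === 'ldi'`) to avoid PHP's loose-equality surprises, and keep the block where it is, above the "Get the variables sent or posted to this script and a core script" comment: the constant is read by the DBIMysqli hunks at connect time, so it must exist before the core includes open the connection.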
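Review bot: the DBIMysql.class.php hunk aborts every connection when mysql.allow_local_infile is truthy, and that setting defaults to 1, so a stock php5-mysql Jessie install will show nothing but the PMA_fatalError page until the admin edits php.ini (the option is PHP_INI_SYSTEM, so phpMyAdmin cannot flip it itself). The patch header notes that open_basedir already fully disables LOAD DATA LOCAL INFILE for php5-mysql; either limit the check to the case where ini_get('open_basedir') is empty, or keep the hard failure and document it in debian/NEWS as a deliberate regression. ini_get() on a php.ini value of Off returns an empty string, so the truthiness test itself is correct.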
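Review bot: the first DBIMysqli.class.php hunk's comment "CVE-2019-6799 for php5-mysql (non-nd)" names the wrong extension: this file is only reached through mysqli.so, so it means php5-mysqli built against libmysqlclient rather than mysqlnd. Rewording it, and collapsing the duplicated if/else into `$ldi = defined('PMA_ENABLE_LDI');` followed by `mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, $ldi);`, would make the pre-connect and post-connect calls obviously identical.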
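Review bot: the second DBIMysqli.class.php hunk repeats the mysqli_options() call after the connection succeeds but does not check its return value, so if it fails the connection is handed to postConnect() with LOCAL INFILE in whatever state the library left it; test the result and fail the connection like the php5-mysql path does. The inline comment should also cite https://bugs.php.net/bug.php?id=77496 (already in the header) as the reason the pre-connect call is not enough under mysqlnd, so a later maintainer does not remove the apparently redundant second call.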
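A fuller version of the test sketched in the mail above, written as an added example rather than anything from the original message or the debdiff. It exercises the arbitrary-query path in the phpMyAdmin SQL tab; the database name lts_ldi_test, the LONGTEXT column type and the use of /etc/passwd as a file assumed to lie outside the configured open_basedir are my own choices:

```sql
-- Run in the phpMyAdmin SQL tab, once per configuration from the list
-- in the mail (php5-mysql vs php5-mysqlnd, open_basedir on vs off).
-- Database name is made up for this test.
CREATE DATABASE lts_ldi_test;
USE lts_ldi_test;
CREATE TABLE test (text LONGTEXT);

-- The file named in the mail. Per the patch header it stays readable
-- under php5-mysqlnd even with open_basedir set, so before the fix this
-- populates the table with the phpMyAdmin database credentials.
LOAD DATA LOCAL INFILE '/etc/phpmyadmin/config-db.php'
  INTO TABLE test (text);

-- After the fix the statement must be refused on the client side and
-- the table must stay empty: expect leaked_lines = 0.
SELECT COUNT(*) AS leaked_lines FROM test;

-- Control: a file assumed to be outside open_basedir. If this fails
-- while config-db.php succeeded, open_basedir, not the patch, did the
-- blocking, which is the php5-mysqlnd case the header describes.
LOAD DATA LOCAL INFILE '/etc/passwd'
  INTO TABLE test (text);

DROP DATABASE lts_ldi_test;
```

After confirming both LOAD DATA statements are refused on the patched package, also run Table > Import > CSV using LOAD DATA on a small uploaded file: the header says the third upstream commit was backported precisely so that path keeps working, and it is the only route that is supposed to define PMA_ENABLE_LDI.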