From 350ad5dd558dc7d4e6d1cb7cf1a55a58d4036924 Mon Sep 17 00:00:00 2001 From: Liu Jian Date: Wed, 20 Jan 2016 17:36:46 +0800 Subject: phpmyadmin: CVE-2015-8669 libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12, 4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. This patch is from https://github.com/phpmyadmin/phpmyadmin/commit/c4d649325b25139d7c097e56e2e46cc7187fae45 Signed-off-by: Jian Liu Signed-off-by: Martin Jansa --- .../phpmyadmin/phpmyadmin-CVE-2015-8669.patch | 18 ++++++++++++++++++ .../recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb | 4 +++- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2015-8669.patch (limited to 'meta-webserver/recipes-php') diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2015-8669.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2015-8669.patch new file mode 100644 index 0000000000..65fff6455e --- /dev/null +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2015-8669.patch @@ -0,0 +1,18 @@ +[Security] Path disclosure, see PMASA-2015-6 + +Upstream-Status: Bacport + +Signed-off-by: Marc Delisle + +diff -Nur phpMyAdmin-4.5.0.2-all-languages.orig/libraries/config/messages.inc.php phpMyAdmin-4.5.0.2-all-languages/libraries/config/messages.inc.php +--- phpMyAdmin-4.5.0.2-all-languages.orig/libraries/config/messages.inc.php 2016-01-20 15:11:15.410106888 +0800 ++++ phpMyAdmin-4.5.0.2-all-languages/libraries/config/messages.inc.php 2016-01-20 15:14:05.758108076 +0800 +@@ -11,7 +11,7 @@ + */ + + if (!function_exists('__')) { +- PMA_fatalError('Bad invocation!'); ++ exit(); + } + + $strConfigAllowArbitraryServer_desc = __( diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb index 9297d0c231..b8faf1273c 100644 --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb @@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/4.5.0.2/phpMyAdmin-4.5.0.2-all-languages.tar.xz \ file://Port-content-spoofing-fix-CVE-2015-7873.patch \ - file://apache.conf" + file://apache.conf \ + file://phpmyadmin-CVE-2015-8669.patch \ +" SRC_URI[md5sum] = "2d08d2fcc8f70f88a11a14723e3ca275" SRC_URI[sha256sum] = "d2e90ea486d90b4ebe5eb02d7ad349ad2916c12a8981f98553395ef78d22a8ec" -- cgit 1.2.3-korg