diff --git a/phpMyAdmin-4.4.15.10-pmasa-2017-8.patch b/phpMyAdmin-4.4.15.10-pmasa-2017-8.patch
new file mode 100644
index 0000000..f6c30f0
--- /dev/null
+++ b/phpMyAdmin-4.4.15.10-pmasa-2017-8.patch
@@ -0,0 +1,23 @@
+Backported patch for phpMyAdmin 4.4.x; a vulnerability was discovered where the restrictions
+caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions.
+This can allow the login of users who have no password set even if the administrator has set
+$cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default).
+
+This behavior depends on the PHP version used (it seems PHP 5 is affected, while PHP 7.0 is not).
+
+Further details:
+ - https://www.phpmyadmin.net/security/PMASA-2017-8/
+ - https://github.com/phpmyadmin/phpmyadmin/commit/b6ca92cc75c8a16001425be7881e73430bcc35b8
+ - https://github.com/phpmyadmin/phpmyadmin/commit/7232271a379396ca1d4b083af051262057003c41
+
+--- phpMyAdmin-4.4.15.10/libraries/common.inc.php 2017-01-23 20:08:47.000000000 +0100
++++ phpMyAdmin-4.4.15.10/libraries/common.inc.php.pmasa-2017-8 2017-06-26 01:52:03.000000000 +0200
+@@ -858,7 +858,7 @@
+ . ' ' . $cfg['Server']['auth_type']
+ );
+ }
+- if (isset($_REQUEST['pma_password'])) {
++ if (isset($_REQUEST['pma_password']) && strlen($_REQUEST['pma_password']) > 256) {
+ $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256);
+ }
+ include_once './libraries/plugins/auth/' . $auth_class . '.class.php';
diff --git a/phpMyAdmin.spec b/phpMyAdmin.spec
index ae08fc2..0f42df7 100644
--- a/phpMyAdmin.spec
+++ b/phpMyAdmin.spec
@@ -18,7 +18,7 @@ Summary: Handle the administration of MySQL over the World Wide Web
 Name: phpMyAdmin
 Version: 4.4.15.10
-Release: 1%{?dist}
+Release: 2%{?dist}
 # MIT (js/jquery/, js/canvg/, js/codemirror/, libraries/sql-formatter/),
 # BSD (libraries/plugins/auth/recaptcha/),
 # GPLv2+ (the rest)
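Review bot: The new condition on the `++ if (isset($_REQUEST['pma_password']) && strlen($_REQUEST['pma_password']) > 256) {` line of the embedded common.inc.php hunk carries no in-code explanation of why the truncation must be conditional, so a later cleanup could fold it back into an unconditional substr() and silently reintroduce the PMASA-2017-8 bypass that this whole patch exists to close. Presumably the underlying cause is that substr() on an empty string returns false rather than '' on PHP 5 (consistent with the header's note that PHP 5 is affected and 7.0 is not), after which an empty password no longer looks empty to the AllowNoPassword check; the patch header links the advisory but the code itself will be what survives a rebase. I would add `// PMASA-2017-8: truncate only over-long values; substr() on '' returns false on PHP 5, which defeated the AllowNoPassword check` directly above the if. The enclosing block of common.inc.php starts and ends outside the hunk.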
@@ -30,6 +30,7 @@ Source1: https://files.phpmyadmin.net/%{name}/%{version}/%{name}-%{version}-all-
 Source2: phpMyAdmin-config.inc.php
 Source3: phpMyAdmin.htaccess
 Source4: phpMyAdmin.nginx
+Patch0: phpMyAdmin-4.4.15.10-pmasa-2017-8.patch
 # Optional (and partially redundant) runtime requirements: php-bcmath, php-gmp, php-recode, php-soap,
 # php-mcrypt, php-phpseclib-crypt-aes >= 2.0.0, php-phpseclib-crypt-random >= 2.0.0
 Requires: php(language) >= 5.3.7, php-filter, php-xmlwriter
@@ -79,6 +80,7 @@ like displaying BLOB-data as image or download-link and much more...
 %prep
 %setup -q -n %{pkgname}-%{version}-all-languages
+%patch0 -p1
 # Setup vendor config file
 sed -e "/'CHANGELOG_FILE'/s@./ChangeLog@%{_pkgdocdir}/ChangeLog@" \
@@ -167,6 +169,9 @@ sed -e "/'blowfish_secret'/s/MUSTBECHANGEDONINSTALL/$(cat /dev/urandom | tr -dc
 %dir %attr(0750,apache,apache) %{_localstatedir}/lib/%{pkgname}/config/
 %changelog
+* Mon Jun 26 2017 Robert Scheck 4.4.15.10-2
+- Added backported patch for PMASA-2017-8 (#1437828, #1464267)
+
 * Thu Feb 23 2017 Robert Scheck 4.4.15.10-1
 - Upgrade to 4.4.15.10 (#1415405, #1424968, #1415995, #1415996, #1415997, #1415998, #1415999, #1416000, #1416004)