From 3a32a5d173da46008ff8ada3e13cc9dff808e8f7d79781dfaca86bcf4a1a35d5 Mon Sep 17 00:00:00 2001
From: Eric Schirra
Date: Mon, 29 Jul 2013 20:47:38 +0000
Subject: [PATCH 1/2] Accepting request 184885 from home:ecsos update to 4.0.4.2
OBS-URL: https://build.opensuse.org/request/show/184885
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/phpMyAdmin?expand=0&rev=67
---
phpMyAdmin-4.0.4.1-all-languages.tar.bz2 | 3 ---
phpMyAdmin-4.0.4.2-all-languages.tar.bz2 | 3 +++
phpMyAdmin.changes | 14 ++++++++++++++
phpMyAdmin.spec | 4 ++--
4 files changed, 19 insertions(+), 5 deletions(-)
delete mode 100644 phpMyAdmin-4.0.4.1-all-languages.tar.bz2
create mode 100644 phpMyAdmin-4.0.4.2-all-languages.tar.bz2
diff --git a/phpMyAdmin-4.0.4.1-all-languages.tar.bz2 b/phpMyAdmin-4.0.4.1-all-languages.tar.bz2
deleted file mode 100644
index faefffc..0000000
--- a/phpMyAdmin-4.0.4.1-all-languages.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bd4f5c8084f9378657a02bb9ec3396db365f98b2a0f7b1a3930d7a116502ea8c
-size 5987530
diff --git a/phpMyAdmin-4.0.4.2-all-languages.tar.bz2 b/phpMyAdmin-4.0.4.2-all-languages.tar.bz2
new file mode 100644
index 0000000..9ff5654
--- /dev/null
+++ b/phpMyAdmin-4.0.4.2-all-languages.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aadbe787db33c6da6abfddfd8b16b4adbb2beb204558db88970347f3b8f699e9
+size 5768927
diff --git a/phpMyAdmin.changes b/phpMyAdmin.changes
index caf32ac..0edc79a 100644
--- a/phpMyAdmin.changes
+++ b/phpMyAdmin.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Mon Jul 29 20:20:03 UTC 2013 - ecsos@schirra.net
+
+- update to 4.0.4.2 (2013-07-28)
+ - [security] Fix stored XSS in Server status monitor, see PMASA-2013-9
+ - [security] Fix stored XSS in navigation panel logo link, see PMASA-2013-9
+ - [security] Fix self-XSS in setup, trusted proxies validation, see PMASA-2013-9
+ - [security] Fix full path disclosure, see PMASA-2013-12
+ - [security] Fix control user SQL injection in pmd_pdf.php, see PMASA-2013-15
+ - [security] Fix control user SQL injection in schema_export.php, see PMASA-2013-15
+ - [security] Fix self-XSS in schema export, see PMASA-2013-14
+ - [security] Fix unencoded json object, see PMASA-2013-11
+ - [security] Fix stored XSS in link transformation plugin, see PMASA-2013-13
+
 -------------------------------------------------------------------
 Wed Jul 3 21:40:23 UTC 2013 - obs@ladisch.de
diff --git a/phpMyAdmin.spec b/phpMyAdmin.spec
index 070c227..4250640 100644
--- a/phpMyAdmin.spec
+++ b/phpMyAdmin.spec
@@ -34,7 +34,7 @@ Name: phpMyAdmin
 Summary: Administration of MySQL over the web
 License: GPL-2.0+
 Group: Productivity/Networking/Web/Frontends
-Version: 4.0.4.1
+Version: 4.0.4.2
 Release: 0
 Url: http://www.phpMyAdmin.net
 Source0: %{name}-%{version}-all-languages.tar.bz2
@@ -105,7 +105,7 @@ find . -type d -exec chmod 755 {} \;
 find . -type f -exec chmod 644 {} \;
 find . -type f -name '*.orig' -exec rm {} \;
 #rm lang/*.sh
-%{__rm} libraries/.htaccess
+#%%{__rm} libraries/.htaccess
 %build
From 67da26ad23283818878b0ea7600ea81bb10a817cddb9165e7dc01ca2d260ec46 Mon Sep 17 00:00:00 2001
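Review bot: The `%{__rm} libraries/.htaccess` line in %prep is only commented out (`#%%{__rm} libraries/.htaccess`), and neither the commit message nor the changelog hunk in this same patch records that the package now ships libraries/.htaccess instead of stripping it. If the intent is to keep upstream's per-directory rule for the library files (presumably a deny-all for direct HTTP access — verify in the 4.0.4.2 tarball), note that a .htaccess file is only honoured when the vhost permits overrides (AllowOverride), so a packaged Apache snippet carrying the equivalent `Require all denied` / `Deny from all` directive is the dependable place for that protection. A changelog line such as `- no longer remove libraries/.htaccess in %prep` would make the packaging change visible to other maintainers. The %prep section continues outside the hunk.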
From: Christian Wittmer
Date: Mon, 29 Jul 2013 20:55:25 +0000
Subject: [PATCH 2/2] Accepting request 184887 from home:computersalat:devel:php update to 4.0.4.2, fix for bnc#831896
OBS-URL: https://build.opensuse.org/request/show/184887
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/phpMyAdmin?expand=0&rev=68
---
phpMyAdmin-config.patch | 65 ++++++++++++++++++++++-------------------
phpMyAdmin.changes | 28 +++++++++++-------
phpMyAdmin.spec | 2 --
3 files changed, 53 insertions(+), 42 deletions(-)
diff --git a/phpMyAdmin-config.patch b/phpMyAdmin-config.patch
index 4806d4d..2799bbd 100644
--- a/phpMyAdmin-config.patch
+++ b/phpMyAdmin-config.patch
@@ -1,5 +1,7 @@
---- config.sample.inc.php.orig 2013-05-03 14:16:36.000000000 +0200
-+++ config.sample.inc.php 2013-05-03 20:13:46.549034257 +0200
+Index: config.sample.inc.php
+===================================================================
+--- config.sample.inc.php.orig
++++ config.sample.inc.php
 @@ -11,10 +11,51 @@
  */
@@ -22,20 +24,20 @@ + * $cfg['PmaAbsoluteUri_DisableWarning'] variable below. + */ +$cfg['PmaAbsoluteUri'] = ''; -+ ++ +/* * This is needed for cookie based authentication to encrypt password in * cookie + * YOU MUST FILL IN THIS FOR COOKIE AUTH! - */ --$cfg['blowfish_secret'] = 'a8b7c6d'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */ ++ */ +$cfg['blowfish_secret'] = ''; + +/* + * Disable the default warning about $cfg['PmaAbsoluteUri'] not being set + * You should use this if and ONLY if the PmaAbsoluteUri auto-detection + * works perfectly. -+ */ + */ +-$cfg['blowfish_secret'] = 'a8b7c6d'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */ +$cfg['PmaAbsoluteUri_DisableWarning'] = false; + +/* 
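Review bot: The regenerated patch still ships `$cfg['blowfish_secret'] = '';` (kept as context in the `@@ -22,20 +24,20 @@` hunk), so every installation starts with an empty cookie-encryption secret and relies on the admin noticing the `YOU MUST FILL IN THIS FOR COOKIE AUTH!` comment. Replacing upstream's shared placeholder `'a8b7c6d'` with an empty string is the right direction, since a value common to every install is no secret, but as far as I recall phpMyAdmin 4.0 then falls back to an auto-generated, session-bound secret plus a warning, which is weaker than a fixed per-host value — worth confirming against the 4.0.4.2 tree. A packaging-side improvement would be to substitute a random value into the installed config at install time (e.g. in `%post`, only while the value is still empty) so the default is never blank. The rest of this hunk only reorders the blowfish/PmaAbsoluteUri comment blocks and strips trailing whitespace; the inner config.sample.inc.php hunk it belongs to starts outside the outer hunk.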
@@ -133,30 +135,12 @@ * phpMyAdmin configuration storage settings. */ +$cfg['Servers'][$i]['controlhost'] = ''; - --/* User used to manipulate with storage */ --// $cfg['Servers'][$i]['controlhost'] = ''; --// $cfg['Servers'][$i]['controluser'] = 'pma'; --// $cfg['Servers'][$i]['controlpass'] = 'pmapass'; ++ +// MySQL control user settings (this user must have read-only +// access to the "mysql/user" and "mysql/db" tables). +// The controluser is also used for all relational features (pmadb) +$cfg['Servers'][$i]['controluser'] = ''; - --/* Storage database and tables */ --// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin'; --// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark'; --// $cfg['Servers'][$i]['relation'] = 'pma__relation'; --// $cfg['Servers'][$i]['table_info'] = 'pma__table_info'; --// $cfg['Servers'][$i]['table_coords'] = 'pma__table_coords'; --// $cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages'; --// $cfg['Servers'][$i]['column_info'] = 'pma__column_info'; --// $cfg['Servers'][$i]['history'] = 'pma__history'; --// $cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs'; --// $cfg['Servers'][$i]['tracking'] = 'pma__tracking'; --// $cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords'; --// $cfg['Servers'][$i]['userconfig'] = 'pma__userconfig'; --// $cfg['Servers'][$i]['recent'] = 'pma__recent'; ++ +// The password needed for the controluser to login +// (see $cfg['Servers'][$i]['controluser']) +$cfg['Servers'][$i]['controlpass'] = ''; 
@@ -235,7 +219,26 @@ +// used tables, but it will disappear after you logout. +// DEFAULT: 'pma_recent' +$cfg['Servers'][$i]['recent'] = 'pma_recent'; -+ + +-/* User used to manipulate with storage */ +-// $cfg['Servers'][$i]['controlhost'] = ''; +-// $cfg['Servers'][$i]['controluser'] = 'pma'; +-// $cfg['Servers'][$i]['controlpass'] = 'pmapass'; +- +-/* Storage database and tables */ +-// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin'; +-// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark'; +-// $cfg['Servers'][$i]['relation'] = 'pma__relation'; +-// $cfg['Servers'][$i]['table_info'] = 'pma__table_info'; +-// $cfg['Servers'][$i]['table_coords'] = 'pma__table_coords'; +-// $cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages'; +-// $cfg['Servers'][$i]['column_info'] = 'pma__column_info'; +-// $cfg['Servers'][$i]['history'] = 'pma__history'; +-// $cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs'; +-// $cfg['Servers'][$i]['tracking'] = 'pma__tracking'; +-// $cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords'; +-// $cfg['Servers'][$i]['userconfig'] = 'pma__userconfig'; +-// $cfg['Servers'][$i]['recent'] = 'pma__recent'; /* Contrib / Swekey authentication */ -// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf'; +// The name of the file containing Swekey ids and login names for @@ -276,7 +279,7 @@ /* + * phpMyAdmin configuration storage settings. + */ -+ ++ +/* +$cfg['Servers'][$i]['controlhost'] = ''; +$cfg['Servers'][$i]['controluser'] = ''; @@ -312,8 +315,10 @@ * End of servers configuration */ ---- libraries/vendor_config.php.orig 2013-05-03 14:16:36.000000000 +0200 -+++ libraries/vendor_config.php 2013-05-03 19:57:54.344938439 +0200 +Index: libraries/vendor_config.php +=================================================================== +--- libraries/vendor_config.php.orig ++++ libraries/vendor_config.php 
@@ -17,18 +17,18 @@ if (! defined('PHPMYADMIN')) { * Path to changelog file, can be gzip compressed. Useful when you want to * have documentation somewhere else, eg. /usr/share/doc.
diff --git a/phpMyAdmin.changes b/phpMyAdmin.changes
index 0edc79a..a0806e9 100644
--- a/phpMyAdmin.changes
+++ b/phpMyAdmin.changes
@@ -1,16 +1,24 @@
 -------------------------------------------------------------------
-Mon Jul 29 20:20:03 UTC 2013 - ecsos@schirra.net
+Mon Jul 29 20:07:45 UTC 2013 - chris@computersalat.de
+- fix for bnc#831896
+ * multiple XSS issues (+ a SQL injection and full path disclosure flaw)
+ * fix for PMASA-2013-9 (CWE-661 CWE-79 CWE-80)
+ * fix for PMASA-2013-11 (CWE-300 CWE-79)
+ * fix for PMASA-2013-12 (CWE-661 CWE-200)
+ * fix for PMASA-2013-13 (CWE-661 CWE-79 CWE-80)
+ * fix for PMASA-2013-14 (CWE-661 CWE-79)
+ * fix for PMASA-2013-15 (CWE-661 CWE-89 CWE-269)
 - update to 4.0.4.2 (2013-07-28)
- - [security] Fix stored XSS in Server status monitor, see PMASA-2013-9
- - [security] Fix stored XSS in navigation panel logo link, see PMASA-2013-9
- - [security] Fix self-XSS in setup, trusted proxies validation, see PMASA-2013-9
- - [security] Fix full path disclosure, see PMASA-2013-12
- - [security] Fix control user SQL injection in pmd_pdf.php, see PMASA-2013-15
- - [security] Fix control user SQL injection in schema_export.php, see PMASA-2013-15
- - [security] Fix self-XSS in schema export, see PMASA-2013-14
- - [security] Fix unencoded json object, see PMASA-2013-11
- - [security] Fix stored XSS in link transformation plugin, see PMASA-2013-13
+ * [security] Fix stored XSS in Server status monitor, see PMASA-2013-9
+ * [security] Fix stored XSS in navigation panel logo link, see PMASA-2013-9
+ * [security] Fix self-XSS in setup, trusted proxies validation, see PMASA-2013-9
+ * [security] Fix full path disclosure, see PMASA-2013-12
+ * [security] Fix control user SQL injection in pmd_pdf.php, see PMASA-2013-15
+ * [security] Fix control user SQL injection in schema_export.php, see PMASA-2013-15
+ * [security] Fix self-XSS in schema export, see PMASA-2013-14
+ * [security] Fix unencoded json object, see PMASA-2013-11
+ * [security] Fix stored XSS in link transformation plugin, see PMASA-2013-13
 -------------------------------------------------------------------
 Wed Jul 3 21:40:23 UTC 2013 - obs@ladisch.de
diff --git a/phpMyAdmin.spec b/phpMyAdmin.spec
index 4250640..04d9028 100644
--- a/phpMyAdmin.spec
+++ b/phpMyAdmin.spec
@@ -104,8 +104,6 @@ Currently phpMyAdmin can:
 find . -type d -exec chmod 755 {} \;
 find . -type f -exec chmod 644 {} \;
 find . -type f -name '*.orig' -exec rm {} \;
-#rm lang/*.sh
-#%%{__rm} libraries/.htaccess
 %build