Accepting request 184888 from server:php:applications

update to 4.0.4.2, fix for bnc#831896 (forwarded request 184887 from computersalat) OBS-URL: https://build.opensuse.org/request/show/184888 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/phpMyAdmin?expand=0&rev=39
2013-07-30 14:47:15 +00:00 · 2013-07-30 14:47:15 +00:00 · b71e7e4996
commit b71e7e4996
parent 70951d5af2 67da26ad23
5 changed files with 61 additions and 36 deletions
--- a/phpMyAdmin-4.0.4.1-all-languages.tar.bz2
+++ b/phpMyAdmin-4.0.4.1-all-languages.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bd4f5c8084f9378657a02bb9ec3396db365f98b2a0f7b1a3930d7a116502ea8c
-size 5987530
--- a/phpMyAdmin-4.0.4.2-all-languages.tar.bz2
+++ b/phpMyAdmin-4.0.4.2-all-languages.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aadbe787db33c6da6abfddfd8b16b4adbb2beb204558db88970347f3b8f699e9
+size 5768927
--- a/phpMyAdmin-config.patch
+++ b/phpMyAdmin-config.patch
@ -1,5 +1,7 @@
--- config.sample.inc.php.orig	2013-05-03 14:16:36.000000000 +0200
-+++ config.sample.inc.php	2013-05-03 20:13:46.549034257 +0200
+Index: config.sample.inc.php
+===================================================================
+--- config.sample.inc.php.orig
+++ config.sample.inc.php
@@ -11,10 +11,51 @@
  */
 
@ -22,20 +24,20 @@
 + * $cfg['PmaAbsoluteUri_DisableWarning'] variable below.
 + */
 +$cfg['PmaAbsoluteUri'] = '';
-+ 
+
 +/*
  * This is needed for cookie based authentication to encrypt password in
  * cookie
 + * YOU MUST FILL IN THIS FOR COOKIE AUTH!
-  */
-$cfg['blowfish_secret'] = 'a8b7c6d'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
+ */
 +$cfg['blowfish_secret'] = '';
 +
 +/*
 + * Disable the default warning about $cfg['PmaAbsoluteUri'] not being set
 + * You should use this if and ONLY if the PmaAbsoluteUri auto-detection
 + * works perfectly.
-+ */
+  */
+-$cfg['blowfish_secret'] = 'a8b7c6d'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
 +$cfg['PmaAbsoluteUri_DisableWarning'] = false;
 +
 +/*
@ -133,30 +135,12 @@
  * phpMyAdmin configuration storage settings.
  */
 +$cfg['Servers'][$i]['controlhost']         = '';
- 
-/* User used to manipulate with storage */
-// $cfg['Servers'][$i]['controlhost'] = '';
-// $cfg['Servers'][$i]['controluser'] = 'pma';
-// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
+
 +// MySQL control user settings (this user must have read-only
 +// access to the "mysql/user" and "mysql/db" tables).
 +// The controluser is also used for all relational features (pmadb)
 +$cfg['Servers'][$i]['controluser']         = '';
- 
-/* Storage database and tables */
-// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
-// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
-// $cfg['Servers'][$i]['relation'] = 'pma__relation';
-// $cfg['Servers'][$i]['table_info'] = 'pma__table_info';
-// $cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
-// $cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
-// $cfg['Servers'][$i]['column_info'] = 'pma__column_info';
-// $cfg['Servers'][$i]['history'] = 'pma__history';
-// $cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
-// $cfg['Servers'][$i]['tracking'] = 'pma__tracking';
-// $cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';
-// $cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
-// $cfg['Servers'][$i]['recent'] = 'pma__recent';
+
 +// The password needed for the controluser to login
 +// (see $cfg['Servers'][$i]['controluser'])
 +$cfg['Servers'][$i]['controlpass']         = '';
@ -235,7 +219,26 @@
 +// used tables, but it will disappear after you logout.
 +//   DEFAULT: 'pma_recent'
 +$cfg['Servers'][$i]['recent']              = 'pma_recent';
-+ 
+ 
+-/* User used to manipulate with storage */
+-// $cfg['Servers'][$i]['controlhost'] = '';
+-// $cfg['Servers'][$i]['controluser'] = 'pma';
+-// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
+-
+-/* Storage database and tables */
+-// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
+-// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
+-// $cfg['Servers'][$i]['relation'] = 'pma__relation';
+-// $cfg['Servers'][$i]['table_info'] = 'pma__table_info';
+-// $cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
+-// $cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
+-// $cfg['Servers'][$i]['column_info'] = 'pma__column_info';
+-// $cfg['Servers'][$i]['history'] = 'pma__history';
+-// $cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
+-// $cfg['Servers'][$i]['tracking'] = 'pma__tracking';
+-// $cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';
+-// $cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
+-// $cfg['Servers'][$i]['recent'] = 'pma__recent';
 /* Contrib / Swekey authentication */
 -// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf';
 +// The name of the file containing Swekey ids and login names for
@ -276,7 +279,7 @@
 /*
 + * phpMyAdmin configuration storage settings.
 + */
-+ 
+
 +/*
 +$cfg['Servers'][$i]['controlhost']         = '';
 +$cfg['Servers'][$i]['controluser']         = '';
@ -312,8 +315,10 @@
  * End of servers configuration
  */
 
--- libraries/vendor_config.php.orig	2013-05-03 14:16:36.000000000 +0200
-+++ libraries/vendor_config.php	2013-05-03 19:57:54.344938439 +0200
+Index: libraries/vendor_config.php
+===================================================================
+--- libraries/vendor_config.php.orig
+++ libraries/vendor_config.php
@@ -17,18 +17,18 @@ if (! defined('PHPMYADMIN')) {
  * Path to changelog file, can be gzip compressed. Useful when you want to
  * have documentation somewhere else, eg. /usr/share/doc.
--- a/phpMyAdmin.changes
+++ b/phpMyAdmin.changes
@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Mon Jul 29 20:07:45 UTC 2013 - chris@computersalat.de
+
+- fix for bnc#831896
+  * multiple XSS issues (+ a SQL injection and full path disclosure flaw)
+  * fix for PMASA-2013-9 (CWE-661 CWE-79 CWE-80)
+  * fix for PMASA-2013-11 (CWE-300 CWE-79)
+  * fix for PMASA-2013-12 (CWE-661 CWE-200)
+  * fix for PMASA-2013-13 (CWE-661 CWE-79 CWE-80)
+  * fix for PMASA-2013-14 (CWE-661 CWE-79)
+  * fix for PMASA-2013-15 (CWE-661 CWE-89 CWE-269)
+- update to 4.0.4.2 (2013-07-28)
+  * [security] Fix stored XSS in Server status monitor, see PMASA-2013-9
+  * [security] Fix stored XSS in navigation panel logo link, see PMASA-2013-9
+  * [security] Fix self-XSS in setup, trusted proxies validation, see PMASA-2013-9
+  * [security] Fix full path disclosure, see PMASA-2013-12
+  * [security] Fix control user SQL injection in pmd_pdf.php, see PMASA-2013-15
+  * [security] Fix control user SQL injection in schema_export.php, see PMASA-2013-15
+  * [security] Fix self-XSS in schema export, see PMASA-2013-14
+  * [security] Fix unencoded json object, see PMASA-2013-11
+  * [security] Fix stored XSS in link transformation plugin, see PMASA-2013-13
+
 -------------------------------------------------------------------
 Wed Jul  3 21:40:23 UTC 2013 - obs@ladisch.de

--- a/phpMyAdmin.spec
+++ b/phpMyAdmin.spec
@ -34,7 +34,7 @@ Name:           phpMyAdmin
 Summary:        Administration of MySQL over the web
 License:        GPL-2.0+
 Group:          Productivity/Networking/Web/Frontends
-Version:        4.0.4.1
+Version:        4.0.4.2
 Release:        0
 Url:            http://www.phpMyAdmin.net
 Source0:        %{name}-%{version}-all-languages.tar.bz2
@ -104,8 +104,6 @@ Currently phpMyAdmin can:
 find . -type d -exec chmod 755 {} \;
 find . -type f -exec chmod 644 {} \;
 find . -type f -name '*.orig' -exec rm {} \;
-#rm lang/*.sh
-%{__rm} libraries/.htaccess

 %build