From 034c444daf2ccb60155386b3ef3691faa87662c688f0ebb4ba5191ffac0b9fd4 Mon Sep 17 00:00:00 2001 From: Christian Wittmer Date: Fri, 3 Nov 2023 11:01:53 +0000 Subject: [PATCH] Accepting request 1123213 from home:computersalat:devel:php Update to 7.14.6, Fix for CVE-2023-40619, boo#1215551 OBS-URL: https://build.opensuse.org/request/show/1123213 OBS-URL: https://build.opensuse.org/package/show/server:php:applications/phpPgAdmin?expand=0&rev=36 --- csrf-samesite-fix.patch | 86 ++----------------- phpPgAdmin-7.13.0.tar.bz2 | 3 - phpPgAdmin-7.14.6-mod.tar.gz | 3 + phpPgAdmin.changes | 13 +++ phpPgAdmin.spec | 19 ++-- phpPgAdmin_appVersion.patch | 13 +++ ...g.inc.patch => phpPgAdmin_config.inc.patch | 2 +- 7 files changed, 50 insertions(+), 89 deletions(-) delete mode 100644 phpPgAdmin-7.13.0.tar.bz2 create mode 100644 phpPgAdmin-7.14.6-mod.tar.gz create mode 100644 phpPgAdmin_appVersion.patch rename phpPgAdmin-config.inc.patch => phpPgAdmin_config.inc.patch (97%) diff --git a/csrf-samesite-fix.patch b/csrf-samesite-fix.patch index 4cfe07a..b50ac93 100644 --- a/csrf-samesite-fix.patch +++ b/csrf-samesite-fix.patch @@ -2,9 +2,9 @@ Index: classes/Misc.php =================================================================== --- classes/Misc.php.orig +++ classes/Misc.php -@@ -1333,6 +1333,10 @@ - $server_info = $this->getServerInfo(); - $reqvars = $this->getRequestVars('table'); +@@ -1354,6 +1354,10 @@ + echo '

', htmlspecialchars($lang['sessionsecuritywarning']), '

'; + } + if (!$conf['extra_session_security']) { + echo '

', htmlspecialchars($lang['sessionsecuritywarning']), '

'; @@ -17,9 +17,9 @@ Index: conf/config.inc.php-dist =================================================================== --- conf/config.inc.php-dist.orig +++ conf/config.inc.php-dist -@@ -89,6 +89,15 @@ - // your browser preference. - $conf['default_lang'] = 'auto'; +@@ -98,6 +98,15 @@ + // to this feature and will be vulnerable to CSRF attacks. + $conf['extra_session_security'] = true; + // If extra session security is true, then PHP's session cookies will have + // SameSite cookie flags set to prevent CSRF attacks. If you're using 
@@ -33,64 +33,6 @@ Index: conf/config.inc.php-dist // AutoComplete uses AJAX interaction to list foreign key values // on insert fields. It currently only works on single column // foreign keys. You can choose one of the following values: -Index: lang/english.php -=================================================================== ---- lang/english.php.orig -+++ lang/english.php -@@ -807,6 +807,7 @@ - $lang['strloading'] = 'Loading...'; - $lang['strerrorloading'] = 'Error Loading'; - $lang['strclicktoreload'] = 'Click to reload'; -+ $lang['sessionsecuritywarning'] = 'You are running phpPgAdmin without session security.'; - - // Autovacuum - $lang['strautovacuum'] = 'Autovacuum'; -Index: libraries/lib.inc.php -=================================================================== ---- libraries/lib.inc.php.orig -+++ libraries/lib.inc.php -@@ -50,11 +50,36 @@ - require_once('./classes/Misc.php'); - $misc = new Misc(); - -- // Start session (if not auto-started) -- if (!ini_get('session.auto_start')) { -- session_name('PPA_ID'); -- session_start(); -- } -+ // Session start: if extra_session_security is on, make sure cookie_samesite -+ // is on (exit if we fail); otherwise, just start the session -+ $our_session_name = 'PPA_ID'; -+ if ($conf['extra_session_security']) { -+ if (version_compare(phpversion(), '7.3', '<')) { -+ exit('PHPPgAdmin cannot be fully secured while running under PHP versions before 7.3. Please upgrade PHP if possible. 
If you cannot upgrade, and you\'re willing to assume the risk of CSRF attacks, you can change the value of "extra_session_security" to false in your config.inc.php file.'); -+ } -+ if (ini_get('session.auto_start')) { -+ // If session.auto_start is on, and the session doesn't have -+ // session.cookie_samesite set, destroy and re-create the session -+ if (session_name() !== $our_session_name) { -+ $setting = strtolower(ini_get('session.cookie_samesite')); -+ if ($setting !== 'lax' && $setting !== 'strict') { -+ session_destroy(); -+ session_name($our_session_name); -+ ini_set('session.cookie_samesite', 'Strict'); -+ session_start(); -+ } -+ } -+ } else { -+ session_name($our_session_name); -+ ini_set('session.cookie_samesite', 'Strict'); -+ session_start(); -+ } -+ } else { -+ if (!ini_get('session.auto_start')) { -+ session_name($our_session_name); -+ session_start(); -+ } -+ } - - // Do basic PHP configuration checks - if (ini_get('magic_quotes_gpc')) { Index: tests/manual/issue-94/README.md =================================================================== --- /dev/null @@ -270,9 +212,9 @@ Index: themes/global.css =================================================================== --- themes/global.css.orig +++ themes/global.css -@@ -72,6 +72,26 @@ body.browser { +@@ -92,6 +92,26 @@ body.browser { + color: #9F6000; } - .ac_values {width:100%} +/** alert banner **/ +.alert-banner { @@ -297,15 +239,3 @@ Index: themes/global.css /** bottom link back to top **/ .bottom_link { position: fixed; -Index: themes/gotar/global.css -=================================================================== ---- themes/gotar/global.css.orig -+++ themes/gotar/global.css -@@ -136,6 +136,7 @@ td.opbutton1 a, td.opbutton2 a { - padding-left:6px; - padding-right:6px; - } -+.alert-banner { margin-top: 0 } - .topbar { border: 0 } - .topbar, .topbar *, .trail, .tab, .crumb { - border: 0; 
diff --git a/phpPgAdmin-7.13.0.tar.bz2 b/phpPgAdmin-7.13.0.tar.bz2 deleted file mode 100644 index 462ed45..0000000 --- a/phpPgAdmin-7.13.0.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:dc9a5d74c49330af65664b3fd145df2b76c63f946e0de86e306b308ad104939c -size 620530 diff --git a/phpPgAdmin-7.14.6-mod.tar.gz b/phpPgAdmin-7.14.6-mod.tar.gz new file mode 100644 index 0000000..ba1c14b --- /dev/null +++ b/phpPgAdmin-7.14.6-mod.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b33282d8c36873dff30a0a56039d31067fcdb2d3274701ec1d79c2d01b5e6e64 +size 1153991 diff --git a/phpPgAdmin.changes b/phpPgAdmin.changes index 1f0b88e..3ef1f31 100644 --- a/phpPgAdmin.changes +++ b/phpPgAdmin.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Fri Nov 3 10:58:05 UTC 2023 - chris@computersalat.de + +- Update to 7.14.6 + * fix for CVE-2023-40619 (boo#1215551) + * no real ChangeLog available +- Changed to fork 'ReimuHakurei' +- rebased patches + * csrf-samesite-fix.patch + * phpPgAdmin_config.inc.patch +- rename phpPgAdmin-config.inc.patch to phpPgAdmin_config.inc.patch +- add phpPgAdmin_appVersion.patch (remove suffix '-mod') + ------------------------------------------------------------------- Mon Feb 13 10:55:19 UTC 2023 - ecsos diff --git a/phpPgAdmin.spec b/phpPgAdmin.spec index 23b0f21..44de9ba 100644 --- a/phpPgAdmin.spec +++ b/phpPgAdmin.spec @@ -18,6 +18,7 @@ Name: phpPgAdmin +%define lc_prj ReimuHakurei %define lc_name phppgadmin %define ap_docroot_old %{apache_serverroot}/htdocs %define ap_docroot %{_datadir} 
@@ -26,14 +27,17 @@ Name: phpPgAdmin Summary: Administration of PostgreSQL over the web License: GPL-2.0-or-later Group: Productivity/Databases/Tools -Version: 7.13.0 +Version: 7.14.6 Release: 0 -%define rel_version REL_7-13-0 -URL: http://phppgadmin.sourceforge.net -Source0: https://github.com/%{lc_name}/%{lc_name}/releases/download/%{rel_version}/%{name}-%{version}.tar.bz2 +%define rel_version REL_7-14-6 +#URL: https://github.com/phppgadmin/phppgadmin +#Source0: https://github.com/%{lc_name}/%{lc_name}/releases/download/%{rel_version}/%{name}-%{version}.tar.bz2 +URL: https://github.com/ReimuHakurei/phpPgAdmin +Source0: %{name}-%{version}-mod.tar.gz Source1: %{name}.http Source2: %{name}.http.inc -Patch0: %{name}-config.inc.patch +Patch0: %{name}_config.inc.patch +Patch10: %{name}_appVersion.patch Patch100: csrf-samesite-fix.patch BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -49,7 +53,7 @@ perfect for PostgreSQL DBAs, newbies and hosting services. Features * Administer multiple servers -* Support for PostgreSQL 9.x.x, 10.x, 11.x, 12.x +* Support for PostgreSQL 9.x.x, 10.x, 11.x, 12.x, 14.x * Manage all aspects of: o Users & groups o Databases @@ -83,8 +87,9 @@ Supplements: packageand(apache2:%name) This subpackage contains the Apache configuration files %prep -%setup -q +%setup -q -n %{name}-%{version}-mod %patch0 +%patch10 %patch100 ### remove not needed files diff --git a/phpPgAdmin_appVersion.patch b/phpPgAdmin_appVersion.patch new file mode 100644 index 0000000..cb639b9 --- /dev/null +++ b/phpPgAdmin_appVersion.patch @@ -0,0 +1,13 @@ +Index: libraries/lib.inc.php +=================================================================== +--- libraries/lib.inc.php.orig ++++ libraries/lib.inc.php +@@ -16,7 +16,7 @@ + $appName = 'phpPgAdmin'; + + // Application version +- $appVersion = '7.14.6-mod'; ++ $appVersion = '7.14.6'; + + // PostgreSQL and PHP minimum version + global $postgresqlMinVer; 
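Review bot: `Source0: %{name}-%{version}-mod.tar.gz` replaces a full download URL with a bare local file name, so nothing in the spec records where the tarball came from or which tag or commit of the ReimuHakurei fork it corresponds to, which makes the CVE-2023-40619 fix unverifiable from the package sources alone. The newly added `%define lc_prj ReimuHakurei` is not used by any visible hunk while `URL:` hard-codes the same name, which suggests the intent was a macro-based Source0 such as `Source0: https://github.com/%{lc_prj}/%{name}/archive/<tag-or-commit>.tar.gz` (adjust to whatever the fork actually publishes). If the -mod tarball must stay local, add a comment above Source0 naming the upstream commit and how the tarball was produced, since moving from the phppgadmin project to a personal fork is a supply-chain trust decision that future maintainers need to be able to re-check.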
diff --git a/phpPgAdmin-config.inc.patch b/phpPgAdmin_config.inc.patch similarity index 97% rename from phpPgAdmin-config.inc.patch rename to phpPgAdmin_config.inc.patch index 4274e8c..15b2f19 100644 --- a/phpPgAdmin-config.inc.patch +++ b/phpPgAdmin_config.inc.patch @@ -2,7 +2,7 @@ Index: libraries/lib.inc.php =================================================================== --- libraries/lib.inc.php.orig +++ libraries/lib.inc.php -@@ -27,12 +27,12 @@ +@@ -28,12 +28,12 @@ exit(sprintf('Version of PHP not supported. Please upgrade to version %s or later.', $phpMinVer)); // Check to see if the configuration file exists, if not, explain