Add fixes for the security vulnerabilities reported in CVE-2010-4480 and
CVE-2010-4481 taken from the phpMyAdmin GIT repository. Thanks a lot to Tim Zingelman for pointing out that the fixes had finally been made available.
This commit is contained in:
parent
01b65be373
commit
dddbf0533e
7 changed files with 144 additions and 4 deletions
|
@ -1,7 +1,8 @@
|
|||
# $NetBSD: Makefile,v 1.85 2010/11/29 19:13:30 tron Exp $
|
||||
# $NetBSD: Makefile,v 1.86 2011/01/27 13:45:55 tron Exp $
|
||||
|
||||
DISTNAME= phpMyAdmin-${DIST_VERSION}-all-languages
|
||||
PKGNAME= phpmyadmin-${DIST_VERSION:S/-//}
|
||||
PKGREVISION= 1
|
||||
CATEGORIES= databases www
|
||||
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=phpmyadmin/}
|
||||
EXTRACT_SUFX= .tar.bz2
|
||||
|
@ -55,6 +56,10 @@ INSTALL_DIRS= js lang libraries libraries/auth libraries/dbg \
|
|||
themes/darkblue_orange/css themes/darkblue_orange/img \
|
||||
themes/original themes/original/css themes/original/img
|
||||
|
||||
# Part of the fix for CVE-2010-4480.
|
||||
post-extract:
|
||||
${RM} -f ${WRKSRC}/error.php
|
||||
|
||||
do-configure:
|
||||
${SED} -e "s|@PMDIR@|${PMDIR}|g" ${FILESDIR}/phpmyadmin.conf \
|
||||
>${WRKDIR}/phpmyadmin.conf
|
||||
|
|
|
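Review bot: The new `post-extract` target deletes `${WRKSRC}/error.php` with only `# Part of the fix for CVE-2010-4480.` as explanation, so nothing in the Makefile records why removing a shipped page is part of a security fix or which patches it belongs with. I would expand the comment to say that `error.php` was the directly requestable page that built its output from the URL parameters the old redirect in patch-CVE-2010-4480-2 passed to it, that its replacement `libraries/error.inc.php` is include-only (it exits unless `PHPMYADMIN` is defined), and that the old script is removed so no reachable copy stays installed: `# Part of the fix for CVE-2010-4480: error.php rendered its message from URL parameters and is replaced by the include-only libraries/error.inc.php; delete it so no reachable copy is installed.` Note that `${RM} -f` silently succeeds once a future DIST_VERSION stops shipping the file, which is fine here, but the matching `share/phpmyadmin/error.php` removal in PLIST must stay in step with it.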
@ -1,4 +1,4 @@
|
|||
@comment $NetBSD: PLIST,v 1.21 2009/06/14 17:43:21 joerg Exp $
|
||||
@comment $NetBSD: PLIST,v 1.22 2011/01/27 13:45:55 tron Exp $
|
||||
share/doc/phpmyadmin/CREDITS
|
||||
share/doc/phpmyadmin/ChangeLog
|
||||
share/doc/phpmyadmin/Documentation.txt
|
||||
|
@ -26,7 +26,6 @@ share/phpmyadmin/db_search.php
|
|||
share/phpmyadmin/db_sql.php
|
||||
share/phpmyadmin/db_structure.php
|
||||
share/phpmyadmin/docs.css
|
||||
share/phpmyadmin/error.php
|
||||
share/phpmyadmin/export.php
|
||||
share/phpmyadmin/import.php
|
||||
share/phpmyadmin/index.php
|
||||
|
@ -197,6 +196,7 @@ share/phpmyadmin/libraries/engines/merge.lib.php
|
|||
share/phpmyadmin/libraries/engines/mrg_myisam.lib.php
|
||||
share/phpmyadmin/libraries/engines/myisam.lib.php
|
||||
share/phpmyadmin/libraries/engines/ndbcluster.lib.php
|
||||
share/phpmyadmin/libraries/error.inc.php
|
||||
share/phpmyadmin/libraries/export/csv.php
|
||||
share/phpmyadmin/libraries/export/excel.php
|
||||
share/phpmyadmin/libraries/export/htmlexcel.php
|
||||
|
|
|
@ -1,5 +1,9 @@
|
|||
$NetBSD: distinfo,v 1.46 2010/11/29 19:13:30 tron Exp $
|
||||
$NetBSD: distinfo,v 1.47 2011/01/27 13:45:55 tron Exp $
|
||||
|
||||
SHA1 (phpMyAdmin-2.11.11.1-all-languages.tar.bz2) = da1b74626a24dd296ed0ccad04ad8d1e49b7c398
|
||||
RMD160 (phpMyAdmin-2.11.11.1-all-languages.tar.bz2) = bda8a90444df683eea585769a186df42498a96cf
|
||||
Size (phpMyAdmin-2.11.11.1-all-languages.tar.bz2) = 3122604 bytes
|
||||
SHA1 (patch-CVE-2010-4480-1) = e2a36a254e573406bc8aeb027935b1dde5717c03
|
||||
SHA1 (patch-CVE-2010-4480-2) = 650f0a8d60a1ad1e1a14c8c66c715d4304138433
|
||||
SHA1 (patch-CVE-2010-4480-3) = 403dbfdd099e5928f38fa1a9beac210b26e8ab89
|
||||
SHA1 (patch-CVE-2010-4481) = 3bbf3576d8c39df22613ac2560cadb6f890f534e
|
||||
|
|
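--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4480-1
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2010-4480-1,v 1.1 2011/01/27 13:45:55 tron Exp $
+
+Fix for CVE-2010-4480 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b01a58118f973f98ab99a4bb28d340af49fa251f
+
+--- libraries/common.inc.php.orig 2010-11-29 17:18:35.000000000 +0000
++++ libraries/common.inc.php 2011-01-27 13:21:56.000000000 +0000
+@@ -305,7 +305,6 @@
+'db_printview.php',
+'db_search.php',
+//'Documentation.html',
+- //'error.php',
+'export.php',
+'import.php',
+//'index.php',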
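--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4480-2
@@ -0,0 +1,33 @@
+$NetBSD: patch-CVE-2010-4480-2,v 1.1 2011/01/27 13:45:55 tron Exp $
+
+Fix for CVE-2010-4480 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b01a58118f973f98ab99a4bb28d340af49fa251f
+
+--- libraries/core.lib.php.orig 2010-11-29 17:18:35.000000000 +0000
++++ libraries/core.lib.php 2011-01-27 13:21:56.000000000 +0000
+@@ -241,18 +241,18 @@
+$error_message = strtr($error_message, array('<br />' => '[br]'));
+
+// Displays the error message
+- // (do not use & for parameters sent by header)
+- header('Location: ' . (defined('PMA_SETUP') ? '../' : '') . 'error.php'
+- . '?lang=' . urlencode($GLOBALS['available_languages'][$GLOBALS['lang']][2])
+- . '&dir=' . urlencode($GLOBALS['text_dir'])
+- . '&type=' . urlencode($GLOBALS['strError'])
+- . '&error=' . urlencode($error_message));
++ $lang = $GLOBALS['available_languages'][$GLOBALS['lang']][2];
++ $dir = $GLOBALS['text_dir'];
++ $type = $GLOBALS['strError'];
++ $error = $error_message;
+
+// on fatal errors it cannot hurt to always delete the current session
+if (isset($GLOBALS['session_name']) && isset($_COOKIE[$GLOBALS['session_name']])) {
+PMA_removeCookie($GLOBALS['session_name']);
+}
+
++ require('./libraries/error.inc.php');
++
+exit;
+}
+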
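Review bot: The variables the new block sets do not match what the included page reads: the hunk assigns `$type = $GLOBALS['strError'];` and `$error = $error_message;`, but `libraries/error.inc.php` (patch-CVE-2010-4480-3) echoes `$error_header` and `$error_message`, so unless `$error_header` is defined somewhere outside this hunk the `<h1>` will be empty with an undefined-variable notice on every fatal error, while `$type` and `$error` are never read. I would change the assignment to `$error_header = $GLOBALS['strError'];` and drop the unused `$error = $error_message;`. The removed redirect also prefixed the path with `../` when `PMA_SETUP` was defined, whereas the new `require('./libraries/error.inc.php');` is resolved against the current working directory, so if the setup script runs with a different cwd the include itself will fail on the error path; this is worth exercising from the setup page. The enclosing function starts outside the hunk.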
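--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4480-3
@@ -0,0 +1,66 @@
+$NetBSD: patch-CVE-2010-4480-3,v 1.1 2011/01/27 13:45:55 tron Exp $
+
+Fix for CVE-2010-4480 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b01a58118f973f98ab99a4bb28d340af49fa251f
+
+--- /dev/null 2011-01-27 13:21:56.000000000 +0000
++++ libraries/error.inc.php 2011-01-27 13:21:56.000000000 +0000
+@@ -0,0 +1,57 @@
++<?php
++/* vim: set expandtab sw=4 ts=4 sts=4: */
++/**
++ * phpMyAdmin fatal error display page
++ *
++ * @package phpMyAdmin
++ */
++
++if (! defined('PHPMYADMIN')) {
++ exit;
++}
++
++header('Content-Type: text/html; charset=utf-8');
++?>
++<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
++<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $lang; ?>" dir="<?php echo $dir; ?>">
++<head>
++ <link rel="icon" href="./favicon.ico" type="image/x-icon" />
++ <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
++ <title>phpMyAdmin</title>
++ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
++ <style type="text/css">
++ <!--
++ html {
++ padding: 0;
++ margin: 0;
++ }
++ body {
++ font-family: sans-serif;
++ font-size: small;
++ color: #000000;
++ background-color: #F5F5F5;
++ margin: 1em;
++ }
++ h1 {
++ margin: 0;
++ padding: 0.3em;
++ font-size: 1.4em;
++ font-weight: bold;
++ color: #ffffff;
++ background-color: #ff0000;
++ }
++ p {
++ margin: 0;
++ padding: 0.5em;
++ border: 0.1em solid red;
++ background-color: #ffeeee;
++ }
++ //-->
++ </style>
++</head>
++<body>
++<h1>phpMyAdmin - <?php echo $error_header; ?></h1>
++<p><?php echo PMA_sanitize($error_message); ?></p>
++</body>
++</html>
++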
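Review bot: The new page echoes `$lang` and `$dir` straight into the `<html>` attributes and `$error_header` into the `<h1>` with no escaping, while only `$error_message` passes through `PMA_sanitize()`. In patch-CVE-2010-4480-2 those values come from the language table and configuration rather than the request, so this is not the reported XSS, but an include that replaces an XSS-prone error page should not depend on every future caller keeping that true, and `htmlspecialchars()` is cheap: `xml:lang="<?php echo htmlspecialchars($lang); ?>" dir="<?php echo htmlspecialchars($dir); ?>"` and `<h1>phpMyAdmin - <?php echo htmlspecialchars($error_header); ?></h1>`. The `if (! defined('PHPMYADMIN')) { exit; }` guard at the top is the control that matters and should stay first: it is what stops this file from being requested directly the way `error.php` could be.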
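--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4481
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2010-4481,v 1.1 2011/01/27 13:45:55 tron Exp $
+
+Fix for CVE-2010-4481 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=373a6626ade37c0fee1dfc7c757ca55c7652874b
+
+--- phpinfo.php.orig 2010-11-29 17:18:35.000000000 +0000
++++ phpinfo.php 2011-01-27 13:33:04.000000000 +0000
+@@ -8,7 +8,6 @@
+/**
+* Gets core libraries and defines some variables
+*/
+-define('PMA_MINIMUM_COMMON', true);
+require_once './libraries/common.inc.php';
+
+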
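Review bot: The hunk deletes `define('PMA_MINIMUM_COMMON', true);` without leaving any trace in phpinfo.php of why, so a later cleanup that notices the page "only" needs the minimal bootstrap could reintroduce it and reopen CVE-2010-4481. I would put a comment in its place: `// Do not define PMA_MINIMUM_COMMON here: the minimal bootstrap skips the authentication that must gate phpinfo() output (CVE-2010-4481).` That the minimal path skips authentication is inferred from the purpose of the patch and should be confirmed against common.inc.php, which this commit does not touch. The rest of phpinfo.php, including the phpinfo() call itself, lies outside the hunk.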