author | tron <tron> | 2011-01-27 13:45:55 +0000 |
---|---|---|
committer | tron <tron> | 2011-01-27 13:45:55 +0000 |
commit | cbfed13de17deff4b385558d55f0914a845567aa (patch) | |
tree | 57f49b70af3cc7193b937304fa7fe411ce83e6f2 /databases | |
parent | 394330b431afb6054788cb827bbd051d7d276788 (diff) | |
download | pkgsrc-cbfed13de17deff4b385558d55f0914a845567aa.tar.gz |
Add fixes for the security vulnerabilities reported in CVE-2010-4480 and
CVE-2010-4481 taken from the phpMyAdmin GIT repository.
Thanks a lot to Tim Zingelman for pointing out that the fixes had
finally been made available.
Diffstat (limited to 'databases')
-rw-r--r-- | databases/phpmyadmin/Makefile | 7 | ||||
-rw-r--r-- | databases/phpmyadmin/PLIST | 4 | ||||
-rw-r--r-- | databases/phpmyadmin/distinfo | 6 | ||||
-rw-r--r-- | databases/phpmyadmin/patches/patch-CVE-2010-4480-1 | 16 | ||||
-rw-r--r-- | databases/phpmyadmin/patches/patch-CVE-2010-4480-2 | 33 | ||||
-rw-r--r-- | databases/phpmyadmin/patches/patch-CVE-2010-4480-3 | 66 | ||||
-rw-r--r-- | databases/phpmyadmin/patches/patch-CVE-2010-4481 | 16 |
7 files changed, 144 insertions, 4 deletions
diff --git a/databases/phpmyadmin/Makefile b/databases/phpmyadmin/Makefile
index 64ab834244e..6e666ea97c0 100644
--- a/databases/phpmyadmin/Makefile
+++ b/databases/phpmyadmin/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.85 2010/11/29 19:13:30 tron Exp $
+# $NetBSD: Makefile,v 1.86 2011/01/27 13:45:55 tron Exp $
 
 DISTNAME= phpMyAdmin-${DIST_VERSION}-all-languages
 PKGNAME= phpmyadmin-${DIST_VERSION:S/-//}
+PKGREVISION= 1
 CATEGORIES= databases www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=phpmyadmin/}
 EXTRACT_SUFX= .tar.bz2
@@ -55,6 +56,10 @@ INSTALL_DIRS= js lang libraries libraries/auth libraries/dbg \
 themes/darkblue_orange/css themes/darkblue_orange/img \
 themes/original themes/original/css themes/original/img
 
+# Part of the fix for CVE-2010-4480.
+post-extract:
+ ${RM} -f ${WRKSRC}/error.php
+
 do-configure:
 ${SED} -e "s|@PMDIR@|${PMDIR}|g" ${FILESDIR}/phpmyadmin.conf \
 >${WRKDIR}/phpmyadmin.conf
diff --git a/databases/phpmyadmin/PLIST b/databases/phpmyadmin/PLIST
index d7a68daca03..6fccf3cca91 100644
--- a/databases/phpmyadmin/PLIST
+++ b/databases/phpmyadmin/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.21 2009/06/14 17:43:21 joerg Exp $
+@comment $NetBSD: PLIST,v 1.22 2011/01/27 13:45:55 tron Exp $
 share/doc/phpmyadmin/CREDITS
 share/doc/phpmyadmin/ChangeLog
 share/doc/phpmyadmin/Documentation.txt
@@ -26,7 +26,6 @@ share/phpmyadmin/db_search.php
 share/phpmyadmin/db_sql.php
 share/phpmyadmin/db_structure.php
 share/phpmyadmin/docs.css
-share/phpmyadmin/error.php
 share/phpmyadmin/export.php
 share/phpmyadmin/import.php
 share/phpmyadmin/index.php
@@ -197,6 +196,7 @@ share/phpmyadmin/libraries/engines/merge.lib.php
 share/phpmyadmin/libraries/engines/mrg_myisam.lib.php
 share/phpmyadmin/libraries/engines/myisam.lib.php
 share/phpmyadmin/libraries/engines/ndbcluster.lib.php
+share/phpmyadmin/libraries/error.inc.php
 share/phpmyadmin/libraries/export/csv.php
 share/phpmyadmin/libraries/export/excel.php
 share/phpmyadmin/libraries/export/htmlexcel.php
diff --git a/databases/phpmyadmin/distinfo b/databases/phpmyadmin/distinfo
index bb2b51f0d12..8ca5d475d32 100644
--- a/databases/phpmyadmin/distinfo
+++ b/databases/phpmyadmin/distinfo
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.46 2010/11/29 19:13:30 tron Exp $
+$NetBSD: distinfo,v 1.47 2011/01/27 13:45:55 tron Exp $
 
 SHA1 (phpMyAdmin-2.11.11.1-all-languages.tar.bz2) = da1b74626a24dd296ed0ccad04ad8d1e49b7c398
 RMD160 (phpMyAdmin-2.11.11.1-all-languages.tar.bz2) = bda8a90444df683eea585769a186df42498a96cf
 Size (phpMyAdmin-2.11.11.1-all-languages.tar.bz2) = 3122604 bytes
+SHA1 (patch-CVE-2010-4480-1) = e2a36a254e573406bc8aeb027935b1dde5717c03
+SHA1 (patch-CVE-2010-4480-2) = 650f0a8d60a1ad1e1a14c8c66c715d4304138433
+SHA1 (patch-CVE-2010-4480-3) = 403dbfdd099e5928f38fa1a9beac210b26e8ab89
+SHA1 (patch-CVE-2010-4481) = 3bbf3576d8c39df22613ac2560cadb6f890f534e
diff --git a/databases/phpmyadmin/patches/patch-CVE-2010-4480-1 b/databases/phpmyadmin/patches/patch-CVE-2010-4480-1
new file mode 100644
index 00000000000..e30a9bb78a2
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4480-1
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2010-4480-1,v 1.1 2011/01/27 13:45:55 tron Exp $
+
+Fix for CVE-2010-4480 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b01a58118f973f98ab99a4bb28d340af49fa251f
+
+--- libraries/common.inc.php.orig 2010-11-29 17:18:35.000000000 +0000
++++ libraries/common.inc.php 2011-01-27 13:21:56.000000000 +0000
+@@ -305,7 +305,6 @@
+ 'db_printview.php',
+ 'db_search.php',
+ //'Documentation.html',
+- //'error.php',
+ 'export.php',
+ 'import.php',
+ //'index.php',
diff --git a/databases/phpmyadmin/patches/patch-CVE-2010-4480-2 b/databases/phpmyadmin/patches/patch-CVE-2010-4480-2
new file mode 100644
index 00000000000..c1ecb86bfc5
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4480-2
@@ -0,0 +1,33 @@
+$NetBSD: patch-CVE-2010-4480-2,v 1.1 2011/01/27 13:45:55 tron Exp $
+
+Fix for CVE-2010-4480 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b01a58118f973f98ab99a4bb28d340af49fa251f
+
+--- libraries/core.lib.php.orig 2010-11-29 17:18:35.000000000 +0000
++++ libraries/core.lib.php 2011-01-27 13:21:56.000000000 +0000
+@@ -241,18 +241,18 @@
+ $error_message = strtr($error_message, array('<br />' => '[br]'));
+
+ // Displays the error message
+- // (do not use & for parameters sent by header)
+- header('Location: ' . (defined('PMA_SETUP') ? '../' : '') . 'error.php'
+- . '?lang=' . urlencode($GLOBALS['available_languages'][$GLOBALS['lang']][2])
+- . '&dir=' . urlencode($GLOBALS['text_dir'])
+- . '&type=' . urlencode($GLOBALS['strError'])
+- . '&error=' . urlencode($error_message));
++ $lang = $GLOBALS['available_languages'][$GLOBALS['lang']][2];
++ $dir = $GLOBALS['text_dir'];
++ $type = $GLOBALS['strError'];
++ $error = $error_message;
+
+ // on fatal errors it cannot hurt to always delete the current session
+ if (isset($GLOBALS['session_name']) && isset($_COOKIE[$GLOBALS['session_name']])) {
+ PMA_removeCookie($GLOBALS['session_name']);
+ }
+
++ require('./libraries/error.inc.php');
++
+ exit;
+ }
+
diff --git a/databases/phpmyadmin/patches/patch-CVE-2010-4480-3 b/databases/phpmyadmin/patches/patch-CVE-2010-4480-3
new file mode 100644
index 00000000000..0a222961037
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4480-3
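Review bot: The variables this hunk sets before `require('./libraries/error.inc.php')` do not match what the new libraries/error.inc.php in patch-CVE-2010-4480-3 (the next file) reads: that template echoes `$lang`, `$dir`, `$error_header` and `$error_message`, whereas here `$type` and `$error` are assigned and `$error_header` never is, so the heading would render as "phpMyAdmin - " with an undefined-variable notice. The two lines `$type = $GLOBALS['strError'];` and `$error = $error_message;` should become the single line `$error_header = $GLOBALS['strError'];`, since `$error_message` is already in scope from the `strtr()` context line above. This looks like the backport kept the old query-parameter names from the removed `header('Location: ...')` redirect; worth confirming against the upstream commit cited in the patch header. The enclosing function begins before this hunk.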
@@ -0,0 +1,66 @@
+$NetBSD: patch-CVE-2010-4480-3,v 1.1 2011/01/27 13:45:55 tron Exp $
+
+Fix for CVE-2010-4480 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b01a58118f973f98ab99a4bb28d340af49fa251f
+
+--- /dev/null 2011-01-27 13:21:56.000000000 +0000
++++ libraries/error.inc.php 2011-01-27 13:21:56.000000000 +0000
+@@ -0,0 +1,57 @@
++<?php
++/* vim: set expandtab sw=4 ts=4 sts=4: */
++/**
++ * phpMyAdmin fatal error display page
++ *
++ * @package phpMyAdmin
++ */
++
++if (! defined('PHPMYADMIN')) {
++ exit;
++}
++
++header('Content-Type: text/html; charset=utf-8');
++?>
++<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
++<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $lang; ?>" dir="<?php echo $dir; ?>">
++<head>
++ <link rel="icon" href="./favicon.ico" type="image/x-icon" />
++ <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
++ <title>phpMyAdmin</title>
++ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
++ <style type="text/css">
++ <!--
++ html {
++ padding: 0;
++ margin: 0;
++ }
++ body {
++ font-family: sans-serif;
++ font-size: small;
++ color: #000000;
++ background-color: #F5F5F5;
++ margin: 1em;
++ }
++ h1 {
++ margin: 0;
++ padding: 0.3em;
++ font-size: 1.4em;
++ font-weight: bold;
++ color: #ffffff;
++ background-color: #ff0000;
++ }
++ p {
++ margin: 0;
++ padding: 0.5em;
++ border: 0.1em solid red;
++ background-color: #ffeeee;
++ }
++ //-->
++ </style>
++</head>
++<body>
++<h1>phpMyAdmin - <?php echo $error_header; ?></h1>
++<p><?php echo PMA_sanitize($error_message); ?></p>
++</body>
++</html>
++
diff --git a/databases/phpmyadmin/patches/patch-CVE-2010-4481 b/databases/phpmyadmin/patches/patch-CVE-2010-4481
new file mode 100644
index 00000000000..954125c735b
--- /dev/null
+++ b/databases/phpmyadmin/patches/patch-CVE-2010-4481
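Review bot: `$lang` and `$dir` are echoed straight into the `xml:lang` and `dir` attributes of the `<html>` element, while only `$error_message` is passed through `PMA_sanitize()`. In the previous patch those two values are taken from `$GLOBALS['available_languages']` and `$GLOBALS['text_dir']` rather than from the request, so this is not the reflected vector that CVE-2010-4480 closes, but since this template replaces the removed error.php it is cheap to make it attribute-safe: `xml:lang="<?php echo htmlspecialchars($lang, ENT_QUOTES, 'UTF-8'); ?>" dir="<?php echo htmlspecialchars($dir, ENT_QUOTES, 'UTF-8'); ?>"`. Whether `PMA_sanitize()` is already loaded when a fatal error is raised cannot be seen from this patch and should be checked, as an undefined function here would turn the error page into a second fatal error.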
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2010-4481,v 1.1 2011/01/27 13:45:55 tron Exp $
+
+Fix for CVE-2010-4481 taken from the phpMyAdmin GIT repository:
+
+http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=373a6626ade37c0fee1dfc7c757ca55c7652874b
+
+--- phpinfo.php.orig 2010-11-29 17:18:35.000000000 +0000
++++ phpinfo.php 2011-01-27 13:33:04.000000000 +0000
+@@ -8,7 +8,6 @@
+ /**
+ * Gets core libraries and defines some variables
+ */
+-define('PMA_MINIMUM_COMMON', true);
+ require_once './libraries/common.inc.php';
+
+
|