phpmyadmin: fix CVE-2023-25727

In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-25727 Upstream patch: https://github.com/phpmyadmin/phpmyadmin/commit/efa2406695551667f726497750d3db91fb6f662e Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com> Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Dragos-Marian Panait <dragos.panait@windriver.com> 2023-03-24 07:49:56 -0700
committer: Armin Kuster <akuster808@gmail.com> 2023-04-04 09:04:49 -0400
commit: 99047e44ce4ecdf57222b73eb9381ba9d554e2fa (patch)
tree: 5c39fc7262eec00fc3ef656308b3d7fcc8fb0f4a
parent: 496d23c0fcef9d69b6d657b751515fd76820ee48 (diff)
download: meta-openembedded-99047e44ce4ecdf57222b73eb9381ba9d554e2fa.tar.gz
2 files changed, 38 insertions, 0 deletions
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2023-25727.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2023-25727.patch
new file mode 100644
index 0000000000..707334a517
--- /dev/null
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2023-25727.patch
@@ -0,0 +1,37 @@
+From 0842f11158699a979437125756b26eeabedab9ab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maur=C3=ADcio=20Meneghini=20Fauth?= <mauricio@fauth.dev>
+Date: Fri, 5 Aug 2022 20:18:16 -0300
+Subject: [PATCH] Fix not escaped title when using drag and drop upload
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
+Upstream-Status: Backport
+CVE: CVE-2023-25727
+Reference to upstream patch:
+https://github.com/phpmyadmin/phpmyadmin/commit/efa2406695551667f726497750d3db91fb6f662e
+Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
+---
+ js/src/drag_drop_import.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/js/src/drag_drop_import.js b/js/src/drag_drop_import.js
+index 55250c2..9b8710e 100644
+--- a/js/src/drag_drop_import.js
+++ b/js/src/drag_drop_import.js
+@@ -130,7 +130,7 @@ var DragDropImport = {
+                                 var filename = $this.parent('span').attr('data-filename');
+                                 $('body').append('<div class="pma_drop_result"><h2>' +
+                                 Messages.dropImportImportResultHeader + ' - ' +
+-                                filename + '<span class="close">x</span></h2>' + value.message + '</div>');
+                                Functions.escapeHtml(filename) + '<span class="close">x</span></h2>' + value.message + '</div>');
+                                 $('.pma_drop_result').draggable();  // to make this dialog draggable
+                             }
+                         });
+-- 
+2.39.1
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb
index 7ccc05ec3e..3f19194391 100644
--- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
           file://apache.conf \
+           file://CVE-2023-25727.patch \
 "
 SRC_URI[sha256sum] = "c562feddc0f8ff5e69629113f273a0d024a65fb928c48e89ce614744d478296f"
author	Dragos-Marian Panait <dragos.panait@windriver.com>	2023-03-24 07:49:56 -0700
committer	Armin Kuster <akuster808@gmail.com>	2023-04-04 09:04:49 -0400
commit	99047e44ce4ecdf57222b73eb9381ba9d554e2fa (patch)
tree	5c39fc7262eec00fc3ef656308b3d7fcc8fb0f4a
parent	496d23c0fcef9d69b6d657b751515fd76820ee48 (diff)
download	meta-openembedded-99047e44ce4ecdf57222b73eb9381ba9d554e2fa.tar.gz

diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2023-25727.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2023-25727.patch new file mode 100644 index 0000000000..707334a517 --- /dev/null +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2023-25727.patch
@@ -0,0 +1,37 @@
		1	From 0842f11158699a979437125756b26eeabedab9ab Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Maur=C3=ADcio=20Meneghini=20Fauth?= <mauricio@fauth.dev>
		3	Date: Fri, 5 Aug 2022 20:18:16 -0300
		4	Subject: [PATCH] Fix not escaped title when using drag and drop upload
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
		10
		11	Upstream-Status: Backport
		12	CVE: CVE-2023-25727
		13
		14	Reference to upstream patch:
		15	https://github.com/phpmyadmin/phpmyadmin/commit/efa2406695551667f726497750d3db91fb6f662e
		16
		17	Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
		18	---
		19	js/src/drag_drop_import.js \| 2 +-
		20	1 file changed, 1 insertion(+), 1 deletion(-)
		21
		22	diff --git a/js/src/drag_drop_import.js b/js/src/drag_drop_import.js
		23	index 55250c2..9b8710e 100644
		24	--- a/js/src/drag_drop_import.js
		25	+++ b/js/src/drag_drop_import.js
		26	@@ -130,7 +130,7 @@ var DragDropImport = {
		27	var filename = $this.parent('span').attr('data-filename');
		28	$('body').append('<div class="pma_drop_result"><h2>' +
		29	Messages.dropImportImportResultHeader + ' - ' +
		30	- filename + '<span class="close">x</span></h2>' + value.message + '</div>');
		31	+ Functions.escapeHtml(filename) + '<span class="close">x</span></h2>' + value.message + '</div>');
		32	$('.pma_drop_result').draggable(); // to make this dialog draggable
		33	}
		34	});
		35	--
		36	2.39.1
		37


diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb index 7ccc05ec3e..3f19194391 100644 --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
9		9
10	SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \	10	SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
11	file://apache.conf \	11	file://apache.conf \
		12	file://CVE-2023-25727.patch \
12	"	13	"
13		14
14	SRC_URI[sha256sum] = "c562feddc0f8ff5e69629113f273a0d024a65fb928c48e89ce614744d478296f"	15	SRC_URI[sha256sum] = "c562feddc0f8ff5e69629113f273a0d024a65fb928c48e89ce614744d478296f"