From 880df90c865b57d38f1ff836fe8900c94434322f Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Fri, 7 Feb 2025 14:29:55 +0800
Subject: phpmyadmin: fix CVE-2025-24529/CVE-2025-24530

CVE-2025-24529:
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS
vulnerability has been discovered for the Insert tab.
Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-24529

CVE-2025-24530:
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS
vulnerability has been discovered for the check tables feature. A
crafted table or database name could be used for XSS.
Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-24530

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../phpmyadmin/phpmyadmin/CVE-2025-24529.patch     | 36 +++++++++++++++++++
 .../phpmyadmin/phpmyadmin/CVE-2025-24530.patch     | 42 ++++++++++++++++++++++
 .../recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb     |  4 ++-
 3 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24529.patch
 create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24530.patch

diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24529.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24529.patch
new file mode 100644
index 0000000000..4b862649dd
--- /dev/null
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24529.patch
@@ -0,0 +1,36 @@
+From a8e215c314a98008aab6f3147a409911be73108e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maur=C3=ADcio=20Meneghini=20Fauth?= <mauricio@mfauth.net>
+Date: Sun, 12 Jan 2025 22:39:06 -0300
+Subject: [PATCH 1/2] Fix XSS vulnerability on Insert page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Maurício Meneghini Fauth <mauricio@mfauth.net>
+
+CVE: CVE-2025-24529
+Upstream-Status: Backport [https://github.com/phpmyadmin/phpmyadmin/commit/7355ddff8d1da9453cf43c09a45666157b16103d]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libraries/classes/InsertEdit.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libraries/classes/InsertEdit.php b/libraries/classes/InsertEdit.php
+index abc3c5f..4bde765 100644
+--- a/libraries/classes/InsertEdit.php
++++ b/libraries/classes/InsertEdit.php
+@@ -2166,8 +2166,8 @@ class InsertEdit
+         } elseif ($trueType === 'binary' || $trueType === 'varbinary') {
+             $special_chars = bin2hex($column['Default']);
+         } elseif (substr($trueType, -4) === 'text') {
+-            $textDefault = substr($column['Default'], 1, -1);
+-            $special_chars = stripcslashes($textDefault !== false ? $textDefault : $column['Default']);
++            $textDefault = (string) substr($column['Default'], 1, -1);
++            $special_chars = htmlspecialchars(stripcslashes($textDefault !== '' ? $textDefault : $column['Default']));
+         } else {
+             $special_chars = htmlspecialchars($column['Default']);
+         }
+-- 
+2.34.1
+
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24530.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24530.patch
new file mode 100644
index 0000000000..4e36dbba80
--- /dev/null
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24530.patch
@@ -0,0 +1,42 @@
+From 76e8b760487139bbfba08b8a6f7fdad40a93ac57 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maur=C3=ADcio=20Meneghini=20Fauth?= <mauricio@mfauth.net>
+Date: Tue, 15 Oct 2024 12:27:22 -0300
+Subject: [PATCH 2/2] Fix unescaped table name when checking tables
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Maurício Meneghini Fauth <mauricio@mfauth.net>
+
+CVE: CVE-2025-24530
+Upstream-Status: Backport [https://github.com/phpmyadmin/phpmyadmin/commit/23c13a81709728089ff031e5b1c29b5e91baa6a7]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libraries/classes/Table/Maintenance.php | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/classes/Table/Maintenance.php b/libraries/classes/Table/Maintenance.php
+index 9ed72ef..0247c6e 100644
+--- a/libraries/classes/Table/Maintenance.php
++++ b/libraries/classes/Table/Maintenance.php
+@@ -7,6 +7,7 @@ namespace PhpMyAdmin\Table;
+ use PhpMyAdmin\DatabaseInterface;
+ use PhpMyAdmin\Index;
+ use PhpMyAdmin\Util;
++use function htmlspecialchars;
+ use function implode;
+ use function sprintf;
+ 
+@@ -91,7 +92,7 @@ final class Maintenance
+                 continue;
+             }
+ 
+-            $indexesProblems .= sprintf(__('Problems with indexes of table `%s`'), $table);
++            $indexesProblems .= htmlspecialchars(sprintf(__('Problems with indexes of table `%s`'), $table));
+             $indexesProblems .= $check;
+         }
+ 
+-- 
+2.34.1
+
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb
index 3f19194391..85a18dfd1e 100644
--- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb
@@ -10,10 +10,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
            file://apache.conf \
            file://CVE-2023-25727.patch \
+           file://CVE-2025-24529.patch \
+           file://CVE-2025-24530.patch \
 "
 
 SRC_URI[sha256sum] = "c562feddc0f8ff5e69629113f273a0d024a65fb928c48e89ce614744d478296f"
-
+ 
 UPSTREAM_CHECK_URI = "https://www.phpmyadmin.net/downloads/"
 UPSTREAM_CHECK_REGEX = "phpMyAdmin-(?P<pver>\d+(\.\d+)+)-all-languages.tar.xz"
 
-- 
cgit v1.2.3-54-g00ecf