phpmyadmin: fix CVE-2025-24529/CVE-2025-24530

CVE-2025-24529: An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab. Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-24529 CVE-2025-24530: An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS. Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-24530 Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Changqing Li <changqing.li@windriver.com> 2025-02-07 14:29:55 +0800
committer: Armin Kuster <akuster808@gmail.com> 2025-02-09 07:58:44 -0800
commit: 880df90c865b57d38f1ff836fe8900c94434322f (patch)
tree: db4d54773169b160624cc53738613f264b8de48b
parent: b7dc1e8eb72b01595a60367f8fd375625268b8a2 (diff)
download: meta-openembedded-880df90c865b57d38f1ff836fe8900c94434322f.tar.gz
3 files changed, 81 insertions, 1 deletions
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24529.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24529.patch
new file mode 100644
index 0000000000..4b862649dd
--- /dev/null
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24529.patch
@@ -0,0 +1,36 @@
+From a8e215c314a98008aab6f3147a409911be73108e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maur=C3=ADcio=20Meneghini=20Fauth?= <mauricio@mfauth.net>
+Date: Sun, 12 Jan 2025 22:39:06 -0300
+Subject: [PATCH 1/2] Fix XSS vulnerability on Insert page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Signed-off-by: Maurício Meneghini Fauth <mauricio@mfauth.net>
+CVE: CVE-2025-24529
+Upstream-Status: Backport [https://github.com/phpmyadmin/phpmyadmin/commit/7355ddff8d1da9453cf43c09a45666157b16103d]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libraries/classes/InsertEdit.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/libraries/classes/InsertEdit.php b/libraries/classes/InsertEdit.php
+index abc3c5f..4bde765 100644
+--- a/libraries/classes/InsertEdit.php
+++ b/libraries/classes/InsertEdit.php
+@@ -2166,8 +2166,8 @@ class InsertEdit
+         } elseif ($trueType === 'binary' || $trueType === 'varbinary') {
+             $special_chars = bin2hex($column['Default']);
+         } elseif (substr($trueType, -4) === 'text') {
+-            $textDefault = substr($column['Default'], 1, -1);
+-            $special_chars = stripcslashes($textDefault !== false ? $textDefault : $column['Default']);
+            $textDefault = (string) substr($column['Default'], 1, -1);
+            $special_chars = htmlspecialchars(stripcslashes($textDefault !== '' ? $textDefault : $column['Default']));
+         } else {
+             $special_chars = htmlspecialchars($column['Default']);
+         }
+-- 
+2.34.1
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24530.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24530.patch
new file mode 100644
index 0000000000..4e36dbba80
--- /dev/null
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24530.patch
@@ -0,0 +1,42 @@
+From 76e8b760487139bbfba08b8a6f7fdad40a93ac57 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maur=C3=ADcio=20Meneghini=20Fauth?= <mauricio@mfauth.net>
+Date: Tue, 15 Oct 2024 12:27:22 -0300
+Subject: [PATCH 2/2] Fix unescaped table name when checking tables
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Signed-off-by: Maurício Meneghini Fauth <mauricio@mfauth.net>
+CVE: CVE-2025-24530
+Upstream-Status: Backport [https://github.com/phpmyadmin/phpmyadmin/commit/23c13a81709728089ff031e5b1c29b5e91baa6a7]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libraries/classes/Table/Maintenance.php | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/libraries/classes/Table/Maintenance.php b/libraries/classes/Table/Maintenance.php
+index 9ed72ef..0247c6e 100644
+--- a/libraries/classes/Table/Maintenance.php
+++ b/libraries/classes/Table/Maintenance.php
+@@ -7,6 +7,7 @@ namespace PhpMyAdmin\Table;
+ use PhpMyAdmin\DatabaseInterface;
+ use PhpMyAdmin\Index;
+ use PhpMyAdmin\Util;
+use function htmlspecialchars;
+ use function implode;
+ use function sprintf;
+ 
+@@ -91,7 +92,7 @@ final class Maintenance
+                 continue;
+             }
+ 
+-            $indexesProblems .= sprintf(__('Problems with indexes of table `%s`'), $table);
+            $indexesProblems .= htmlspecialchars(sprintf(__('Problems with indexes of table `%s`'), $table));
+             $indexesProblems .= $check;
+         }
+ 
+-- 
+2.34.1
diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb
index 3f19194391..85a18dfd1e 100644
--- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb
@@ -10,10 +10,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
           file://apache.conf \
           file://CVE-2023-25727.patch \
+           file://CVE-2025-24529.patch \
+           file://CVE-2025-24530.patch \
 "
 SRC_URI[sha256sum] = "c562feddc0f8ff5e69629113f273a0d024a65fb928c48e89ce614744d478296f"
+ 
 UPSTREAM_CHECK_URI = "https://www.phpmyadmin.net/downloads/"
 UPSTREAM_CHECK_REGEX = "phpMyAdmin-(?P<pver>\d+(\.\d+)+)-all-languages.tar.xz"
author	Changqing Li <changqing.li@windriver.com>	2025-02-07 14:29:55 +0800
committer	Armin Kuster <akuster808@gmail.com>	2025-02-09 07:58:44 -0800
commit	880df90c865b57d38f1ff836fe8900c94434322f (patch)
tree	db4d54773169b160624cc53738613f264b8de48b
parent	b7dc1e8eb72b01595a60367f8fd375625268b8a2 (diff)
download	meta-openembedded-880df90c865b57d38f1ff836fe8900c94434322f.tar.gz

diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24529.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24529.patch new file mode 100644 index 0000000000..4b862649dd --- /dev/null +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24529.patch
@@ -0,0 +1,36 @@
		1	From a8e215c314a98008aab6f3147a409911be73108e Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Maur=C3=ADcio=20Meneghini=20Fauth?= <mauricio@mfauth.net>
		3	Date: Sun, 12 Jan 2025 22:39:06 -0300
		4	Subject: [PATCH 1/2] Fix XSS vulnerability on Insert page
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Signed-off-by: Maurício Meneghini Fauth <mauricio@mfauth.net>
		10
		11	CVE: CVE-2025-24529
		12	Upstream-Status: Backport [https://github.com/phpmyadmin/phpmyadmin/commit/7355ddff8d1da9453cf43c09a45666157b16103d]
		13
		14	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		15	---
		16	libraries/classes/InsertEdit.php \| 4 ++--
		17	1 file changed, 2 insertions(+), 2 deletions(-)
		18
		19	diff --git a/libraries/classes/InsertEdit.php b/libraries/classes/InsertEdit.php
		20	index abc3c5f..4bde765 100644
		21	--- a/libraries/classes/InsertEdit.php
		22	+++ b/libraries/classes/InsertEdit.php
		23	@@ -2166,8 +2166,8 @@ class InsertEdit
		24	} elseif ($trueType === 'binary' \|\| $trueType === 'varbinary') {
		25	$special_chars = bin2hex($column['Default']);
		26	} elseif (substr($trueType, -4) === 'text') {
		27	- $textDefault = substr($column['Default'], 1, -1);
		28	- $special_chars = stripcslashes($textDefault !== false ? $textDefault : $column['Default']);
		29	+ $textDefault = (string) substr($column['Default'], 1, -1);
		30	+ $special_chars = htmlspecialchars(stripcslashes($textDefault !== '' ? $textDefault : $column['Default']));
		31	} else {
		32	$special_chars = htmlspecialchars($column['Default']);
		33	}
		34	--
		35	2.34.1
		36


diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24530.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24530.patch new file mode 100644 index 0000000000..4e36dbba80 --- /dev/null +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/CVE-2025-24530.patch
@@ -0,0 +1,42 @@
		1	From 76e8b760487139bbfba08b8a6f7fdad40a93ac57 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Maur=C3=ADcio=20Meneghini=20Fauth?= <mauricio@mfauth.net>
		3	Date: Tue, 15 Oct 2024 12:27:22 -0300
		4	Subject: [PATCH 2/2] Fix unescaped table name when checking tables
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Signed-off-by: Maurício Meneghini Fauth <mauricio@mfauth.net>
		10
		11	CVE: CVE-2025-24530
		12	Upstream-Status: Backport [https://github.com/phpmyadmin/phpmyadmin/commit/23c13a81709728089ff031e5b1c29b5e91baa6a7]
		13
		14	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		15	---
		16	libraries/classes/Table/Maintenance.php \| 3 ++-
		17	1 file changed, 2 insertions(+), 1 deletion(-)
		18
		19	diff --git a/libraries/classes/Table/Maintenance.php b/libraries/classes/Table/Maintenance.php
		20	index 9ed72ef..0247c6e 100644
		21	--- a/libraries/classes/Table/Maintenance.php
		22	+++ b/libraries/classes/Table/Maintenance.php
		23	@@ -7,6 +7,7 @@ namespace PhpMyAdmin\Table;
		24	use PhpMyAdmin\DatabaseInterface;
		25	use PhpMyAdmin\Index;
		26	use PhpMyAdmin\Util;
		27	+use function htmlspecialchars;
		28	use function implode;
		29	use function sprintf;
		30
		31	@@ -91,7 +92,7 @@ final class Maintenance
		32	continue;
		33	}
		34
		35	- $indexesProblems .= sprintf(__('Problems with indexes of table `%s`'), $table);
		36	+ $indexesProblems .= htmlspecialchars(sprintf(__('Problems with indexes of table `%s`'), $table));
		37	$indexesProblems .= $check;
		38	}
		39
		40	--
		41	2.34.1
		42


diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb index 3f19194391..85a18dfd1e 100644 --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_5.1.3.bb
@@ -10,10 +10,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
10	SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \	10	SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \
11	file://apache.conf \	11	file://apache.conf \
12	file://CVE-2023-25727.patch \	12	file://CVE-2023-25727.patch \
		13	file://CVE-2025-24529.patch \
		14	file://CVE-2025-24530.patch \
13	"	15	"
14		16
15	SRC_URI[sha256sum] = "c562feddc0f8ff5e69629113f273a0d024a65fb928c48e89ce614744d478296f"	17	SRC_URI[sha256sum] = "c562feddc0f8ff5e69629113f273a0d024a65fb928c48e89ce614744d478296f"
16		18
17	UPSTREAM_CHECK_URI = "https://www.phpmyadmin.net/downloads/"	19	UPSTREAM_CHECK_URI = "https://www.phpmyadmin.net/downloads/"
18	UPSTREAM_CHECK_REGEX = "phpMyAdmin-(?P<pver>\d+(\.\d+)+)-all-languages.tar.xz"	20	UPSTREAM_CHECK_REGEX = "phpMyAdmin-(?P<pver>\d+(\.\d+)+)-all-languages.tar.xz"
19		21