Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package phpmyadmin

There is one additional patch fixing PMASA-2017-8 (no CVE assigned yet). The debdiff is attached.

unblock phpmyadmin/4:4.6.6-2

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru phpmyadmin-4.6.6/debian/changelog phpmyadmin-4.6.6/debian/changelog --- phpmyadmin-4.6.6/debian/changelog 2017-01-24 09:14:39.000000000 +0100 +++ phpmyadmin-4.6.6/debian/changelog 2017-03-30 14:40:46.000000000 +0200 @@ -1,3 +1,10 @@ +phpmyadmin (4:4.6.6-2) unstable; urgency=high + + * Apply upstream patch to fix not working + $cfg['Servers'][$i]['AllowNoPassword'] (PMASA-2017-8). + + -- Michal Čihař <ni...@debian.org> Thu, 30 Mar 2017 14:40:46 +0200 + phpmyadmin (4:4.6.6-1) unstable; urgency=medium * New upstream release. diff -Nru phpmyadmin-4.6.6/debian/patches/series phpmyadmin-4.6.6/debian/patches/series --- phpmyadmin-4.6.6/debian/patches/series 2017-01-24 09:14:39.000000000 +0100 +++ phpmyadmin-4.6.6/debian/patches/series 2017-03-30 14:38:48.000000000 +0200 @@ -1 +1,2 @@ +Truncate-only-long-passwords.patch debian.patch diff -Nru phpmyadmin-4.6.6/debian/patches/Truncate-only-long-passwords.patch phpmyadmin-4.6.6/debian/patches/Truncate-only-long-passwords.patch --- phpmyadmin-4.6.6/debian/patches/Truncate-only-long-passwords.patch 1970-01-01 01:00:00.000000000 +0100 +++ phpmyadmin-4.6.6/debian/patches/Truncate-only-long-passwords.patch 2017-03-30 14:39:02.000000000 +0200 
@@ -0,0 +1,27 @@ +From 7232271a379396ca1d4b083af051262057003c41 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <mic...@cihar.com> +Date: Mon, 27 Mar 2017 15:55:35 +0200 +Subject: [PATCH 1/1] Truncate only long passwords +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This avoids problems with certain PHP versions returning false when +first parameter to substr is ''. + +Signed-off-by: Michal Čihař <mic...@cihar.com> +--- + libraries/common.inc.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/libraries/common.inc.php ++++ b/libraries/common.inc.php +@@ -739,7 +739,7 @@ + . ' ' . $cfg['Server']['auth_type'] + ); + } +- if (isset($_REQUEST['pma_password'])) { ++ if (isset($_REQUEST['pma_password']) && strlen($_REQUEST['pma_password']) > 256) { + $_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256); + } + $fqnAuthClass = 'PMA\libraries\plugins\auth\\' . $auth_class;
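
Review bot: In the libraries/common.inc.php hunk, the new condition calls strlen($_REQUEST['pma_password']) after only an isset() check, so a request that supplies pma_password as an array reaches strlen() (and, before this change, substr()) with a non-string value. Suggest checking is_string($_REQUEST['pma_password']) before the length test. The limit 256 is now written twice on adjacent lines, and the reason short values must skip substr() lives only in the commit message; a one-line comment above the condition stating that substr() can return false for '' on some PHP versions would keep the guard from being simplified away later.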
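
Review bot: The header of debian/patches/Truncate-only-long-passwords.patch never mentions PMASA-2017-8 or AllowNoPassword; only the debian/changelog entry ties the change to the advisory. Suggest adding a line to the patch description that names PMASA-2017-8 and says how the substr() result relates to the AllowNoPassword check, so the patch is self-explanatory when read from debian/patches/series without the changelog. The changelog wording "fix not working $cfg['Servers'][$i]['AllowNoPassword']" would also read more clearly if it stated the observed behaviour, given the upload is marked urgency=high.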