Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi, Please unblock package adminer. Per the security team advice, the updated version contains a fix for: CVE-2021-29625: XSS in doc_link diff -Nru adminer-4.7.9/debian/changelog adminer-4.7.9/debian/changelog --- adminer-4.7.9/debian/changelog 2021-02-08 09:30:28.000000000 +0100 +++ adminer-4.7.9/debian/changelog 2021-05-26 09:13:52.000000000 +0200 @@ -1,3 +1,9 @@ +adminer (4.7.9-2) unstable; urgency=medium + + * fix CVE-2021-29625: XSS in doc_link (Closes: #988886) + + -- Alexandre Rossi <alexandre.ro...@gmail.com> Wed, 26 May 2021 09:13:52 +0200 + adminer (4.7.9-1) unstable; urgency=medium * New upstream version 4.7.9 diff -Nru adminer-4.7.9/debian/patches/CVE-2021-29625.patch adminer-4.7.9/debian/patches/CVE-2021-29625.patch --- adminer-4.7.9/debian/patches/CVE-2021-29625.patch 1970-01-01 01:00:00.000000000 +0100 +++ adminer-4.7.9/debian/patches/CVE-2021-29625.patch 2021-05-26 09:08:59.000000000 +0200 
@@ -0,0 +1,18 @@ +From: 4043092ec2c0de2258d60a99d0c5958637d051a7 +Author: Jakub Vrana <ja...@vrana.cz> +Date: Fri May 14 06:39:01 2021 +0200 +Subject: Escape link in doc_link (bug #797) + +diff --git a/adminer/include/editing.inc.php b/adminer/include/editing.inc.php +index 88d66d44..5556b014 100644 +--- a/adminer/include/editing.inc.php ++++ b/adminer/include/editing.inc.php +@@ -542,7 +542,7 @@ function doc_link($paths, $text = "<sup>?</sup>") { + $urls['sql'] = "https://mariadb.com/kb/en/library/"; + $paths['sql'] = (isset($paths['mariadb']) ? $paths['mariadb'] : str_replace(".html", "/", $paths['sql'])); + } +- return ($paths[$jush] ? "<a href='$urls[$jush]$paths[$jush]'" . target_blank() . ">$text</a>" : ""); ++ return ($paths[$jush] ? "<a href='" . h($urls[$jush] . $paths[$jush]) . "'" . target_blank() . ">$text</a>" : ""); + } + + /** Wrap gzencode() for usage in ob_start() diff -Nru adminer-4.7.9/debian/patches/series adminer-4.7.9/debian/patches/series --- adminer-4.7.9/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ adminer-4.7.9/debian/patches/series 2021-05-26 09:08:59.000000000 +0200 @@ -0,0 +1 @@ +CVE-2021-29625.patch unblock adminer/4.7.9-2 -- System Information: Debian Release: 10.9 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
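Review bot: in the editing.inc.php hunk of CVE-2021-29625.patch, the href is single-quoted (`<a href='" . h($urls[$jush] . $paths[$jush]) . "'`), so the fix only closes the XSS if h() also encodes single quotes; please confirm that the h() shipped in 4.7.9 does so, otherwise a path containing a `'` still breaks out of the attribute. The `$text` argument (default `<sup>?</sup>`) is still interpolated unescaped, which is acceptable only while every caller passes fixed markup, so a comment to that effect in the function would help the next reviewer. Also, the patch header records the upstream commit only in a `From:` line; DEP-3 `Origin: upstream, <commit URL>` and `Bug-Debian: https://bugs.debian.org/988886` headers (the bug the changelog entry closes) would make provenance easier to verify during the unblock review.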