Hi Salvatore,

On Thu, May 8, 2025 at 12:50 AM Salvatore Bonaccorso <car...@debian.org> wrote:
>
> Hi,
>
> On Wed, May 07, 2025 at 02:19:48AM -0300, Leandro Cunha wrote:
> > Hi,
> >
> > I insisted on my intuition, which said that the versioning was wrong,
> > and checked with dpkg, which confirmed it. This has already been fixed
> > in my Salsa fork. Sorry.
> >
> > dpkg --compare-versions 5.21.14-0.1+deb12u1 lt 5.21.14-1
> > echo $?
> > 0 (true)
> > dpkg --compare-versions 5.21.14-1.1+deb12u1 lt 5.21.14-1
> > echo $?
> > 1 (false)
> >
> > lt: less than
> > Example: dpkg --compare-versions 1.0 lt 2.0 → true
> >
> > le: less than or equal
> > Example: dpkg --compare-versions 1.0 le 1.0 → true
> >
> > eq: equal
> > Example: dpkg --compare-versions 1.0 eq 1.0 → true
> >
> > ne: not equal
> > Example: dpkg --compare-versions 1.0 ne 2.0 → true
> >
> > ge: greater than or equal
> > Example: dpkg --compare-versions 2.0 ge 1.0 → true
> >
> > gt: greater than
> > Example: dpkg --compare-versions 2.0 gt 1.0 → true
>
> The base version in bookworm is 5.21.4-1, as such for the update
> please use 5.21.4-1+deb12u1 (not 5.21.4-1.1+deb12u1) (but retain the
> non-maintainer upload item in debian/changelog).
>
> Regards,
> Salvatore
Thanks for your answers. I just changed this in the fork and I need someone to approve the submitted MR and create a branch with the name bookworm, which is what is normally done in version control.

As I said, I have never done an NMU for the current stable version and this would be the first time. I apologize for the mistakes. I did the first build test like this, 5.21.4-1+deb12u1, in a virtual machine with bookworm (I use unstable/sid), but I saw an error from Lintian that confused me too. And I couldn't wait for a response for a long time, because there would be a freeze this weekend, as I saw on the list, and that's why I had to go ahead.

I believe it would be ready for approval.

--
Cheers,
Leandro Cunha
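The version checks quoted above, re-run with an added example that is not code from this thread or from dpkg: a Python port of dpkg's version ordering (Debian Policy 5.6.12), plus a check that a stable-update version follows the base+deb12uN convention Salvatore asks for. The function names `compare_versions`, `dpkg_compare` and `stable_update_ok` are my own.

```python
# Added example, not code from the thread or from dpkg: a Python port of dpkg's
# version ordering (Debian Policy 5.6.12) to check the versions discussed above.
def _order(c):
    """Weight of a non-digit character: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    return 0 if c.isdigit() else (ord(c) if c.isalpha() else ord(c) + 256)

def _verrevcmp(a, b):
    """Compare an upstream version or a Debian revision; returns <0, 0 or >0."""
    while a or b:
        first_diff = 0
        # leading run of non-digits, compared character by character
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = (_order(a[0]) if a else 0), (_order(b[0]) if b else 0)
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # following run of digits, compared numerically (leading zeros ignored)
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1           # a has more digits, so it is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    """dpkg ordering of '[epoch:]upstream[-revision]': returns -1, 0 or 1."""
    def split(v):
        epoch, v = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = v.rsplit("-", 1) if "-" in v else (v, "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def dpkg_compare(a, op, b):
    """Same truth value as `dpkg --compare-versions A OP B`."""
    ok = {"lt": (-1,), "le": (-1, 0), "eq": (0,), "ne": (-1, 1), "ge": (0, 1), "gt": (1,)}
    return compare_versions(a, b) in ok[op]

def stable_update_ok(base, candidate, unstable, release="12"):
    """A stable update is base+deb<release>uN, sorting above base and below unstable."""
    return (candidate.startswith(f"{base}+deb{release}u") and
            dpkg_compare(base, "lt", candidate) and dpkg_compare(candidate, "lt", unstable))
```

`stable_update_ok` rejects 5.21.4-1.1+deb12u1 even though it sorts correctly, because it is not built on the 5.21.4-1 base that is actually in bookworm.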
diffstat for libphp-adodb-5.21.4 libphp-adodb-5.21.4 changelog | 7 +++++ patches/00-fix-sec-pgsql-sql-injection.patch | 33 +++++++++++++++++++++++++++ patches/series | 1 3 files changed, 41 insertions(+) diff -Nru libphp-adodb-5.21.4/debian/changelog libphp-adodb-5.21.4/debian/changelog --- libphp-adodb-5.21.4/debian/changelog 2022-03-12 11:11:01.000000000 -0300 +++ libphp-adodb-5.21.4/debian/changelog 2025-05-06 18:39:03.000000000 -0300 @@ -1,3 +1,10 @@ +libphp-adodb (5.21.4-1+deb12u1) bookworm; urgency=high + + * Non-maintainer upload. + + Fix SQL injection in pg_insert_id(). (Closes: #1104548, CVE-2025-46337) + + -- Leandro Cunha <leandrocunha...@gmail.com> Tue, 06 May 2025 18:39:03 -0300 + libphp-adodb (5.21.4-1) unstable; urgency=medium * New upstream release. (Closes: #1004376) diff -Nru libphp-adodb-5.21.4/debian/patches/00-fix-sec-pgsql-sql-injection.patch libphp-adodb-5.21.4/debian/patches/00-fix-sec-pgsql-sql-injection.patch --- libphp-adodb-5.21.4/debian/patches/00-fix-sec-pgsql-sql-injection.patch 1969-12-31 21:00:00.000000000 -0300 +++ libphp-adodb-5.21.4/debian/patches/00-fix-sec-pgsql-sql-injection.patch 2025-05-04 11:35:10.000000000 -0300 
@@ -0,0 +1,33 @@ +Description: Fix SQL injection in pg_insert_id() + Properly escape the $tablename and $fieldname parameters used to build + the sequence name. +Forwarded: https://github.com/ADOdb/ADOdb/issues/1070 +Origin: https://github.com/ADOdb/ADOdb/commit/0774134f3311779495d16f74a35c872e353708c6.patch +Bug-Debian: https://bugs.debian.org/1104548 +Author: Damien Regad <dre...@mantisbt.org> + +From 11107d6d6e5160b62e05dff8a3a2678cf0e3a426 Mon Sep 17 00:00:00 2001 +From: Damien Regad <dre...@mantisbt.org> +Date: Sat, 26 Apr 2025 17:45:53 +0200 +Subject: [PATCH 1/2] Fix SQL injection in pg_insert_id() + +Properly escape the $tablename and $fieldname parameters used to build +the sequence name. +--- + drivers/adodb-postgres64.inc.php | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php +index b1d161d7c..5cbe77ed2 100644 +--- a/drivers/adodb-postgres64.inc.php ++++ b/drivers/adodb-postgres64.inc.php +@@ -138,7 +138,8 @@ function IfNull( $field, $ifNull ) + // get the last id - never tested + function pg_insert_id($tablename,$fieldname) + { +- $result=pg_query($this->_connectionID, 'SELECT last_value FROM '. $tablename .'_'. $fieldname .'_seq'); ++ $sequence = pg_escape_identifier($this->_connectionID, $tablename .'_'. $fieldname .'_seq'); ++ $result = pg_query($this->_connectionID, 'SELECT last_value FROM '. $sequence); + if ($result) { + $arr = @pg_fetch_row($result,0); + pg_free_result($result); diff -Nru libphp-adodb-5.21.4/debian/patches/series libphp-adodb-5.21.4/debian/patches/series --- libphp-adodb-5.21.4/debian/patches/series 1969-12-31 21:00:00.000000000 -0300 +++ libphp-adodb-5.21.4/debian/patches/series 2025-05-03 17:02:59.000000000 -0300 @@ -0,0 +1 @@ +00-fix-sec-pgsql-sql-injection.patch
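Review bot: the debian/changelog hunk now targets the 5.21.4-1 base with 5.21.4-1+deb12u1 and keeps the "Non-maintainer upload." item, matching what was requested in the thread, and the #1104548 / CVE-2025-46337 references agree with the Bug-Debian header of the patch; please confirm the distribution field, since a stable point-release upload targets `bookworm` as written here while an upload through the security team would target `bookworm-security`.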
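Review bot: in 00-fix-sec-pgsql-sql-injection.patch the DEP-3 `Origin:` header names upstream commit 0774134f3311779495d16f74a35c872e353708c6 while the embedded git header reads `From 11107d6d6e5160b62e05dff8a3a2678cf0e3a426` with `Subject: [PATCH 1/2]`; make the two agree (or say which is the PR commit and which the merged one) and state whether the second patch of that upstream series is needed for bookworm. On the code change itself, pg_escape_identifier() wraps the sequence name in double quotes, so a mixed-case $tablename or $fieldname that PostgreSQL previously folded to lower case is now looked up case-sensitively; this matches upstream's fix, but a line in the changelog would warn callers that relied on the old folding.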