Bug 245096

Summary: databases/phpmyadmin: 4.9.5 is not a vulnerable version, but still marked vulnerable (matches < 5.0.2 entries)
Product: Ports & Packages Reporter: peter.larsen
Component: Individual Port(s)Assignee: Max Khon <fjoe>
Status: Closed FIXED    
Severity: Affects Some People CC: fjoe, james, linus.sundqvist, ports-secteam
Priority: --- Keywords: security
Version: LatestFlags: bugzilla: maintainer-feedback? (joneum)
Hardware: Any   
OS: Any   

Description peter.larsen 2020-03-27 10:26:33 UTC 
While vuxml.freebsd.org link defines everything below phpMyAdmin version 4.9.5 as vulnerable, pkg identifies 4.9.5 as vulnerable 

# pkg info | grep phpMyAdmin
phpMyAdmin-php72-4.9.5         Set of PHP-scripts to manage MySQL over the web


# pkg audit -F
vulnxml file up-to-date
phpMyAdmin-php72-4.9.5 is vulnerable:
phpMyAdmin -- SQL injection
WWW: https://vuxml.FreeBSD.org/freebsd/97fcc60a-6ec0-11ea-a84a-4c72b94353b5.html
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-27 10:36:07 UTC 
Its the "phpMyAdmin{-php*} < 5.0.2" entries that are causing this:

phpMyAdmin 	< 	5.0.2
phpMyAdmin-php72 	< 	5.0.2
phpMyAdmin-php73 	< 	5.0.2
phpMyAdmin-php74 	< 	5.0.2

One would address this in the short term by removing the "< 5.0.2" entries for the *phpMyAdmin* (not phpmyadmin5) packages, as all 5.x versions live in the phpmyadmin5 port.

This is an issue, as at some point databases/phpmyadmin will be presumably updated to 5.x (when say, 4.x is deprecated), at which point the vuxml entries will be incorrect
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-27 10:42:15 UTC 
Since there is a single <package> definition (see below), each (every) <range> is added for each (every) <name>

    <affects>
      <package>
        <name>phpMyAdmin</name>
        <name>phpMyAdmin-php72</name>
        <name>phpMyAdmin-php73</name>
        <name>phpMyAdmin-php74</name>
        <name>phpMyAdmin5</name>
        <name>phpMyAdmin5-php72</name>
        <name>phpMyAdmin5-php73</name>
        <name>phpMyAdmin5-php74</name>
        <range><lt>4.9.5</lt></range>
        <range><lt>5.0.2</lt></range>
      </package>
    </affects>

Two <package> blocks, one with phpmyadmin, the other with phpmyadmin5, each with their own ranges, should resolve the issue
Comment 3 commit-hook freebsd_committer freebsd_triage 2020-05-05 05:33:30 UTC 
A commit references this bug:

Author: fjoe
Date: Tue May  5 05:32:48 UTC 2020
New revision: 534026
URL: https://svnweb.freebsd.org/changeset/ports/534026

Log:
  Fix version range for 97fcc60a-6ec0-11ea-a84a-4c72b94353b5:
  phpMyAdmin 4.9.5 is not vulnerable

  PR:		245096

Changes:
  head/security/vuxml/vuln.xml