Bug 245096 - databases/phpmyadmin: 4.9.5 is not a vulnerable version, but still marked vulnerable (matches < 5.0.2 entries)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Max Khon
Keywords: security
Reported: 2020-03-27 10:26 UTC by peter.larsen
Modified: 2020-05-05 05:33 UTC
bugzilla: maintainer-feedback? (joneum)
Description peter.larsen 2020-03-27 10:26:33 UTC
While the vuxml.freebsd.org link defines everything below phpMyAdmin version 4.9.5 as vulnerable, pkg identifies 4.9.5 as vulnerable.

# pkg info | grep phpMyAdmin
phpMyAdmin-php72-4.9.5         Set of PHP-scripts to manage MySQL over the web


# pkg audit -F
vulnxml file up-to-date
phpMyAdmin-php72-4.9.5 is vulnerable:
phpMyAdmin -- SQL injection
WWW: https://vuxml.FreeBSD.org/freebsd/97fcc60a-6ec0-11ea-a84a-4c72b94353b5.html
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-27 10:36:07 UTC
It's the "phpMyAdmin{-php*} < 5.0.2" entries that are causing this:

phpMyAdmin 	< 	5.0.2
phpMyAdmin-php72 	< 	5.0.2
phpMyAdmin-php73 	< 	5.0.2
phpMyAdmin-php74 	< 	5.0.2

One would address this in the short term by removing the "< 5.0.2" entries for the *phpMyAdmin* (not phpmyadmin5) packages, as all 5.x versions live in the phpmyadmin5 port.

This is an issue, as at some point databases/phpmyadmin will presumably be updated to 5.x (when, say, 4.x is deprecated), at which point the vuxml entries will be incorrect.
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-27 10:42:15 UTC
Since there is a single <package> definition (see below), each (every) <range> is added for each (every) <name>.

    <affects>
      <package>
        <name>phpMyAdmin</name>
        <name>phpMyAdmin-php72</name>
        <name>phpMyAdmin-php73</name>
        <name>phpMyAdmin-php74</name>
        <name>phpMyAdmin5</name>
        <name>phpMyAdmin5-php72</name>
        <name>phpMyAdmin5-php73</name>
        <name>phpMyAdmin5-php74</name>
        <range><lt>4.9.5</lt></range>
        <range><lt>5.0.2</lt></range>
      </package>
    </affects>

Two <package> blocks, one with phpmyadmin, the other with phpmyadmin5, each with their own ranges, should resolve the issue.
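
The name-times-range matching described in comments 1 and 2, as an added example that is not part of the original thread or the FreeBSD tooling. It evaluates a combined `<package>` block and a split layout against sample installed packages; the helper names, the split layout (4.x names with `< 4.9.5`, phpMyAdmin5 names with `< 5.0.2`) and the simplified dotted-numeric version comparison are assumptions.

```python
import operator
import xml.etree.ElementTree as ET

# VuXML <range> child elements mapped to comparisons.
OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}

def package(names, bounds):
    """Render one <package> block with <lt> ranges (constructed sample input)."""
    body = "".join(f"<name>{n}</name>" for n in names)
    body += "".join(f"<range><lt>{b}</lt></range>" for b in bounds)
    return f"<package>{body}</package>"

V4 = ["phpMyAdmin", "phpMyAdmin-php72", "phpMyAdmin-php73", "phpMyAdmin-php74"]
V5 = [n.replace("phpMyAdmin", "phpMyAdmin5") for n in V4]

# One <package>: every range applies to every name (the layout in comment 2).
COMBINED = f"<affects>{package(V4 + V5, ['4.9.5', '5.0.2'])}</affects>"
# Assumed split: each port family carries only its own range.
SPLIT = f"<affects>{package(V4, ['4.9.5'])}{package(V5, ['5.0.2'])}</affects>"

def vtuple(version):
    # Simplification: plain dotted-numeric versions only, not pkg's full
    # version comparison (no epochs, port revisions or suffixes).
    return tuple(int(part) for part in version.split("."))

def matching_ranges(affects_xml, name, version):
    """Return the constraints of every <range> that flags name at version."""
    hits = []
    for pkg in ET.fromstring(affects_xml).iter("package"):
        if name not in [n.text for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            # All operators inside one <range> must hold together.
            checks = [(c.tag, c.text) for c in rng]
            if checks and all(OPS[op](vtuple(version), vtuple(bound))
                              for op, bound in checks):
                hits.append(checks)
    return hits

if __name__ == "__main__":
    samples = [("phpMyAdmin-php72", "4.9.5"), ("phpMyAdmin-php72", "4.9.4"),
               ("phpMyAdmin5-php72", "5.0.1")]
    for label, xml in (("combined", COMBINED), ("split", SPLIT)):
        for name, ver in samples:
            print(label, name, ver, matching_ranges(xml, name, ver))
```

With the combined block, phpMyAdmin-php72 4.9.5 is flagged only by the `< 5.0.2` range, which is the false positive reported in the description.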
Comment 3 commit-hook freebsd_committer 2020-05-05 05:33:30 UTC
A commit references this bug:

Author: fjoe
Date: Tue May  5 05:32:48 UTC 2020
New revision: 534026
URL: https://svnweb.freebsd.org/changeset/ports/534026

Log:
  Fix version range for 97fcc60a-6ec0-11ea-a84a-4c72b94353b5:
  phpMyAdmin 4.9.5 is not vulnerable

  PR:		245096

Changes:
  head/security/vuxml/vuln.xml