[Bug 2013402] Re: [SRU] add PHP 8 on Apache2 conf & require PHP 8 (LP: #1975892) & CVE-2023-25727 & fix Recommends:

Athos Ribeiro 2013402 at bugs.launchpad.net
Mon Apr 3 13:56:32 UTC 2023


Hi William,

Thanks so much for working on these.

While a single debdiff will suffice here, could we split this in
multiple bugs? Then each changelog entry can refer to a different LP
bug. This should make it easier for the SRU team to review this one
(each of the bugs should be filled with an SRU template). We can use LP:
#1975892 for the minimal version one.

Finally, we should make sure all these issues are also addressed in the
Ubuntu development version as well (lunar) before we can SRU them.
While we are in a freeze, we still have time to upload these to lunar
since they are all bug fixes.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2013402

Title:
  [SRU] add PHP 8 on Apache2 conf & require PHP 8 (LP: #1975892) &
  CVE-2023-25727 & fix Recommends:

Status in phpMyAdmin:
  Unknown
Status in phpMyAdmin 5.1 series:
  New
Status in phpmyadmin package in Ubuntu:
  New
Status in phpmyadmin package in Debian:
  Fix Released

Bug description:
  [ Impact ]

   * The PHP 8 support in Apache2 conf will allow users to have a correct PHP `include_path`
     and prevent issues like (https://github.com/phpmyadmin/phpmyadmin/issues/18299).
     This fix is already upstream Debian and released.

   * Forcing PHP 8 is required, as users have posted their concerns and invaded the Internet about this subject since then
      - See: https://github.com/phpmyadmin/phpmyadmin/issues/17503
      - See: https://github.com/phpmyadmin/phpmyadmin/issues/17523 (same as above but with the hate/heat enabled)
      - The packaging of symfony is made so it's impossible to run PHP < 8

   * Updating Recommends: will allow users to only have to do `apt install phpmyadmin`
     and not end up confused on why the webpage shows PHP source code.
     The Internet is filled with users asking why there is PHP code displayed.
     This update is already upstream Debian and released.

   * And finally a CVE fix for CVE-2023-25727, PMASA-2023-1
     Already fixed upstream Debian and released.

  [ Test Plan ]

   * To reproduce the `include_path` bug
     - install phpmyadmin and `libapache2-mod-php`
     - browse http://localhost/phpmyadmin
     - See the working UI
     - set `php_admin_value open_basedir .` in an Apache2 conf file
       of your choice in `/etc/apache2/conf-enabled/`.
     - restart Apache2
     - refresh the page, error 500 reported at phpMyAdmin issue #18299
     - add the config block from my patch
     - restart Apache2
     - See the working UI

   * To reproduce the forced PHP 8 message, install deb sury's PHP 7.4
     or an Ubuntu jammy with PHP 7.4 installed and Apache2
     and the packages mentioned in https://bugs.launchpad.net/ubuntu/+source/symfony/+bug/1975892
     - Now that everything is installed, admire the error 500
     - Apply my patch on `libraries/common.inc.php`
     - Refresh, and see the HTML
     Alternative solution, change the `PHP_VERSION_ID < 80000` to `true` and see the HTML.

   * To reproduce the "Recommends:" user problem
     - new VM
     - apt install phpmyadmin
     - service apache2 start
     - browse http://localhost/phpmyadmin
     - PHP code!
     - Install `libapache2-mod-php` and restart Apache2
     - You can see the login page

   * About CVE-2023-25727
     - create a file named `"><img src=x onerror=alert(11)>.sql`
     - install phpmyadmin and a local database
     - login
     - drag and drop the file
     - view the uploads and click `Failed` to see the XSS
     - apply the patch on `js/dist/drag_drop_import.js` to try it
       The real patch applies to the source file that is built at build time

  [ Where problems could occur ]

   * If the Apache2 config was in a wrong syntax the server would not start
     If it did not work, the reproduction steps would not lead to no more 500 error.

   * If "Recommends:" was wrong you would be missing Apache2 by default.
     If the recommends allowed you to only have to install the package
     and you can see HTML and not PHP code, then it works.

   * Users could complain about the change for the PHP 8 version required,
     but that would mean they tweaked their distribution in a very weird way to have the symfony packages non buggy.

   * If the CVE fix is not well applied, the code would break when you test the
     drag and drop

  [ Other Info ]

   * Do not forget to install the mbstring extension if it's not already here, this could be your first error 500 reason.
   * All the source code was pushed to https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/commits/ubuntu/jammy

  Changelog:
    * Add PHP 8 support on apache2 conf
    * Require PHP >= 8.0 (Ref: LP: #1975892)
    * Recommend libapache2-mod-php and not apache2 to avoid
      displaying PHP code after the package install.
    * Add a patch for CVE-2023-25727, PMASA-2023-1
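
The drag-and-drop case from the test plan above, as an added example that is not part of the bug report and is not phpMyAdmin's code: it shows why a file name starting with `">` needs escaping in both attribute and text context. The `upload_row` markup and all function names are hypothetical.

```javascript
// Added example; not phpMyAdmin code. Markup and function names are hypothetical.
'use strict';

// Escape the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the user-controlled file name is concatenated into markup.
function uploadRowUnsafe(fileName) {
  return '<li class="upload_row" title="' + fileName + '">' + fileName + '</li>';
}

// Hardened pattern: the name is escaped for both the attribute and the text node.
function uploadRowSafe(fileName) {
  const safe = escapeHtml(fileName);
  return '<li class="upload_row" title="' + safe + '">' + safe + '</li>';
}

// List the element names that the markup opens. A small scanner is enough for
// these rows: quoted attribute values are skipped, closing tags are ignored.
function openedTags(html) {
  const tags = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    tags.push(m[1].toLowerCase());
  }
  return tags;
}

// File name taken from the test plan in the bug description.
const FILE_NAME = '"><img src=x onerror=alert(11)>.sql';

// Unsafe row: the name closes the title attribute and opens extra elements.
console.log(openedTags(uploadRowUnsafe(FILE_NAME)));
// Safe row: only the intended <li> element is opened.
console.log(openedTags(uploadRowSafe(FILE_NAME)));
```

A regression test for the packaged fix can use the same idea: render the failed-upload entry for that file name and check that no element other than the expected ones appears.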
