[Bug 2013402] Re: [SRU] add PHP 8 on Apache2 conf & require PHP 8 (LP: #1975892) & CVE-2023-25727 & fix Recommends:
Athos Ribeiro
2013402 at bugs.launchpad.net
Fri May 12 02:57:35 UTC 2023
Hi William, sorry for the delay here. I got caught up in a work related
trip and let this one fall a bit behind.
I had a short discussion about this SRU with some other Ubuntu core-devs
and during that conversation, I was told that the change requiring
PHP >= 8 could be frowned upon when proposed as an SRU since it could
introduce a regression for some very specific use cases.
Since those use cases are custom (odd/non-supported) setups, I believe
that by adjusting the SRU template we can indeed have a good case for an
SRU. Therefore, I went ahead and made some adjustments to the SRU
paperwork in LP: #2016016.
I then made some minor adjustments to the patch and filed
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/phpmyadmin/+git/phpmyadmin/+merge/442711
so you can review that before we land it in mantic and start SRUing it
along with any of the other missing patches, when applicable.
Finally, in case you are interested, check out how I changed the SRU
paperwork in LP: #2016016. There is absolutely nothing wrong with the
initial paperwork file there. However, being very descriptive in the
test plan should make the whole SRU process smoother since the SRU
reviewers will want to have a deep understanding of the problem before
they accept the change.
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2013402
Title:
  [SRU] add PHP 8 on Apache2 conf & require PHP 8 (LP: #1975892) &
  CVE-2023-25727 & fix Recommends:
Status in phpMyAdmin: Unknown
Status in phpMyAdmin 5.1 series: New
Status in phpmyadmin package in Ubuntu: Fix Released
Status in phpmyadmin source package in Jammy: New
Status in phpmyadmin package in Debian: Fix Released
Bug description:
[ Impact ]
  * The PHP 8 support in the Apache2 conf will allow users to have a correct PHP `include_path`
    and prevent issues like https://github.com/phpmyadmin/phpmyadmin/issues/18299.
    This fix is already upstream in Debian and released.
  * Forcing PHP 8 is required, as users have posted their concerns about this subject all over the Internet since then
    - See: https://github.com/phpmyadmin/phpmyadmin/issues/17503
    - See: https://github.com/phpmyadmin/phpmyadmin/issues/17523 (same as above but with the hate/heat enabled)
    - The packaging of symfony is done so that it is impossible to run on PHP < 8
  * Updating Recommends: will allow users to only have to run `apt install phpmyadmin`
    and not end up confused about why the web page shows PHP source code.
    The Internet is filled with users asking why PHP code is displayed.
    This update is already upstream in Debian and released.
  * And finally a CVE fix for CVE-2023-25727, PMASA-2023-1.
    Already fixed upstream in Debian and released.
[ Test Plan ]
  * To reproduce the `include_path` bug
    - install phpmyadmin and `libapache2-mod-php`
    - browse http://localhost/phpmyadmin
    - see the working UI
    - set `php_admin_value open_basedir .` in an Apache2 conf file
      of your choice in `/etc/apache2/conf-enabled/`
    - restart Apache2
    - refresh the page: error 500, as reported in phpMyAdmin issue #18299
    - add the config block from my patch
    - restart Apache2
    - see the working UI
  * To reproduce the forced PHP 8 message, install deb sury's PHP 7.4
    or an Ubuntu jammy with PHP 7.4 installed and Apache2
    and the packages mentioned in https://bugs.launchpad.net/ubuntu/+source/symfony/+bug/1975892
    - now that everything is installed, admire the error 500
    - apply my patch on `libraries/common.inc.php`
    - refresh, and see the HTML
    Alternative solution: change the `PHP_VERSION_ID < 80000` to `true` and see the HTML.
  * To reproduce the "Recommends:" user problem
    - new VM
    - apt install phpmyadmin
    - service apache2 start
    - browse http://localhost/phpmyadmin
    - PHP code!
    - install `libapache2-mod-php` and restart Apache2
    - you can see the login page
  * About CVE-2023-25727
    - create a file named `"><img src=x onerror=alert(11)>.sql`
    - install phpmyadmin and a local database
    - log in
    - drag and drop the file
    - view the uploads and click `Failed` to see the XSS
    - apply the patch on `js/dist/drag_drop_import.js` to try it
    The real patch applies to the source file that is built at build time.
[ Where problems could occur ]
  * If the Apache2 config had a wrong syntax, the server would not start.
    If it did not work, the reproduction steps would not make the 500 error go away.
  * If "Recommends:" were wrong, you would be missing Apache2 by default.
    If the Recommends lets you install only the package
    and you can see HTML and not PHP code, then it works.
  * Users could complain about the PHP 8 version requirement,
    but that would mean they tweaked their distribution in a very weird way to have the symfony packages non-buggy.
  * If the CVE patch is not applied correctly, the code would break when you test the
    drag and drop.
[ Other Info ]
  * Do not forget to install the mbstring extension if it is not already there; this could be your first error 500 reason.
  * All the source code was pushed to https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/commits/ubuntu/jammy
Changelog:
  * Add PHP 8 support on apache2 conf
  * Require PHP >= 8.0 (Ref: LP: #1975892)
  * Recommend libapache2-mod-php and not apache2 to avoid
    displaying PHP code after the package install.
  * Add a patch for CVE-2023-25727, PMASA-2023-1
To manage notifications about this bug go to:
https://bugs.launchpad.net/phpmyadmin/+bug/2013402/+subscriptions
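The following JavaScript is an added example and is not phpMyAdmin's code, the patch from this bug, or anything from the thread above. It illustrates the general class of bug the CVE-2023-25727 test plan exercises: an uploaded file's name written into the page's HTML without escaping, shown beside the escaped form, plus a small check a reviewer can run to confirm that only the markup the code itself emits survives. The function names, markup and helper are assumptions; the sample file name is the one from the test plan.

```javascript
// Added example (not phpMyAdmin's code or the patch from this bug).
// Shows why an unescaped upload file name in generated markup is an XSS sink,
// and the corresponding fix. Function and class names are assumptions.

// Minimal HTML escaper for text and double-quoted attribute contexts.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the file name is concatenated straight into markup,
// both in an attribute and in element text. A crafted name closes the
// attribute and the tag and injects its own element.
function buildStatusRowUnsafe(fileName, status) {
  return '<div class="upload-row"><span class="name" title="' + fileName + '">' +
         fileName + '</span> <span class="status">' + status + '</span></div>';
}

// Hardened pattern: every untrusted value is escaped before concatenation.
// (Building the row with createElement/textContent would be equivalent.)
function buildStatusRowSafe(fileName, status) {
  const name = escapeHtml(fileName);
  return '<div class="upload-row"><span class="name" title="' + name + '">' +
         name + '</span> <span class="status">' + escapeHtml(status) + '</span></div>';
}

// Review check: does the produced markup contain any tag other than the
// ones the builder itself emits? Any extra tag means untrusted input
// reached the markup unescaped.
function containsForeignTag(html) {
  const allowed = new Set(['div', '/div', 'span', '/span']);
  const tags = html.match(/<\/?[a-zA-Z][^\s>/]*/g) || [];
  return tags.some(t => !allowed.has(t.slice(1).toLowerCase()));
}

// Constructed sample input: the file name used in the bug's test plan.
const SAMPLE_NAME = '"><img src=x onerror=alert(11)>.sql';

// Stand-alone demonstration: the unsafe builder leaks an extra tag, the
// safe one does not.
console.log('unsafe has foreign tag:', containsForeignTag(buildStatusRowUnsafe(SAMPLE_NAME, 'Failed')));
console.log('safe has foreign tag:  ', containsForeignTag(buildStatusRowSafe(SAMPLE_NAME, 'Failed')));
```

The `containsForeignTag` check is deliberately crude: it is a regression guard for this one builder, not a general HTML sanitiser. The actual fix is the escaping in `buildStatusRowSafe`; the check only exists so a test can fail loudly if someone reintroduces the raw concatenation.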