PMASA-2017-2

Announcement-ID: PMASA-2017-2

Date: 2017-01-24

Summary

php-gettext code execution

Description

The php-gettext library can suffer from a code execution vulnerability. However, there is no way to trigger this inside phpMyAdmin.

Severity

We consider this to be minor.

Affected Versions

phpMyAdmin is not vulnerable; we're just fixing a bug in an embedded library which can not be exploited within phpMyAdmin.

Solution

Upgrade to phpMyAdmin 4.6.6, 4.4.15.10, or 4.0.10.19 or newer or apply patch listed below.

References

The issue in phpMyAdmin codebase was spotted by Michal Čihař, the original issue has been fixed in php-gettext in 2015 without issuing CVE.

Assigned CVE ids: CVE-2015-8980

CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

The following commits have been made on the 4.4 branch to fix this issue:

The following commits have been made on the 4.0 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements