Version in base suite: 5.21.4-1+deb12u1 Base version: libphp-adodb_5.21.4-1+deb12u1 Target version: libphp-adodb_5.21.4-1+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libp/libphp-adodb/libphp-adodb_5.21.4-1+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libp/libphp-adodb/libphp-adodb_5.21.4-1+deb12u2.dsc changelog | 8 +++ patches/CVE-2025-54119-2.patch | 47 ++++++++++++++++++++++ patches/CVE-2025-54119.patch | 87 +++++++++++++++++++++++++++++++++++++++++ patches/series | 2 4 files changed, 144 insertions(+) diff -Nru libphp-adodb-5.21.4/debian/changelog libphp-adodb-5.21.4/debian/changelog --- libphp-adodb-5.21.4/debian/changelog 2025-05-06 21:39:03.000000000 +0000 +++ libphp-adodb-5.21.4/debian/changelog 2025-09-17 08:02:21.000000000 +0000 @@ -1,3 +1,11 @@ +libphp-adodb (5.21.4-1+deb12u2) bookworm; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2025-54119: SQL injection in sqlite drivers (Closes: #1110464) + + Both sqlite and sqlite3 drivers have patched to fix the issue. + + -- Abhijith PA Wed, 17 Sep 2025 13:32:21 +0530 + libphp-adodb (5.21.4-1+deb12u1) bookworm; urgency=high * Non-maintainer upload. diff -Nru libphp-adodb-5.21.4/debian/patches/CVE-2025-54119-2.patch libphp-adodb-5.21.4/debian/patches/CVE-2025-54119-2.patch --- libphp-adodb-5.21.4/debian/patches/CVE-2025-54119-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libphp-adodb-5.21.4/debian/patches/CVE-2025-54119-2.patch 2025-09-17 08:02:21.000000000 +0000 @@ -0,0 +1,47 @@ +From 5b8bd52cdcffefb4ecded1b399c98cfa516afe03 Mon Sep 17 00:00:00 2001 +From: Damien Regad +Date: Sat, 19 Jul 2025 18:37:59 +0200 +Subject: [PATCH] Prevent SQL injection in sqlite3 driver + +Use query parameters instead of injecting the table name in the SQL, in +the following methods: +- metaColumns() +- metaForeignKeys() +- metaIndexes() + +Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability. + +Fixes #1083, CVE-2025-54119, GHSA-vf2r-cxg9-p7rf +--- +--- a/drivers/adodb-sqlite.inc.php ++++ b/drivers/adodb-sqlite.inc.php +@@ -95,7 +95,9 @@ class ADODB_sqlite extends ADOConnection + if ($this->fetchMode !== false) { + $savem = $this->SetFetchMode(false); + } +- $rs = $this->Execute("PRAGMA table_info('$table')"); ++ ++ $rs = $this->execute("PRAGMA table_info(?)", array($table)); ++ + if (isset($savem)) { + $this->SetFetchMode($savem); + } +@@ -167,7 +169,6 @@ class ADODB_sqlite extends ADOConnection + return ($col) ? "adodb_date2($fmt,$col)" : "adodb_date($fmt)"; + } + +- + function _createFunctions() + { + @sqlite_create_function($this->_connectionID, 'adodb_date', 'adodb_date', 1); +@@ -319,8 +320,8 @@ class ADODB_sqlite extends ADOConnection + if ($this->fetchMode !== FALSE) { + $savem = $this->SetFetchMode(FALSE); + } +- $SQL=sprintf("SELECT name,sql FROM sqlite_master WHERE type='index' AND tbl_name='%s'", strtolower($table)); +- $rs = $this->Execute($SQL); ++ $SQL="SELECT name,sql FROM sqlite_master WHERE type='index' AND tbl_name=?"; ++ $rs = $this->Execute($SQL,[strtolower($table)]); + if (!is_object($rs)) { + if (isset($savem)) { + $this->SetFetchMode($savem); diff -Nru libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch --- libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch 1970-01-01 00:00:00.000000000 +0000 +++ libphp-adodb-5.21.4/debian/patches/CVE-2025-54119.patch 2025-09-17 07:58:24.000000000 +0000 @@ -0,0 +1,87 @@ +From 5b8bd52cdcffefb4ecded1b399c98cfa516afe03 Mon Sep 17 00:00:00 2001 +From: Damien Regad +Date: Sat, 19 Jul 2025 18:37:59 +0200 +Subject: [PATCH] Prevent SQL injection in sqlite3 driver + +Use query parameters instead of injecting the table name in the SQL, in +the following methods: +- metaColumns() +- metaForeignKeys() +- metaIndexes() + +Thanks to Marco Nappi (@mrcnpp) for reporting this vulnerability. + +Fixes #1083, CVE-2025-54119, GHSA-vf2r-cxg9-p7rf +--- + drivers/adodb-sqlite3.inc.php | 37 ++++++++++++++--------------------- + 1 file changed, 15 insertions(+), 22 deletions(-) + +--- a/drivers/adodb-sqlite3.inc.php ++++ b/drivers/adodb-sqlite3.inc.php +@@ -160,7 +160,9 @@ class ADODB_sqlite3 extends ADOConnectio + if ($this->fetchMode !== false) { + $savem = $this->SetFetchMode(false); + } +- $rs = $this->Execute("PRAGMA table_info('$table')"); ++ ++ $rs = $this->execute("PRAGMA table_info(?)", array($table)); ++ + if (isset($savem)) { + $this->SetFetchMode($savem); + } +@@ -214,9 +216,8 @@ class ADODB_sqlite3 extends ADOConnectio + ) + WHERE type != 'meta' + AND sql NOTNULL +- AND LOWER(name) ='" . strtolower($table) . "'"; +- +- $tableSql = $this->getOne($sql); ++ AND LOWER(name) = ?"; ++ $tableSql = $this->getOne($sql, [strtolower($table)]); + + $fkeyList = array(); + $ylist = preg_split("/,+/",$tableSql); +@@ -433,6 +434,7 @@ class ADODB_sqlite3 extends ADOConnectio + $savem = $this->SetFetchMode(FALSE); + } + ++ $table = strtolower($table); + $pragmaData = array(); + + /* +@@ -441,26 +443,17 @@ class ADODB_sqlite3 extends ADOConnectio + */ + if ($primary) + { +- $sql = sprintf('PRAGMA table_info([%s]);', +- strtolower($table) +- ); +- $pragmaData = $this->getAll($sql); ++ $sql = 'PRAGMA table_info(?)'; ++ $pragmaData = $this->getAll($sql, [$table]); + } + +- /* +- * Exclude the empty entry for the primary index +- */ +- $sqlite = "SELECT name,sql +- FROM sqlite_master +- WHERE type='index' +- AND sql IS NOT NULL +- AND LOWER(tbl_name)='%s'"; +- +- $SQL = sprintf($sqlite, +- strtolower($table) +- ); +- +- $rs = $this->execute($SQL); ++ // Exclude the empty entry for the primary index ++ $sql = "SELECT name,sql ++ FROM sqlite_master ++ WHERE type='index' ++ AND sql IS NOT NULL ++ AND LOWER(tbl_name)=?"; ++ $rs = $this->execute($sql, [$table]); + + if (!is_object($rs)) { + if (isset($savem)) { diff -Nru libphp-adodb-5.21.4/debian/patches/series libphp-adodb-5.21.4/debian/patches/series --- libphp-adodb-5.21.4/debian/patches/series 2025-05-06 21:39:03.000000000 +0000 +++ libphp-adodb-5.21.4/debian/patches/series 2025-09-17 08:02:21.000000000 +0000 @@ -1 +1,3 @@ 00-fix-sec-pgsql-sql-injection.patch +CVE-2025-54119.patch +CVE-2025-54119-2.patch