PMASA-2017-2

Announcement-ID: PMASA-2017-2

Date: 2017-01-24

Summary

php-gettext code execution

Description

The php-gettext library can suffer to code execution. However there is no way to trigger this inside phpMyAdmin.

Severity

We consider this to be minor.

Affected Versions

phpMyAdmin is not vulberable, we're just fixing bug in embedded library which can not be exploited within phpMyAdmin.

Solution

Upgrade to phpMyAdmin 4.6.6, 4.4.15.10, or 4.0.10.19 or newer or apply patch listed below.

References

The issue in phpMyAdmin codebase was spot by Michal Čihař, the original issue has been fixed in php-gettext in 2015 without issuing CVE.

Assigned CVE ids: CVE-2015-8980

CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

The following commits have been made on the 4.4 branch to fix this issue:

The following commits have been made on the 4.0 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements