phpmyadmin: CVE-2015-8669

libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12,
4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers
to obtain sensitive information via a crafted request, which reveals
the full path in an error message.

This patch is from https://github.com/phpmyadmin/phpmyadmin/commit/c4d649325b25139d7c097e56e2e46cc7187fae45

Signed-off-by: Jian Liu <jian.liu@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

1 files changed, 18 insertions, 0 deletions

diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2015-8669.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2015-8669.patch
new file mode 100644
index 0000000000..65fff6455e
--- /dev/null
+++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2015-8669.patch
@@ -0,0 +1,18 @@
+[Security] Path disclosure, see PMASA-2015-6
+
+Upstream-Status: Bacport
+
+Signed-off-by: Marc Delisle <marc@infomarc.info>
+
+diff -Nur phpMyAdmin-4.5.0.2-all-languages.orig/libraries/config/messages.inc.php phpMyAdmin-4.5.0.2-all-languages/libraries/config/messages.inc.php
+--- phpMyAdmin-4.5.0.2-all-languages.orig/libraries/config/messages.inc.php	2016-01-20 15:11:15.410106888 +0800
++++ phpMyAdmin-4.5.0.2-all-languages/libraries/config/messages.inc.php	2016-01-20 15:14:05.758108076 +0800
+@@ -11,7 +11,7 @@
+  */
+ 
+ if (!function_exists('__')) {
+-    PMA_fatalError('Bad invocation!');
++    exit();
+ }
+ 
+ $strConfigAllowArbitraryServer_desc = __(