databases/adminer: Update 5.3.0 => 5.4.1, deprecate

Changelogs:
https://github.com/vrana/adminer/releases/tag/v5.4.0
https://github.com/vrana/adminer/releases/tag/v5.4.1

- Patch crypto keys to be generated using OS-provided PRNG rather than
  a timestamp.
- Patch passwords to be encrypted with aes256-gcm rather than xxtea.
- Add 5 additional plugins.
- Also mark this as expired for an obvious reason: the issues that are
  patched here will likely never be fixed upstream.
- And there are 3 CVEs (the code in the port is not affected, however,
  because the related parts aren't included), which have been unfixed for
  an extended period:
    https://nvd.nist.gov/vuln/detail/CVE-2023-45195
    https://nvd.nist.gov/vuln/detail/CVE-2023-45196
    https://nvd.nist.gov/vuln/detail/CVE-2023-45197

PR:	290365
Paavo-Einari Kaipila
2025-11-14 14:45:34 +03:00
committed by Vladimir Druzenko
parent 4488884ee0
commit ecd5b3f323
5 changed files with 111 additions and 17 deletions
+18 -8
@@ -1,11 +1,9 @@
PORTNAME= adminer
DISTVERSION= 5.3.0
PORTREVISION= 2
DISTVERSION= 5.4.1
CATEGORIES= databases www
MASTER_SITES= https://github.com/vrana/${PORTNAME}/releases/download/v${DISTVERSION}/
PKGNAMEPREFIX= ${PHP_PKGNAMEPREFIX}
DISTFILES= ${PORTNAME}-${DISTVERSION}.php ${PORTNAME}-${DISTVERSION}.zip
EXTRACT_ONLY= ${PORTNAME}-${DISTVERSION}.zip
DISTFILES= ${PORTNAME}-${DISTVERSION}.zip
MAINTAINER= pkaipila@gmail.com
COMMENT= Full-featured database management tool in a single PHP file
@@ -13,8 +11,16 @@ WWW= https://www.adminer.org
LICENSE= APACHE20
DEPRECATED= Project's poor security practices
EXPIRATION_DATE=2026-06-31
USES= cpe php:build,flavors
USE_PHP= phar session zlib
USE_GITHUB= nodefault
_FORCED_TAG= 1.2
_PEMATON_TAG= 99912d508a1b39db27910ef6c6dd07bab9368670
GH_TUPLE= MirLach:adminer-forced-server:${_FORCED_TAG}:forcedserver \
vrana:adminer-plugins-pematon:${_PEMATON_TAG}:pematon
USE_PHP= phar session tokenizer zlib
NO_ARCH= yes
@@ -33,13 +39,17 @@ PGSQL_USE= PHP=pgsql
SQLITE_USE= PHP=sqlite3
do-build:
${CP} ${DISTDIR}/${PORTNAME}-${DISTVERSION}.php ${WRKSRC}/${PORTNAME}.php
${MV} ${WRKDIR}/adminer-forced-server-${_FORCED_TAG}/adminer-plugins/forced-server.php \
${WRKDIR}/adminer-plugins-pematon-${_PEMATON_TAG}/*.php \
${WRKSRC}/plugins
@(cd ${WRKSRC} && ${LOCALBASE}/bin/php ${WRKSRC}/compile.php)
${MV} ${WRKSRC}/${PORTNAME}-${DISTVERSION}.php ${WRKSRC}/${PORTNAME}.php
${CP} ${FILESDIR}/makephar.php ${WRKSRC}
${LOCALBASE}/bin/php -d phar.readonly=0 ${WRKSRC}/makephar.php
do-install:
${MKDIR} ${STAGEDIR}${WWWDIR}
${INSTALL_DATA} ${WRKSRC}/index.php ${STAGEDIR}${WWWDIR}
${INSTALL_DATA} ${FILESDIR}/adminer-plugins-example.php ${STAGEDIR}${WWWDIR}
${INSTALL_SCRIPT} ${WRKSRC}/index.php ${STAGEDIR}${WWWDIR}
${INSTALL_SCRIPT} ${FILESDIR}/adminer-plugins-example.php ${STAGEDIR}${WWWDIR}
.include <bsd.port.mk>
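Review bot: `EXPIRATION_DATE=2026-06-31` in the second hunk is not a calendar date, since June has 30 days, so tooling that parses the field may reject it or handle the port's expiry inconsistently; `EXPIRATION_DATE=2026-06-30` looks like what was meant. Separately, in the do-install target the switch from `${INSTALL_DATA}` to `${INSTALL_SCRIPT}` installs `index.php` and `adminer-plugins-example.php` under `${WWWDIR}` with the executable script mode. PHP files that are only read by a web server normally need read access alone, so unless something executes them directly, keeping `${INSTALL_DATA}` is the tighter choice.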
+5 -5
@@ -1,5 +1,5 @@
TIMESTAMP = 1754700167
SHA256 (adminer-5.3.0.php) = 7dcc196e941b18b74635afe1740dcd86970ab08b8eba0f00f149925aea3972ed
SIZE (adminer-5.3.0.php) = 504560
SHA256 (adminer-5.3.0.zip) = ec49d9d1faf1f22e835c73b913feb993e87e5ae7e54e8f1e0583515409a1eca8
SIZE (adminer-5.3.0.zip) = 873271
TIMESTAMP = 1763089532
SHA256 (MirLach-adminer-forced-server-1.2_GH0.tar.gz) = 8f00a802ed5e6f323a28d46edac026926dc294f5e50e393c6a3827aba0c0a886
SIZE (MirLach-adminer-forced-server-1.2_GH0.tar.gz) = 5685
SHA256 (vrana-adminer-plugins-pematon-99912d508a1b39db27910ef6c6dd07bab9368670_GH0.tar.gz) = a38e075f1c70fa4acdbe54ebedf52e7901e89739ff277d7a340f87923aaa6cbd
SIZE (vrana-adminer-plugins-pematon-99912d508a1b39db27910ef6c6dd07bab9368670_GH0.tar.gz) = 8128
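Review bot: The new distinfo, as rendered here, has no `SHA256`/`SIZE` entry for `adminer-5.4.1.zip`: the hunk header gives five lines, and they are the timestamp plus the two GitHub tarballs, while the Makefile section still sets `DISTFILES= ${PORTNAME}-${DISTVERSION}.zip`. Without that entry the main distfile fetched from MASTER_SITES has no recorded hash to be verified against, and the checksum stage would normally stop the build. Regenerating the file with `make makesum` and committing the resulting `SHA256 (adminer-5.4.1.zip)` and `SIZE (adminer-5.4.1.zip)` lines would close the gap. If the entry exists in the tree and was only lost in this view, nothing is needed.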
+7 -4
@@ -15,14 +15,16 @@ $stub = <<<STUB
<?php
/******************************************************************************
*
* All Adminer plugins are now included in this
* Adminer plugins are now included in this
* FreeBSD ports edition, no need to download
* them separately.
* https://www.adminer.org/en/plugins/
*
* copyright Paavo-Einari Kaipila (FreeBSD ports edition)
* copyright Jakub Vrana (original Adminer)
*
* copyright Jakub Vrana (Adminer)
* copyright MirLach (ForcedServer plugin)
* copyright Pematon (Collations, JsonPreview, LoginServers and SimpleMenu plugins)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
@@ -68,7 +70,7 @@ foreach(new DirectoryIterator(__DIR__ . '/plugins') as $file)
* in Adminer editor.
*/
&& !str_starts_with($fileName, 'editor')
&& preg_match('/class\s(A[a-zA-Z0-9]+)\sextends\sAdminer/', $contents, $m)
&& preg_match('/class\s(A[a-zA-Z0-9]+)\s(extends\sAdminer|\{)/', $contents, $m)
) {
$plugins[$pharFile] = $contents;
$classMap[$m[1]] = $file->getFileName();
@@ -110,6 +112,7 @@ foreach($plugins as $file => $contents)
$contents
);
}
$phar->compressFiles(Phar::GZ);
$phar->addFromString(
'adminer.php',
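Review bot: `$phar->compressFiles(Phar::GZ);` in the last hunk is called before the `addFromString('adminer.php', …)` that follows it, and `compressFiles()` applies to entries already in the archive, so as far as this hunk shows the main `adminer.php` entry would be stored uncompressed. If the intent is to compress the whole archive, move the call after the last file is added. If leaving `adminer.php` uncompressed is deliberate, a one-line comment saying so would help, for example `// adminer.php is added after compression on purpose`. The `addFromString` statement continues past the end of the hunk, so later code may already handle this.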
@@ -0,0 +1,11 @@
--- adminer/include/functions.inc.php.orig 2025-10-19 12:05 UTC
+++ adminer/include/functions.inc.php
@@ -761,7 +761,7 @@
* @return string 32 hexadecimal characters
*/
function rand_string(): string {
- return md5(uniqid(strval(mt_rand()), true));
+ return bin2hex(random_bytes(32));
}
/** Format value to use in select
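Review bot: `bin2hex(random_bytes(32))` returns 64 hexadecimal characters, while the docblock kept just above still promises `@return string 32 hexadecimal characters`, which the old `md5()` result satisfied. Callers that assume the old length (a fixed-width field, a cookie value or a length check) are not visible here and could be affected. Either keep the documented length with `return bin2hex(random_bytes(16));`, which is still 128 bits from the OS CSPRNG, or extend the patch so the docblock says 64 characters.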
@@ -0,0 +1,70 @@
--- adminer/include/xxtea.inc.php.orig 2025-11-14 10:44:16 UTC
+++ adminer/include/xxtea.inc.php
@@ -45,6 +45,11 @@
return int32((($z >> 5 & 0x7FFFFFF) ^ $y << 2) + (($y >> 3 & 0x1FFFFFFF) ^ $z << 4)) ^ int32(($sum ^ $y) + ($k ^ $z));
}
+const AES256_NAME = 'aes-256-gcm';
+const AES256_KEY_BYTES = 32;
+const AES256_NONCE_BYTES = 12;
+const AES256_TAG_BYTES = 16;
+
/** Cipher
* @param string $str plain-text password
* @return string binary cipher
@@ -53,6 +58,20 @@
if ($str == "") {
return "";
}
+ $key = hash_hkdf('sha256', $key, AES256_KEY_BYTES, AES256_NAME);
+ $nonce = random_bytes(AES256_NONCE_BYTES);
+ $cipherText = openssl_encrypt(
+ $str,
+ AES256_NAME,
+ $key,
+ OPENSSL_RAW_DATA,
+ $nonce,
+ $tag,
+ '',
+ AES256_TAG_BYTES
+ );
+ return $nonce . $tag . $cipherText;
+/*
$key = array_values(unpack("V*", pack("H*", md5($key))));
$v = str2long($str, true);
$n = count($v) - 1;
@@ -75,6 +94,7 @@
$v[$n] = $z;
}
return long2str($v, false);
+*/
}
/** Decipher
@@ -88,6 +108,20 @@
if (!$key) {
return false;
}
+ $key = hash_hkdf('sha256', $key, AES256_KEY_BYTES, AES256_NAME);
+ $nonce = substr($str, 0, AES256_NONCE_BYTES);
+ $tag = substr($str, AES256_NONCE_BYTES, AES256_TAG_BYTES);
+ $cipherText = substr($str, AES256_NONCE_BYTES + AES256_TAG_BYTES);
+ return openssl_decrypt(
+ $cipherText,
+ AES256_NAME,
+ $key,
+ OPENSSL_RAW_DATA,
+ $nonce,
+ $tag,
+ ''
+ );
+/*
$key = array_values(unpack("V*", pack("H*", md5($key))));
$v = str2long($str, false);
$n = count($v) - 1;
@@ -110,4 +144,5 @@
$sum = int32($sum - 0x9E3779B9);
}
return long2str($v, true);
+*/
}
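Review bot: The decrypt hunk (`@@ -88,6 +108,20 @@`) slices `$str` into nonce, tag and ciphertext without first checking that it is at least `AES256_NONCE_BYTES + AES256_TAG_BYTES` long, and the encrypt hunk (`@@ -53,6 +58,20 @@`) concatenates the result of `openssl_encrypt()` without checking it for `false`. A short value, or one stored in the old XXTEA format, then reaches `openssl_decrypt()` with a truncated nonce or tag, and a failed encryption returns a nonce-and-tag blob that looks like valid output. Adding `if (strlen($str) < AES256_NONCE_BYTES + AES256_TAG_BYTES) { return false; }` before the `substr()` calls matches the existing `return false` on a missing key, and a `$cipherText === false` check before `return $nonce . $tag . $cipherText;` covers the encrypt side. Both function signatures lie outside the hunks, so how callers treat these return values is not visible here.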