databases/adminer: Update 5.3.0 => 5.4.1, deprecate
Changelogs: https://github.com/vrana/adminer/releases/tag/v5.4.0 https://github.com/vrana/adminer/releases/tag/v5.4.1 - Patch crypto keys to be generated using the OS-provided PRNG rather than a timestamp. - Patch passwords to be encrypted with aes256-gcm rather than xxtea. - Add 5 additional plugins. - Also mark this port as expired for an obvious reason: the issues patched here will likely never be fixed upstream. - There are also 3 CVEs that have remained unfixed for an extended period (the code in the port is not affected, however, because the related parts are not included): https://nvd.nist.gov/vuln/detail/CVE-2023-45195 https://nvd.nist.gov/vuln/detail/CVE-2023-45196 https://nvd.nist.gov/vuln/detail/CVE-2023-45197 PR: 290365
committed by
Vladimir Druzenko
parent
4488884ee0
commit
ecd5b3f323
@@ -1,11 +1,9 @@
|
||||
PORTNAME= adminer
|
||||
DISTVERSION= 5.3.0
|
||||
PORTREVISION= 2
|
||||
DISTVERSION= 5.4.1
|
||||
CATEGORIES= databases www
|
||||
MASTER_SITES= https://github.com/vrana/${PORTNAME}/releases/download/v${DISTVERSION}/
|
||||
PKGNAMEPREFIX= ${PHP_PKGNAMEPREFIX}
|
||||
DISTFILES= ${PORTNAME}-${DISTVERSION}.php ${PORTNAME}-${DISTVERSION}.zip
|
||||
EXTRACT_ONLY= ${PORTNAME}-${DISTVERSION}.zip
|
||||
DISTFILES= ${PORTNAME}-${DISTVERSION}.zip
|
||||
|
||||
MAINTAINER= pkaipila@gmail.com
|
||||
COMMENT= Full-featured database management tool in a single PHP file
|
||||
@@ -13,8 +11,16 @@ WWW= https://www.adminer.org
|
||||
|
||||
LICENSE= APACHE20
|
||||
|
||||
DEPRECATED= Project's poor security practices
|
||||
EXPIRATION_DATE=2026-06-31
|
||||
|
||||
USES= cpe php:build,flavors
|
||||
USE_PHP= phar session zlib
|
||||
USE_GITHUB= nodefault
|
||||
_FORCED_TAG= 1.2
|
||||
_PEMATON_TAG= 99912d508a1b39db27910ef6c6dd07bab9368670
|
||||
GH_TUPLE= MirLach:adminer-forced-server:${_FORCED_TAG}:forcedserver \
|
||||
vrana:adminer-plugins-pematon:${_PEMATON_TAG}:pematon
|
||||
USE_PHP= phar session tokenizer zlib
|
||||
|
||||
NO_ARCH= yes
|
||||
|
||||
@@ -33,13 +39,17 @@ PGSQL_USE= PHP=pgsql
|
||||
SQLITE_USE= PHP=sqlite3
|
||||
|
||||
do-build:
|
||||
${CP} ${DISTDIR}/${PORTNAME}-${DISTVERSION}.php ${WRKSRC}/${PORTNAME}.php
|
||||
${MV} ${WRKDIR}/adminer-forced-server-${_FORCED_TAG}/adminer-plugins/forced-server.php \
|
||||
${WRKDIR}/adminer-plugins-pematon-${_PEMATON_TAG}/*.php \
|
||||
${WRKSRC}/plugins
|
||||
@(cd ${WRKSRC} && ${LOCALBASE}/bin/php ${WRKSRC}/compile.php)
|
||||
${MV} ${WRKSRC}/${PORTNAME}-${DISTVERSION}.php ${WRKSRC}/${PORTNAME}.php
|
||||
${CP} ${FILESDIR}/makephar.php ${WRKSRC}
|
||||
${LOCALBASE}/bin/php -d phar.readonly=0 ${WRKSRC}/makephar.php
|
||||
|
||||
do-install:
|
||||
${MKDIR} ${STAGEDIR}${WWWDIR}
|
||||
${INSTALL_DATA} ${WRKSRC}/index.php ${STAGEDIR}${WWWDIR}
|
||||
${INSTALL_DATA} ${FILESDIR}/adminer-plugins-example.php ${STAGEDIR}${WWWDIR}
|
||||
${INSTALL_SCRIPT} ${WRKSRC}/index.php ${STAGEDIR}${WWWDIR}
|
||||
${INSTALL_SCRIPT} ${FILESDIR}/adminer-plugins-example.php ${STAGEDIR}${WWWDIR}
|
||||
|
||||
.include <bsd.port.mk>
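Review bot: `EXPIRATION_DATE=2026-06-31` in the second hunk is not a valid calendar date, since June has 30 days; `EXPIRATION_DATE=2026-06-30` keeps the expiry unambiguous for tooling that parses it. Separately, the patches added by this commit call `openssl_encrypt()` and `openssl_decrypt()`, but the `USE_PHP` line visible here lists only `phar session tokenizer zlib`. Unless an option outside these hunks already pulls it in, `openssl` should be added there, otherwise the new password encryption path will fail at runtime on a host without that extension.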
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
TIMESTAMP = 1754700167
|
||||
SHA256 (adminer-5.3.0.php) = 7dcc196e941b18b74635afe1740dcd86970ab08b8eba0f00f149925aea3972ed
|
||||
SIZE (adminer-5.3.0.php) = 504560
|
||||
SHA256 (adminer-5.3.0.zip) = ec49d9d1faf1f22e835c73b913feb993e87e5ae7e54e8f1e0583515409a1eca8
|
||||
SIZE (adminer-5.3.0.zip) = 873271
|
||||
TIMESTAMP = 1763089532
|
||||
SHA256 (MirLach-adminer-forced-server-1.2_GH0.tar.gz) = 8f00a802ed5e6f323a28d46edac026926dc294f5e50e393c6a3827aba0c0a886
|
||||
SIZE (MirLach-adminer-forced-server-1.2_GH0.tar.gz) = 5685
|
||||
SHA256 (vrana-adminer-plugins-pematon-99912d508a1b39db27910ef6c6dd07bab9368670_GH0.tar.gz) = a38e075f1c70fa4acdbe54ebedf52e7901e89739ff277d7a340f87923aaa6cbd
|
||||
SIZE (vrana-adminer-plugins-pematon-99912d508a1b39db27910ef6c6dd07bab9368670_GH0.tar.gz) = 8128
|
||||
|
||||
@@ -15,14 +15,16 @@ $stub = <<<STUB
|
||||
<?php
|
||||
/******************************************************************************
|
||||
*
|
||||
* All Adminer plugins are now included in this
|
||||
* Adminer plugins are now included in this
|
||||
* FreeBSD ports edition, no need to download
|
||||
* them separately.
|
||||
* https://www.adminer.org/en/plugins/
|
||||
*
|
||||
* copyright Paavo-Einari Kaipila (FreeBSD ports edition)
|
||||
* copyright Jakub Vrana (original Adminer)
|
||||
*
|
||||
* copyright Jakub Vrana (Adminer)
|
||||
* copyright MirLach (ForcedServer plugin)
|
||||
* copyright Pematon (Collations, JsonPreview, LoginServers and SimpleMenu plugins)
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
@@ -68,7 +70,7 @@ foreach(new DirectoryIterator(__DIR__ . '/plugins') as $file)
|
||||
* in Adminer editor.
|
||||
*/
|
||||
&& !str_starts_with($fileName, 'editor')
|
||||
&& preg_match('/class\s(A[a-zA-Z0-9]+)\sextends\sAdminer/', $contents, $m)
|
||||
&& preg_match('/class\s(A[a-zA-Z0-9]+)\s(extends\sAdminer|\{)/', $contents, $m)
|
||||
) {
|
||||
$plugins[$pharFile] = $contents;
|
||||
$classMap[$m[1]] = $file->getFileName();
|
||||
@@ -110,6 +112,7 @@ foreach($plugins as $file => $contents)
|
||||
$contents
|
||||
);
|
||||
}
|
||||
$phar->compressFiles(Phar::GZ);
|
||||
|
||||
$phar->addFromString(
|
||||
'adminer.php',
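Review bot: The widened pattern in the plugin filter (second hunk) still uses a bare `\s`, which matches exactly one whitespace character, so a plugin that puts a newline or two spaces before `extends` or `{` is silently left out of `$classMap`. It also now accepts any `class A… {` text found anywhere in the file contents. Consider `preg_match('/class\s+(A[a-zA-Z0-9]+)\s+(extends\s+Adminer|\{)/', $contents, $m)` and a short comment above the condition naming which bundled plugins declare a class without extending Adminer, so the reason for the `\{` alternative is recorded. The enclosing `foreach` and `if` start outside the hunk.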
|
||||
|
||||
@@ -0,0 +1,11 @@
|
||||
--- adminer/include/functions.inc.php.orig 2025-10-19 12:05 UTC
|
||||
+++ adminer/include/functions.inc.php
|
||||
@@ -761,7 +761,7 @@
|
||||
* @return string 32 hexadecimal characters
|
||||
*/
|
||||
function rand_string(): string {
|
||||
- return md5(uniqid(strval(mt_rand()), true));
|
||||
+ return bin2hex(random_bytes(32));
|
||||
}
|
||||
|
||||
/** Format value to use in select
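Review bot: The new `return bin2hex(random_bytes(32));` yields 64 hexadecimal characters, while the docblock kept as context directly above still promises `@return string 32 hexadecimal characters`, which is what the removed `md5(...)` call produced. Callers outside this hunk may rely on that length. Either keep the documented length with `return bin2hex(random_bytes(16));`, which is still 128 bits from the OS CSPRNG, or update the docblock to `@return string 64 hexadecimal characters` after checking the callers.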
|
||||
@@ -0,0 +1,70 @@
|
||||
--- adminer/include/xxtea.inc.php.orig 2025-11-14 10:44:16 UTC
|
||||
+++ adminer/include/xxtea.inc.php
|
||||
@@ -45,6 +45,11 @@
|
||||
return int32((($z >> 5 & 0x7FFFFFF) ^ $y << 2) + (($y >> 3 & 0x1FFFFFFF) ^ $z << 4)) ^ int32(($sum ^ $y) + ($k ^ $z));
|
||||
}
|
||||
|
||||
+const AES256_NAME = 'aes-256-gcm';
|
||||
+const AES256_KEY_BYTES = 32;
|
||||
+const AES256_NONCE_BYTES = 12;
|
||||
+const AES256_TAG_BYTES = 16;
|
||||
+
|
||||
/** Cipher
|
||||
* @param string $str plain-text password
|
||||
* @return string binary cipher
|
||||
@@ -53,6 +58,20 @@
|
||||
if ($str == "") {
|
||||
return "";
|
||||
}
|
||||
+ $key = hash_hkdf('sha256', $key, AES256_KEY_BYTES, AES256_NAME);
|
||||
+ $nonce = random_bytes(AES256_NONCE_BYTES);
|
||||
+ $cipherText = openssl_encrypt(
|
||||
+ $str,
|
||||
+ AES256_NAME,
|
||||
+ $key,
|
||||
+ OPENSSL_RAW_DATA,
|
||||
+ $nonce,
|
||||
+ $tag,
|
||||
+ '',
|
||||
+ AES256_TAG_BYTES
|
||||
+ );
|
||||
+ return $nonce . $tag . $cipherText;
|
||||
+/*
|
||||
$key = array_values(unpack("V*", pack("H*", md5($key))));
|
||||
$v = str2long($str, true);
|
||||
$n = count($v) - 1;
|
||||
@@ -75,6 +94,7 @@
|
||||
$v[$n] = $z;
|
||||
}
|
||||
return long2str($v, false);
|
||||
+*/
|
||||
}
|
||||
|
||||
/** Decipher
|
||||
@@ -88,6 +108,20 @@
|
||||
if (!$key) {
|
||||
return false;
|
||||
}
|
||||
+ $key = hash_hkdf('sha256', $key, AES256_KEY_BYTES, AES256_NAME);
|
||||
+ $nonce = substr($str, 0, AES256_NONCE_BYTES);
|
||||
+ $tag = substr($str, AES256_NONCE_BYTES, AES256_TAG_BYTES);
|
||||
+ $cipherText = substr($str, AES256_NONCE_BYTES + AES256_TAG_BYTES);
|
||||
+ return openssl_decrypt(
|
||||
+ $cipherText,
|
||||
+ AES256_NAME,
|
||||
+ $key,
|
||||
+ OPENSSL_RAW_DATA,
|
||||
+ $nonce,
|
||||
+ $tag,
|
||||
+ ''
|
||||
+ );
|
||||
+/*
|
||||
$key = array_values(unpack("V*", pack("H*", md5($key))));
|
||||
$v = str2long($str, false);
|
||||
$n = count($v) - 1;
|
||||
@@ -110,4 +144,5 @@
|
||||
$sum = int32($sum - 0x9E3779B9);
|
||||
}
|
||||
return long2str($v, true);
|
||||
+*/
|
||||
}
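Review bot: The decrypt path slices `$nonce`, `$tag` and `$cipherText` out of `$str` without first checking that `$str` is at least `AES256_NONCE_BYTES + AES256_TAG_BYTES` long. The PHP manual notes that `openssl_decrypt()` does not verify the tag length itself and leaves that to the caller, so a truncated input reaches it with a short tag. Adding `if (strlen($str) < AES256_NONCE_BYTES + AES256_TAG_BYTES) { return false; }` before the `substr()` calls closes that gap. On the encrypt side the result of `openssl_encrypt()` is concatenated without a `=== false` check, so a failure there would return a nonce and tag with no ciphertext instead of signalling an error. Both function bodies start outside the hunks shown.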
|
||||