Date: Fri, 14 Nov 2025 12:39:21 -0500 From: "Dan Langille" <dan@langille.org> To: "Vladimir Druzenko" <vvd@freebsd.org>, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org Subject: Re: git: ecd5b3f3237d - main - databases/adminer: Update 5.3.0 => 5.4.1, deprecate Message-ID: <f23e9aa2-b07f-4fb6-8ac9-8fe782728337@app.fastmail.com> In-Reply-To: <202511141159.5AEBx7YA055858@gitrepo.freebsd.org>
On Fri, Nov 14, 2025, at 6:59 AM, Vladimir Druzenko wrote: > The branch main has been updated by vvd: > > URL: > https://cgit.FreeBSD.org/ports/commit/?id=ecd5b3f3237d3cb36694edb8f870ef25c4e50cd6 > > commit ecd5b3f3237d3cb36694edb8f870ef25c4e50cd6 > Author: Paavo-Einari Kaipila <pkaipila@gmail.com> > AuthorDate: 2025-11-14 11:45:34 +0000 > Commit: Vladimir Druzenko <vvd@FreeBSD.org> > CommitDate: 2025-11-14 11:45:34 +0000 > > databases/adminer: Update 5.3.0 => 5.4.1, deprecate > > Changelogs: > https://github.com/vrana/adminer/releases/tag/v5.4.0 > https://github.com/vrana/adminer/releases/tag/v5.4.1 > > - Patch crypto keys to be generated using OS-provided PRNG rather than > a timestamp. > - Patch passwords to be encrypted with aes256-gcm rather than xxtea. > - Add 5 additonal plugins. > - Also mark this expired due to an obvious reason, these issues that > patched here will likely never be fixed upstream. > - And there are 3 CVEs (not affected code in port however, because > related parts isn't included), which have been unfixed for an extended > period: > https://nvd.nist.gov/vuln/detail/CVE-2023-45195 > https://nvd.nist.gov/vuln/detail/CVE-2023-45196 > https://nvd.nist.gov/vuln/detail/CVE-2023-45197 > > PR: 290365 > --- > databases/adminer/Makefile | 26 +++++--- > databases/adminer/distinfo | 10 ++-- > databases/adminer/files/makephar.php | 11 ++-- > .../files/patch-adminer_include_functions.inc.php | 11 ++++ > .../files/patch-adminer_include_xxtea.inc.php | 70 ++++++++++++++++++++++ > 5 files changed, 111 insertions(+), 17 deletions(-) > > diff --git a/databases/adminer/Makefile b/databases/adminer/Makefile > index 8b637dc367a2..182d66cf8c1a 100644 > --- a/databases/adminer/Makefile > +++ b/databases/adminer/Makefile 
> @@ -1,11 +1,9 @@ > PORTNAME= adminer > -DISTVERSION= 5.3.0 > -PORTREVISION= 2 > +DISTVERSION= 5.4.1 > CATEGORIES= databases www > > MASTER_SITES= https://github.com/vrana/${PORTNAME}/releases/download/v${DISTVERSION}/ > PKGNAMEPREFIX= ${PHP_PKGNAMEPREFIX} > -DISTFILES= ${PORTNAME}-${DISTVERSION}.php > ${PORTNAME}-${DISTVERSION}.zip > -EXTRACT_ONLY= ${PORTNAME}-${DISTVERSION}.zip > +DISTFILES= ${PORTNAME}-${DISTVERSION}.zip > > MAINTAINER= pkaipila@gmail.com > COMMENT= Full-featured database management tool in a single PHP file > @@ -13,8 +11,16 @@ WWW= https://www.adminer.org > > LICENSE= APACHE20 > > +DEPRECATED= Project's poor security practices > +EXPIRATION_DATE=2026-06-31 Obligatory Indiana Jones reference: bad dates. https://www.youtube.com/watch?v=DrfKxqZyPWU > + > USES= cpe php:build,flavors > -USE_PHP= phar session zlib > +USE_GITHUB= nodefault > +_FORCED_TAG= 1.2 > +_PEMATON_TAG= 99912d508a1b39db27910ef6c6dd07bab9368670 > +GH_TUPLE= MirLach:adminer-forced-server:${_FORCED_TAG}:forcedserver \ > + vrana:adminer-plugins-pematon:${_PEMATON_TAG}:pematon > +USE_PHP= phar session tokenizer zlib > > NO_ARCH= yes 
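Review bot: `USE_PHP= phar session tokenizer zlib` in the second hunk does not list `openssl`, yet the `patch-adminer_include_xxtea.inc.php` added further down in this commit makes the cipher/decipher helpers call `openssl_encrypt()` and `openssl_decrypt()`, so a PHP without the openssl extension would hit an undefined-function fatal exactly where the commit intends to harden password storage. Unless one of the option blocks outside this hunk already pulls the extension in, the line should read `USE_PHP= openssl phar session tokenizer zlib`. Since the old xxtea path is commented out rather than kept as a fallback, there is no graceful degradation without it.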
> > @@ -33,13 +39,17 @@ PGSQL_USE= PHP=pgsql > SQLITE_USE= PHP=sqlite3 > > do-build: > - ${CP} ${DISTDIR}/${PORTNAME}-${DISTVERSION}.php > ${WRKSRC}/${PORTNAME}.php > + ${MV} > ${WRKDIR}/adminer-forced-server-${_FORCED_TAG}/adminer-plugins/forced-server.php > \ > + ${WRKDIR}/adminer-plugins-pematon-${_PEMATON_TAG}/*.php \ > + ${WRKSRC}/plugins > + @(cd ${WRKSRC} && ${LOCALBASE}/bin/php ${WRKSRC}/compile.php) > + ${MV} ${WRKSRC}/${PORTNAME}-${DISTVERSION}.php > ${WRKSRC}/${PORTNAME}.php > ${CP} ${FILESDIR}/makephar.php ${WRKSRC} > ${LOCALBASE}/bin/php -d phar.readonly=0 ${WRKSRC}/makephar.php > > do-install: > ${MKDIR} ${STAGEDIR}${WWWDIR} > - ${INSTALL_DATA} ${WRKSRC}/index.php ${STAGEDIR}${WWWDIR} > - ${INSTALL_DATA} ${FILESDIR}/adminer-plugins-example.php ${STAGEDIR}${WWWDIR} > + ${INSTALL_SCRIPT} ${WRKSRC}/index.php ${STAGEDIR}${WWWDIR} > + ${INSTALL_SCRIPT} ${FILESDIR}/adminer-plugins-example.php ${STAGEDIR}${WWWDIR} > > .include <bsd.port.mk> > diff --git a/databases/adminer/distinfo b/databases/adminer/distinfo > index 8f067ad01e51..039e80167be7 100644 > --- a/databases/adminer/distinfo > +++ b/databases/adminer/distinfo > @@ -1,5 +1,5 @@ > -TIMESTAMP = 1754700167 > -SHA256 (adminer-5.3.0.php) = > 7dcc196e941b18b74635afe1740dcd86970ab08b8eba0f00f149925aea3972ed > -SIZE (adminer-5.3.0.php) = 504560 > -SHA256 (adminer-5.3.0.zip) = > ec49d9d1faf1f22e835c73b913feb993e87e5ae7e54e8f1e0583515409a1eca8 > -SIZE (adminer-5.3.0.zip) = 873271 > +TIMESTAMP = 1763089532 > +SHA256 (MirLach-adminer-forced-server-1.2_GH0.tar.gz) = > 8f00a802ed5e6f323a28d46edac026926dc294f5e50e393c6a3827aba0c0a886 > +SIZE (MirLach-adminer-forced-server-1.2_GH0.tar.gz) = 5685 > +SHA256 > (vrana-adminer-plugins-pematon-99912d508a1b39db27910ef6c6dd07bab9368670_GH0.tar.gz) > = a38e075f1c70fa4acdbe54ebedf52e7901e89739ff277d7a340f87923aaa6cbd > +SIZE > (vrana-adminer-plugins-pematon-99912d508a1b39db27910ef6c6dd07bab9368670_GH0.tar.gz) > = 8128 
> diff --git a/databases/adminer/files/makephar.php > b/databases/adminer/files/makephar.php > index ad54a3cfe4cb..b8fdadf1dfbc 100644 > --- a/databases/adminer/files/makephar.php > +++ b/databases/adminer/files/makephar.php > @@ -15,14 +15,16 @@ $stub = <<<STUB > <?php > > /****************************************************************************** > * > - * All Adminer plugins are now included in this > + * Adminer plugins are now included in this > * FreeBSD ports edition, no need to download > * them separately. > * https://www.adminer.org/en/plugins/ > * > * copyright Paavo-Einari Kaipila (FreeBSD ports edition) > - * copyright Jakub Vrana (original Adminer) > - * > + * copyright Jakub Vrana (Adminer) > + * copyright MirLach (ForcedServer plugin) > + * copyright Pematon (Collations, JsonPreview, > LoginServers and SimpleMenu plugins) > + * > * Licensed under the Apache License, Version 2.0 (the "License"); > * you may not use this file except in compliance with the License. > * You may obtain a copy of the License at > @@ -68,7 +70,7 @@ foreach(new DirectoryIterator(__DIR__ . '/plugins') > as $file) > * in Adminer editor. > */ > && !str_starts_with($fileName, 'editor') > - && > preg_match('/class\s(A[a-zA-Z0-9]+)\sextends\sAdminer/', $contents, $m) > + && > preg_match('/class\s(A[a-zA-Z0-9]+)\s(extends\sAdminer|\{)/', > $contents, $m) > ) { > $plugins[$pharFile] = $contents; > $classMap[$m[1]] = $file->getFileName(); > @@ -110,6 +112,7 @@ foreach($plugins as $file => $contents) > $contents > ); > } > +$phar->compressFiles(Phar::GZ); > > $phar->addFromString( > 'adminer.php', > diff --git > a/databases/adminer/files/patch-adminer_include_functions.inc.php > b/databases/adminer/files/patch-adminer_include_functions.inc.php > new file mode 100644 > index 000000000000..fa627837460a > --- /dev/null > +++ b/databases/adminer/files/patch-adminer_include_functions.inc.php 
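Review bot: In the `@@ -110` hunk, `$phar->compressFiles(Phar::GZ);` runs before the `$phar->addFromString('adminer.php', ...)` that follows it, and as far as I can tell `compressFiles()` only compresses entries present at call time, so the main `adminer.php` entry would be stored uncompressed. If the goal is a fully compressed archive, move the call after the last `addFromString()`; if only the plugin files are meant to be compressed, a one-line comment saying so (`// compress plugin entries only; adminer.php is added uncompressed below`) would stop the next reader from "fixing" it. The `foreach` enclosing the `@@ -68` hunk starts and ends outside this diff.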
> @@ -0,0 +1,11 @@
> +--- adminer/include/functions.inc.php.orig 2025-10-19 12:05 UTC
> ++++ adminer/include/functions.inc.php
> +@@ -761,7 +761,7 @@
> + * @return string 32 hexadecimal characters
> + */
> + function rand_string(): string {
> +- return md5(uniqid(strval(mt_rand()), true));
> ++ return bin2hex(random_bytes(32));
> + }
> +
> + /** Format value to use in select
> diff --git > a/databases/adminer/files/patch-adminer_include_xxtea.inc.php > b/databases/adminer/files/patch-adminer_include_xxtea.inc.php
> new file mode 100644
> index 000000000000..86b20cb3ea7f
> --- /dev/null
> +++ b/databases/adminer/files/patch-adminer_include_xxtea.inc.php
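Review bot: The new body `return bin2hex(random_bytes(32));` yields 64 hexadecimal characters, but the docblock kept two lines above it still promises `@return string 32 hexadecimal characters`, which is what the replaced `md5()` produced. Either keep the documented width with `return bin2hex(random_bytes(16));` (16 bytes is still 128 bits of CSPRNG output, the same size md5 gave) or update the docblock in the same patch; any caller relying on the documented width would otherwise see a silent change. The whole of `rand_string()` is visible in the hunk, so the fix is self-contained.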
> @@ -0,0 +1,70 @@
> +--- adminer/include/xxtea.inc.php.orig 2025-11-14 10:44:16 UTC
> ++++ adminer/include/xxtea.inc.php
> +@@ -45,6 +45,11 @@
> + return int32((($z >> 5 & 0x7FFFFFF) ^ $y << 2) + (($y >> 3 & > 0x1FFFFFFF) ^ $z << 4)) ^ int32(($sum ^ $y) + ($k ^ $z));
> + }
> +
> ++const AES256_NAME = 'aes-256-gcm';
> ++const AES256_KEY_BYTES = 32;
> ++const AES256_NONCE_BYTES = 12;
> ++const AES256_TAG_BYTES = 16;
> ++
> + /** Cipher
> + * @param string $str plain-text password
> + * @return string binary cipher
> +@@ -53,6 +58,20 @@
> + if ($str == "") {
> + return "";
> + }
> ++ $key = hash_hkdf('sha256', $key, AES256_KEY_BYTES, AES256_NAME);
> ++ $nonce = random_bytes(AES256_NONCE_BYTES);
> ++ $cipherText = openssl_encrypt(
> ++ $str,
> ++ AES256_NAME,
> ++ $key,
> ++ OPENSSL_RAW_DATA,
> ++ $nonce,
> ++ $tag,
> ++ '',
> ++ AES256_TAG_BYTES
> ++ );
> ++ return $nonce . $tag . $cipherText;
> ++/*
> + $key = array_values(unpack("V*", pack("H*", md5($key))));
> + $v = str2long($str, true);
> + $n = count($v) - 1;
> +@@ -75,6 +94,7 @@
> + $v[$n] = $z;
> + }
> + return long2str($v, false);
> ++*/
> + }
> +
> + /** Decipher
> +@@ -88,6 +108,20 @@
> + if (!$key) {
> + return false;
> + }
> ++ $key = hash_hkdf('sha256', $key, AES256_KEY_BYTES, AES256_NAME);
> ++ $nonce = substr($str, 0, AES256_NONCE_BYTES);
> ++ $tag = substr($str, AES256_NONCE_BYTES, AES256_TAG_BYTES);
> ++ $cipherText = substr($str, AES256_NONCE_BYTES + AES256_TAG_BYTES);
> ++ return openssl_decrypt(
> ++ $cipherText,
> ++ AES256_NAME,
> ++ $key,
> ++ OPENSSL_RAW_DATA,
> ++ $nonce,
> ++ $tag,
> ++ ''
> ++ );
> ++/*
> + $key = array_values(unpack("V*", pack("H*", md5($key))));
> + $v = str2long($str, false);
> + $n = count($v) - 1;
> +@@ -110,4 +144,5 @@
> + $sum = int32($sum - 0x9E3779B9);
> + }
> + return long2str($v, true);
> ++*/
> + }
-- Dan Langille dan@langille.orghome | help
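Review bot: The decipher path in the `@@ -88` hunk slices `$nonce`, `$tag` and `$cipherText` out of `$str` without checking its length, so a value shorter than nonce+tag (a stored cookie written by the xxtea build this port replaces, or any truncated input) hands a short IV and tag to `openssl_decrypt()`, which I believe raises a warning in addition to returning false; add `if (strlen($str) < AES256_NONCE_BYTES + AES256_TAG_BYTES) { return false; }` before the first `substr()`. In the `@@ -53` hunk, `openssl_encrypt()` returns false on failure and `$nonce . $tag . $cipherText` then silently becomes a nonce and tag with an empty body, so that result should be checked rather than returned as a valid cipher text. Both functions begin outside their hunks (only the `/** Cipher` and `/** Decipher` docblocks are visible), and the old xxtea bodies in the `@@ -53`, `@@ -75`, `@@ -88` and `@@ -110` hunks are wrapped in `/* ... */` rather than removed, which leaves dead code and a misleading second assignment to `$key` for the next reader.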
