Debian Bug report logs - #504234
CVE-2008-4796: missing input sanitising in embedded copy of Snoopy.class.php

version graph

Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress.

Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Sun, 2 Nov 2008 01:21:01 UTC

Severity: grave

Tags: patch, security

Found in versions wordpress/2.5.1-8, wordpress/2.0.10-1

Fixed in version wordpress/2.5.1-9

Done: Andrea De Iacovo <andrea.de.iacovo@gmail.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#504234; Package wordpress. (Sun, 02 Nov 2008 01:21:04 GMT) Full text and rfc822 format available.

Message #3 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2008-4796: missing input sanitising in embedded copy of Snoopy.class.php
Date: Sat, 1 Nov 2008 19:16:30 -0600
[Message part 1 (text/plain, inline)]
Package: wordpress
Severity: grave
Version: 2.5.1-8
Tags: security, patch

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
snoopy, which affects the embedded copy shipped in wordpress[0].

CVE-2008-4796[1]:
> The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3
> and earlier allows remote attackers to execute arbitrary commands via
> shell metacharacters in https URLs.  NOTE: some of these details are
> obtained from third party information.

The patch for Snoopy.class.php can be found at [2]. However, it would be 
better if wordpress just depended on libphp-snoopy (available in lenny) and 
the include/require calls changed to use the copy provided by that package, 
to avoid shipping yet another embedded code copy.

If you fix the vulnerability please also make sure to include the CVE id in 
the changelog entry.

[0] usr/share/wordpress/wp-includes/class-snoopy.php
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
     http://security-tracker.debian.net/tracker/CVE-2008-4796
[2] http://klecker.debian.org/~white/libphp-snoopy/CVE-2008-4796.patch

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
[signature.asc (application/pgp-signature, inline)]

Bug marked as found in version 2.0.10-1. Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Sun, 02 Nov 2008 01:27:06 GMT) Full text and rfc822 format available.

Reply sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
You have taken responsibility. (Mon, 03 Nov 2008 10:39:35 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Mon, 03 Nov 2008 10:39:37 GMT) Full text and rfc822 format available.

Message #10 received at 504234-close@bugs.debian.org (full text, mbox):

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: 504234-close@bugs.debian.org
Subject: Bug#504234: fixed in wordpress 2.5.1-9
Date: Mon, 03 Nov 2008 09:47:17 +0000
Source: wordpress
Source-Version: 2.5.1-9

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.5.1-9.diff.gz
  to pool/main/w/wordpress/wordpress_2.5.1-9.diff.gz
wordpress_2.5.1-9.dsc
  to pool/main/w/wordpress/wordpress_2.5.1-9.dsc
wordpress_2.5.1-9_all.deb
  to pool/main/w/wordpress/wordpress_2.5.1-9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 504234@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrea De Iacovo <andrea.de.iacovo@gmail.com> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 03 Nov 2008 08:39:16 +0100
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.5.1-9
Distribution: unstable
Urgency: high
Maintainer: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Changed-By: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Description: 
 wordpress  - weblog manager
Closes: 443948 504234
Changes: 
 wordpress (2.5.1-9) unstable; urgency=high
 .
   * Wordpress now depends on libphp-snoopy (Closes: #443948)
   * libphp-snoopy dependance solves grave security issue (Closes: #504234)
     Thanks to the new version of snoopy class the user input is now sanitized
     so it's not possibile to inject malicius code anymore (CVE-2008-4796)
   * setup-mysql modified to fix permissions on /srv/www
Checksums-Sha1: 
 191699775eacd2b5d257c56e1c5fe747dce44471 1311 wordpress_2.5.1-9.dsc
 33b102833c7c48f85bcc25c397e2aa6cd665c727 695982 wordpress_2.5.1-9.diff.gz
 a487be0f73271d6c9ff6e8c6b7964f96645c15fa 1030386 wordpress_2.5.1-9_all.deb
Checksums-Sha256: 
 50c1d06f5336c394e98512384f7c236eca15d49bf561552b25eff52743e36eb9 1311 wordpress_2.5.1-9.dsc
 6b08731f5b79eb8d57c82ff3aa4ca1d351731ba5e8ba594892a50b1aa4ed1784 695982 wordpress_2.5.1-9.diff.gz
 5b1a0754b224d64ff47c37fb941f7cd04990d8f3ca80af4f1ccfb16eaac2eb9d 1030386 wordpress_2.5.1-9_all.deb
Files: 
 8168e70fe8fc0d4d04533a48559a7b1d 1311 web optional wordpress_2.5.1-9.dsc
 37327fdaea834472322866ae64eeb088 695982 web optional wordpress_2.5.1-9.diff.gz
 6b725c0ded42091500807d1ba11eb9a3 1030386 web optional wordpress_2.5.1-9_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJDsdXAAoJEGz0hbPcukPfOfwH/ia7QCrORHnCCw4NhPHyXQmV
VEZXe9uJUJavcx0iHamgRT3otwgth1o6ejViBK8TIG7+8sWZ1693GqY1Kg2plI1t
C/HqGSyfjUEVgRmkPKpAlu8FdvScWZl3yoCVShdk6O+QT9a0kscK0daAutfrVebT
vDIacEmYar0GVozvdsAq2kqSmsJvBNvmDppUGpGGT71DuDl7laHynCefcPILaOvJ
juwfp1zY4ygsPAklHRZ+TMTD7dEkEmDorvGkAal+2LcHoR7t4TCXZ2DBsg+ADezy
+M1hHeBTCiIMevSFSTH4MDGwMoBJpijUELvp7C6w8BVn7ShyZN7T4zXmnieVnco=
=awCk
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 08:02:20 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 07:13:30 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.