Debian Bug report logs - #605603
wordpress: Author level SQL injection vulnerability fixed in 3.0.2

version graph

Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress.

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Wed, 1 Dec 2010 18:12:02 UTC

Severity: grave

Tags: patch, security

Found in version wordpress/3.0.1-2

Fixed in versions wordpress/3.0.2-1, wordpress/2.5.1-11+lenny4

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#605603; Package wordpress. (Wed, 01 Dec 2010 18:12:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giuseppe Iuculano <iuculano@debian.org>. (Wed, 01 Dec 2010 18:12:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: Author level SQL injection vulnerability fixed in 3.0.2
Date: Wed, 01 Dec 2010 18:09:28 +0000
Package: wordpress
Version: 3.0.1-2
Severity: grave
Tags: security
Justification: user security hole

3.0.2 includes an update which appears to fix an SQL injection attack:

<http://codex.wordpress.org/Version_3.0.2>
<http://core.trac.wordpress.org/changeset/16625>

This looks worthy of an update for squeeze. Note that the other updates
in 3.0.2 also include various security hardening issues so it may be
most appropriate to upload 3.0.2 itself for squeeze.




Added tag(s) patch. Request was from Hideki Yamane <henrich@debian.or.jp> to control@bugs.debian.org. (Thu, 02 Dec 2010 12:06:04 GMT) Full text and rfc822 format available.

Message sent on to Dominic Hargreaves <dom@earth.li>:
Bug#605603. (Thu, 02 Dec 2010 12:06:12 GMT) Full text and rfc822 format available.

Message #10 received at 605603-submitter@bugs.debian.org (full text, mbox):

From: Hideki Yamane <henrich@debian.or.jp>
To: 605603-submitter@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: wordpress: Author level SQL injection vulnerability fixed in 3.0.2
Date: Thu, 2 Dec 2010 21:03:00 +0900
tags 605603 patch
thanks

Hi,

>This looks worthy of an update for squeeze. Note that the other updates
>in 3.0.2 also include various security hardening issues so it may be
>most appropriate to upload 3.0.2 itself for squeeze.

 However, you know, we are in freeze and 3.0.1 and 3.0.2 diff is about 2000 
 lines. In generally, it's too much changes at this time. I hope there is 
 someone who can check its worth and benefit and negotiate with release team.


 Anyway, proposed smallest patch to 3.0.1 is below. Please check it.


diff -Nru wordpress-3.0.1/debian/changelog wordpress-3.0.1/debian/changelog
--- wordpress-3.0.1/debian/changelog    2010-09-02 17:34:46.000000000 +0900
+++ wordpress-3.0.1/debian/changelog    2010-12-02 15:08:22.000000000 +0900
@@ -1,3 +1,11 @@
+wordpress (3.0.1-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * add debian/patches/fix_SQLinjection_r16625.patch from upstream SVN
+    to fix vulnerability (Closes: #605603)
+
+ -- Hideki Yamane <henrich@debian.org>  Thu, 02 Dec 2010 15:06:20 +0900
+
 wordpress (3.0.1-2) unstable; urgency=low

   * [e8a913f] Remove swfupload.swf from the binary package, as it cannot
diff -Nru wordpress-3.0.1/debian/patches/fix_SQLinjection_r16625.patch
wordpress-3.0.1/debian/patches/fix_SQLinjection_r16625.patch
--- wordpress-3.0.1/debian/patches/fix_SQLinjection_r16625.patch        1970-01-01 09:00:00.000000000 +0900
+++ wordpress-3.0.1/debian/patches/fix_SQLinjection_r16625.patch        2010-12-02 15:06:03.000000000 +0900
@@ -0,0 +1,13 @@
+Index: wordpress-3.0.1/wp-includes/comment.php
+===================================================================
+--- wordpress-3.0.1.orig/wp-includes/comment.php       2010-12-02 15:05:30.619404571 +0900
++++ wordpress-3.0.1/wp-includes/comment.php    2010-12-02 15:05:59.092116965 +0900
+@@ -1654,7 +1654,7 @@
+               trackback($tb_ping, $post_title, $excerpt, $post_id);
+               $pinged[] = $tb_ping;
+           } else {
+-              $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', ''))
WHERE ID = %d", $post_id) );
++              $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID
= %d", $tb_ping, $post_id) );
+           }
+         }
+       }
diff -Nru wordpress-3.0.1/debian/patches/series wordpress-3.0.1/debian/patches/series
--- wordpress-3.0.1/debian/patches/series       2010-09-02 17:34:46.000000000 +0900
+++ wordpress-3.0.1/debian/patches/series       2010-12-02 15:05:22.000000000 +0900
@@ -7,3 +7,4 @@
 010disabling_update_note.patch
 manifest.patch
 mu.patch
+fix_SQLinjection_r16625.patch




Information stored :
Bug#605603; Package wordpress. (Thu, 02 Dec 2010 15:21:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and filed, but not forwarded. (Thu, 02 Dec 2010 15:21:09 GMT) Full text and rfc822 format available.

Message #15 received at 605603-quiet@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Hideki Yamane <henrich@debian.or.jp>, 605603-quiet@bugs.debian.org
Cc: 605603-submitter@bugs.debian.org
Subject: Re: Bug#605603: wordpress: Author level SQL injection vulnerability fixed in 3.0.2
Date: Thu, 2 Dec 2010 15:17:26 +0000
[Message part 1 (text/plain, inline)]
On Thu, Dec 02, 2010 at 09:03:00PM +0900, Hideki Yamane wrote:
> tags 605603 patch
> thanks
> 
> Hi,
> 
> >This looks worthy of an update for squeeze. Note that the other updates
> >in 3.0.2 also include various security hardening issues so it may be
> >most appropriate to upload 3.0.2 itself for squeeze.
> 
>  However, you know, we are in freeze and 3.0.1 and 3.0.2 diff is about 2000 
>  lines. In generally, it's too much changes at this time. I hope there is 
>  someone who can check its worth and benefit and negotiate with release team.

Indeed. I haven't got time to do that right now.

>  Anyway, proposed smallest patch to 3.0.1 is below. Please check it.

Your patch doesn't apply; there is some cut and paste whitespace damage.
I've attached a new patch which I've verified builds cleanly (on our
slightly modified package which is deployed on lenny).

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
[605603.patch (text/x-diff, attachment)]

Message sent on to Dominic Hargreaves <dom@earth.li>:
Bug#605603. (Thu, 02 Dec 2010 15:21:11 GMT) Full text and rfc822 format available.

Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Tue, 07 Dec 2010 08:51:28 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Tue, 07 Dec 2010 08:51:28 GMT) Full text and rfc822 format available.

Message #23 received at 605603-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 605603-close@bugs.debian.org
Subject: Bug#605603: fixed in wordpress 3.0.2-1
Date: Tue, 07 Dec 2010 08:48:49 +0000
Source: wordpress
Source-Version: 3.0.2-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress-l10n_3.0.2-1_all.deb
  to main/w/wordpress/wordpress-l10n_3.0.2-1_all.deb
wordpress_3.0.2-1.debian.tar.gz
  to main/w/wordpress/wordpress_3.0.2-1.debian.tar.gz
wordpress_3.0.2-1.dsc
  to main/w/wordpress/wordpress_3.0.2-1.dsc
wordpress_3.0.2-1_all.deb
  to main/w/wordpress/wordpress_3.0.2-1_all.deb
wordpress_3.0.2.orig.tar.gz
  to main/w/wordpress/wordpress_3.0.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605603@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 07 Dec 2010 08:43:38 +0100
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.0.2-1
Distribution: unstable
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 602732 605603 605880
Changes: 
 wordpress (3.0.2-1) unstable; urgency=high
 .
   [ Raphaƫl Hertzog ]
   * [9d6922c] Improve wp-config.php to support sites on subdomains and
     htaccess by providing directives ready to uncomment
 .
   [ Giuseppe Iuculano ]
   * [1dc32d3] Imported Upstream version 3.0.2 (Closes: #605880)
     - Author level SQL injection vulnerability fixed (Closes: #605603)
   * [b4f2869] Refreshed debian/patches/001readme.patch
   * [612c23f] Remove flv_player.swf from manifest.php (Closes: #602732)
Checksums-Sha1: 
 85c1e10ca76d5740f2d6639ceddfd7774f61fd92 1259 wordpress_3.0.2-1.dsc
 08a06c5338dfdd3ca76d99fbe32ade67eec8822b 2688999 wordpress_3.0.2.orig.tar.gz
 06906641bb12489c466a542f65c5f43124718f58 7031530 wordpress_3.0.2-1.debian.tar.gz
 f27c8d118c5999f6ac13a190ae255b3438dcfe55 2513492 wordpress_3.0.2-1_all.deb
 17455991f483e58e4ff045a32865cda3ed7dc1ea 5987796 wordpress-l10n_3.0.2-1_all.deb
Checksums-Sha256: 
 79adacaa35a31b9530db99d9c4056924b77778f43bd91f59ac5d49e366b82933 1259 wordpress_3.0.2-1.dsc
 cc6f8707a4b19d44845abec890f7767ef6e053cb71e5799ac9b3705425611d4f 2688999 wordpress_3.0.2.orig.tar.gz
 36e04aa0524c66c586d0f789ac6b7c1b6615823db86491c1ceb7a191025ead81 7031530 wordpress_3.0.2-1.debian.tar.gz
 6148ed038c45958e9b784a00ee9c40b71a0764d3bdc1cd1ae786c77e4f374d49 2513492 wordpress_3.0.2-1_all.deb
 7cbcd5ea79773ec0a2a6e31bdc591183657d05a6f587a59cf6fa9e8642d5cc15 5987796 wordpress-l10n_3.0.2-1_all.deb
Files: 
 3e135f322a367e5eced974a7200d2d24 1259 web optional wordpress_3.0.2-1.dsc
 9f8b305f72dbe96291ca0d13b21cb279 2688999 web optional wordpress_3.0.2.orig.tar.gz
 b4789d8f19cde22b6990e46cd10b6537 7031530 web optional wordpress_3.0.2-1.debian.tar.gz
 e3db07c2b96091714189b8c07ff2670a 2513492 web optional wordpress_3.0.2-1_all.deb
 fb0d522d9c33b7f0b6934d8e330f4b5b 5987796 localization optional wordpress-l10n_3.0.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkz95ukACgkQNxpp46476aokSgCggNJqRT677MfjK5toDW6bAc9l
JD4An04izhn82OF8moP/fG5miGuBWu+X
=AYAQ
-----END PGP SIGNATURE-----





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Wed, 29 Dec 2010 20:09:12 GMT) Full text and rfc822 format available.

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Wed, 29 Dec 2010 20:09:12 GMT) Full text and rfc822 format available.

Message #28 received at 605603-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 605603-close@bugs.debian.org
Subject: Bug#605603: fixed in wordpress 2.5.1-11+lenny4
Date: Wed, 29 Dec 2010 20:06:51 +0000
Source: wordpress
Source-Version: 2.5.1-11+lenny4

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.5.1-11+lenny4.diff.gz
  to main/w/wordpress/wordpress_2.5.1-11+lenny4.diff.gz
wordpress_2.5.1-11+lenny4.dsc
  to main/w/wordpress/wordpress_2.5.1-11+lenny4.dsc
wordpress_2.5.1-11+lenny4_all.deb
  to main/w/wordpress/wordpress_2.5.1-11+lenny4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605603@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 09 Dec 2010 15:42:31 +0100
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.5.1-11+lenny4
Distribution: stable-security
Urgency: high
Maintainer: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 wordpress  - weblog manager
Closes: 605603
Changes: 
 wordpress (2.5.1-11+lenny4) stable-security; urgency=high
 .
   * [6f61bff] Fix CVE-2010-4257: SQL injection vulnerability in the
     do_trackbacks function (Closes: #605603)
Checksums-Sha1: 
 0109b030b9cb9fbeb5c6ad666ed130e19c1bb3ac 1052 wordpress_2.5.1-11+lenny4.dsc
 78ba8002564c1862c05c64932375692e29baefba 703044 wordpress_2.5.1-11+lenny4.diff.gz
 f1a82e416e693b064bbaad362d2853680233f4bb 1031548 wordpress_2.5.1-11+lenny4_all.deb
Checksums-Sha256: 
 1de3ffe14e93a88b30bd2c5b48fc26be548926fbb69b770723dffa3ec6b9d66b 1052 wordpress_2.5.1-11+lenny4.dsc
 7b74480b2ab67b2add0d1d2ba1778f4ce94352059b574e19e5f8cd4c9716f1c9 703044 wordpress_2.5.1-11+lenny4.diff.gz
 858bee7a2ad3bd2255158e8dd27b09c9385fd64188348d7c28df84beccecd002 1031548 wordpress_2.5.1-11+lenny4_all.deb
Files: 
 008896d98126d16abca0fac532b43907 1052 web optional wordpress_2.5.1-11+lenny4.dsc
 c8d3545fdef98ba0a1e8c3a6fa7488d0 703044 web optional wordpress_2.5.1-11+lenny4.diff.gz
 9255a3b87a72b423fe8201eb6cb8ef20 1031548 web optional wordpress_2.5.1-11+lenny4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk0A7tIACgkQNxpp46476aoPqgCcCTtkSvxdc4UALmajiRRmmuX5
fEIAn0YBIanlgbMHlttm9rViSv9o+Jl7
=b56x
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Jan 2011 07:30:59 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:33:33 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.