Debian Bug report logs - #722537
wordpress: CVE-2013-4338 CVE-2013-4339 CVE-2013-4340


Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 12 Sep 2013 05:30:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version wordpress/3.5.1+dfsg-2

Fixed in versions 3.6.1+dfsg-1, wordpress/3.6.1+dfsg-1~deb6u1

Done: Yves-Alexis Perez <corsac@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#722537; Package wordpress. (Thu, 12 Sep 2013 05:30:06 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giuseppe Iuculano <iuculano@debian.org>. (Thu, 12 Sep 2013 05:30:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: CVE-2013-4338 CVE-2013-4339 CVE-2013-4340
Date: Thu, 12 Sep 2013 07:27:35 +0200
Package: wordpress
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerabilities were published for wordpress.

CVE-2013-4338[0]:
Unsafe PHP unserialization

CVE-2013-4339[1]:
Open Redirect / Insufficient Input Validation

CVE-2013-4340[2]:
Privilege Escalation

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
    http://security-tracker.debian.org/tracker/CVE-2013-4338
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
    http://security-tracker.debian.org/tracker/CVE-2013-4339
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
    http://security-tracker.debian.org/tracker/CVE-2013-4340

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions wordpress/3.5.1+dfsg-2. Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Thu, 12 Sep 2013 21:45:08 GMT)

Reply sent to Raphael Hertzog <hertzog@debian.org>:
You have taken responsibility. (Thu, 12 Sep 2013 21:54:05 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 12 Sep 2013 21:54:05 GMT)

Message #12 received at 722537-done@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 722537-done@bugs.debian.org
Subject: Re: Bug#722537: wordpress: CVE-2013-4338 CVE-2013-4339 CVE-2013-4340
Date: Thu, 12 Sep 2013 23:52:07 +0200
Version: 3.6.1+dfsg-1

On Thu, 12 Sep 2013, Salvatore Bonaccorso wrote:
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

I had prepared an upload before seeing this bug so the changelog entry
doesn't reference it and I'm closing it manually. Squeeze and wheezy
are also affected though.

> Please adjust the affected versions in the BTS as needed.

Done.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Added tag(s) pending. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Fri, 13 Sep 2013 21:12:12 GMT)

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#722537. (Fri, 13 Sep 2013 21:12:16 GMT)

Message #17 received at 722537-submitter@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 722537-submitter@bugs.debian.org
Subject: Bug#722537 marked as pending
Date: Fri, 13 Sep 2013 21:09:38 +0000
tag 722537 pending
thanks

Hello,

Bug #722537 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=6496a33

---
commit 6496a33c1dfe723e736bf51bbc25d9a5edb110ae
Author: Yves-Alexis Perez <corsac@debian.org>
Date:   Fri Sep 13 22:18:29 2013 +0200

    Add changelog entry for Squeeze upload.
    
    * Non-maintainer upload by the Security Team.
    * Import wordpress from Jessie to fix all the security issues present in
      Squeeze.
      - update to Wordpress 3.6.1                                 closes: #722537
        + CVE-2013-4338: unsafe PHP unserialization can cause arbitrary code
        execution.
        + CVE-2013-4339: improper input validation in URL parsing can lead to
        arbitrary redirection.
        + CVE-2013-4340: privilege escalation allowing a user with an author
        role to create an entry appearing as written by another user.
        + CVE-2013-5738: authenticated users can conduct cross-site scripting
        attacks (XSS) using crafted html file uploads.
        + CVE-2013-5739: default Wordpress configuration doesn't prevent upload
        for .swf and .exe files, making it easier for authenticated users to
        conduct XSS attacks.

diff --git a/debian/changelog b/debian/changelog
index 45995a5..00ac201 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+wordpress (3.6.1+dfsg-1~deb6u1) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Import wordpress from Jessie to fix all the security issues present in
+    Squeeze.
+    - update to Wordpress 3.6.1                                 closes: #722537
+      + CVE-2013-4338: unsafe PHP unserialization can causes arbitrary code
+      execution.
+      + CVE-2013-4339: unproper input validation in URL parsing can lead to
+      arbitrary redirection.
+      + CVE-2013-4340: privilege escalation allowing an user with an author
+      role to create an entry appearing as written by another user.
+      + CVE-2013-5738: authenticated users can conduct cross-site scripting
+      attacks (XSS) using crafted html file uploads.
+      + CVE-2013-5739: default Wordpress configuration doesn't prevent upload
+      for .swf and .exe files, making it easier for authenticated users to
+      conduct XSS attacks.
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Fri, 13 Sep 2013 21:47:46 +0200
+
 wordpress (3.6.1+dfsg-1) unstable; urgency=high
 
   * New upstream security release.
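Review bot: the new stanza's distribution is `UNRELEASED`, but this is a squeeze-security NMU, so it has to read `squeeze-security` before the package is built and uploaded. Two grammar slips in the CVE lines will otherwise land in the published changelog: "can causes arbitrary code execution" should be "can cause", "unproper input validation" should be "improper", and "allowing an user" should be "allowing a user". The nesting is also unusual for a changelog: the CVE entries sit as `+` sub-items under a `- update to Wordpress 3.6.1` sub-item; since the whole upload is the 3.6.1 import, listing the CVEs directly under the `* Import ...` bullet reads more cleanly and matches the style of the existing stanzas.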



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#722537. (Sat, 14 Sep 2013 09:21:06 GMT)

Message #20 received at 722537-submitter@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 722537-submitter@bugs.debian.org
Subject: Bug#722537 marked as pending
Date: Sat, 14 Sep 2013 09:17:56 +0000
tag 722537 pending
thanks

Hello,

Bug #722537 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=a8fbc2c

---
commit a8fbc2c80e478c47229a69fb6fccf246c3752e21
Author: Yves-Alexis Perez <corsac@debian.org>
Date:   Fri Sep 13 22:18:29 2013 +0200

    Add changelog entry for Squeeze upload.
    
    * Non-maintainer upload by the Security Team.
    * Import wordpress from Jessie to fix all the security issues present in
      Squeeze.
      - update to Wordpress 3.6.1                                 closes: #722537
        + CVE-2013-4338: unsafe PHP unserialization can cause arbitrary code
        execution.
        + CVE-2013-4339: improper input validation in URL parsing can lead to
        arbitrary redirection.
        + CVE-2013-4340: privilege escalation allowing a user with an author
        role to create an entry appearing as written by another user.
        + CVE-2013-5738: authenticated users can conduct cross-site scripting
        attacks (XSS) using crafted html file uploads.
        + CVE-2013-5739: default Wordpress configuration doesn't prevent upload
        for .swf and .exe files, making it easier for authenticated users to
        conduct XSS attacks.

diff --git a/debian/changelog b/debian/changelog
index 45995a5..300cea6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+wordpress (3.6.1+dfsg-1~deb6u1) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Import Wordpress 3.6.1 from Jessie to fix all the security issues present
+    in Squeeze:                                                 closes: #722537
+    - CVE-2013-4338: unsafe PHP unserialization can causes arbitrary code
+    execution.
+    - CVE-2013-4339: unproper input validation in URL parsing can lead to
+    arbitrary redirection.
+    - CVE-2013-4340: privilege escalation allowing an user with an author role
+    to create an entry appearing as written by another user.
+    - CVE-2013-5738: authenticated users can conduct cross-site scripting
+    attacks (XSS) using crafted html file uploads.
+    - CVE-2013-5739: default Wordpress configuration doesn't prevent upload
+    for .swf and .exe files, making it easier for authenticated users to
+    conduct XSS attacks.
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Fri, 13 Sep 2013 21:47:46 +0200
+
 wordpress (3.6.1+dfsg-1) unstable; urgency=high
 
   * New upstream security release.
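Review bot: the distribution is still `UNRELEASED` and the grammar slips from the first version of this stanza are carried over unchanged ("can causes" should be "can cause", "unproper" should be "improper", "an user" should be "a user"); both need fixing before the upload, since the .changes file is generated from this text. The flattened list is an improvement, but `closes: #722537` now sits on the line introducing all five CVEs while #722537 only covers CVE-2013-4338, CVE-2013-4339 and CVE-2013-4340; CVE-2013-5738 and CVE-2013-5739 are fixed by the same import but are not part of this bug, so if they have bug reports of their own those should be closed here as well, and if not the `closes:` is better placed next to the three CVEs it actually applies to.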



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#722537; Package wordpress. (Thu, 17 Oct 2013 13:54:04 GMT)

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Thu, 17 Oct 2013 13:54:04 GMT)

Message #25 received at 722537@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: 722537@bugs.debian.org
Subject: Re: Bug#722537,wordpress: CVE-2013-4338 CVE-2013-4339 CVE-2013-4340
Date: Thu, 17 Oct 2013 14:50:58 +0100
> CVE-2013-4338[0]:
> Unsafe PHP unserialization
https://core.trac.wordpress.org/changeset/25325

It is very vague how that was a security bug.

The code change doesn't actually make the default mode of
is_serialized() any stricter, that is unchanged.  Rather, it implements
a new, more-relaxed check that can be used to prevent something being
stored in MySQL which, after being truncated due to another bug,
something else might be able to wrongly deserialise later...  it's a
very poor way to fix what is really unsafe coding all over the place.
It mitigates this specific exploit though.

The original researcher explains the original vulnerability here:
http://vagosec.org/2013/09/wordpress-php-object-injection/

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
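The point Steven makes above, that the upstream change relies on a structural "does this look like a complete serialized value" check rather than on making unserialization itself safe, is easier to see with a small stand-alone demonstration. The block below is an added example written for this page; it is not WordPress code and not the changeset being discussed. The function names `looks_serialized_strict()` and `safe_unserialize()` are hypothetical, the check is a simplified one (it only inspects the type prefix and the terminator), and the sample data is constructed inline. It shows two defensive layers: a strict structural check rejects a serialized string that was cut short, as a length-limited database column would leave it, and `unserialize()` is called with `allowed_classes => false` so that stored data can never instantiate application classes even when it passes the check.

```php
<?php
// Added example (not WordPress code). Function names are hypothetical.

/**
 * Return true only when $data has the complete outer shape of a PHP
 * serialized value: a known type prefix followed by ':' and the matching
 * terminator for that type. A value truncated mid-way (e.g. by a column
 * length limit) loses its terminator and is rejected here, before any
 * attempt to unserialize it.
 */
function looks_serialized_strict(string $data): bool
{
    $data = trim($data);
    if ($data === 'N;') {                 // serialized null
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    $last = substr($data, -1);
    switch ($data[0]) {
        case 's':                          // s:<len>:"<bytes>";
            return $last === ';' && substr($data, -2, 1) === '"';
        case 'a':                          // a:<n>:{...}
        case 'O':                          // O:<len>:"<class>":<n>:{...}
            return $last === '}';
        case 'b':                          // b:0; / b:1;
        case 'i':                          // i:<int>;
        case 'd':                          // d:<float>;
            return $last === ';';
    }
    return false;
}

/**
 * Unserialize only after the strict check passes, and never let the data
 * choose a class: with allowed_classes => false any O:... payload becomes
 * __PHP_Incomplete_Class, so no __wakeup()/__destruct() of an application
 * class runs on behalf of stored data. Returns null for rejected input.
 */
function safe_unserialize(string $data)
{
    if (!looks_serialized_strict($data)) {
        return null;
    }
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed sample: a serialized array, and the same string truncated
// to 20 bytes as a length-limited column would store it.
$full      = serialize(['title' => 'hello world', 'views' => 3]);
$truncated = substr($full, 0, 20);

echo "full string:      $full\n";
echo "truncated string: $truncated\n";
echo 'strict check, full:      ', looks_serialized_strict($full) ? "pass\n" : "reject\n";
echo 'strict check, truncated: ', looks_serialized_strict($truncated) ? "pass\n" : "reject\n";
var_dump(safe_unserialize($truncated));
```

The strict check is a gatekeeper, not a parser: it cannot tell a well-formed value from a malicious one, which is exactly why the second layer matters. Disallowing classes at the `unserialize()` call removes the object-instantiation behaviour that turns a deserialization bug into code execution, independently of whether the string was truncated or tampered with; where a real application needs objects back, `allowed_classes` should list the few data-only classes it expects rather than `true`.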



Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Sat, 08 Feb 2014 23:21:05 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 08 Feb 2014 23:21:05 GMT)

Message #30 received at 722537-close@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 722537-close@bugs.debian.org
Subject: Bug#722537: fixed in wordpress 3.6.1+dfsg-1~deb6u1
Date: Sat, 08 Feb 2014 23:17:27 +0000
Source: wordpress
Source-Version: 3.6.1+dfsg-1~deb6u1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 722537@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 14 Sep 2013 10:30:29 +0200
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb6u1
Distribution: squeeze-security
Urgency: high
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 722537
Changes: 
 wordpress (3.6.1+dfsg-1~deb6u1) squeeze-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Import Wordpress 3.6.1 from Jessie to fix all the security issues present
     in Squeeze:                                                 closes: #722537
     - CVE-2013-4338: unsafe PHP unserialization can causes arbitrary code
     execution.
     - CVE-2013-4339: unproper input validation in URL parsing can lead to
     arbitrary redirection.
     - CVE-2013-4340: privilege escalation allowing an user with an author role
     to create an entry appearing as written by another user.
     - CVE-2013-5738: authenticated users can conduct cross-site scripting
     attacks (XSS) using crafted html file uploads.
     - CVE-2013-5739: default Wordpress configuration doesn't prevent upload
     for .swf and .exe files, making it easier for authenticated users to
     conduct XSS attacks.
Checksums-Sha1: 
 040a70f20d0cf0f2970d9f63f10cee5cfd9486aa 1780 wordpress_3.6.1+dfsg-1~deb6u1.dsc
 997fd2158cd14bd29a5598a81c780db34f7173f7 3214412 wordpress_3.6.1+dfsg.orig.tar.xz
 e35710cc448855680625f2494257779551d152e8 11013851 wordpress_3.6.1+dfsg-1~deb6u1.debian.tar.gz
 8b7a39162d8e978029c4f9a6c0ec6079868939ff 3989552 wordpress_3.6.1+dfsg-1~deb6u1_all.deb
 866298b8e5dc7ab890b9a087779f2e17cfba7869 8859512 wordpress-l10n_3.6.1+dfsg-1~deb6u1_all.deb
Checksums-Sha256: 
 4da43dff7a3390e81b1f8fdab6a352d05ce76cd57ff9505ab7d069d099fe217b 1780 wordpress_3.6.1+dfsg-1~deb6u1.dsc
 20714525a688eadd649e2e497b4cd300870445867e1f8b3305b49da5ca55b50d 3214412 wordpress_3.6.1+dfsg.orig.tar.xz
 901c76616e68290d6a7d6b6f163549a13818d7705a3f81a5895165d163bf4a36 11013851 wordpress_3.6.1+dfsg-1~deb6u1.debian.tar.gz
 4ab6406703fc6715c5fabd03297c91eb0fc891047b901206a95c5ebebe14255e 3989552 wordpress_3.6.1+dfsg-1~deb6u1_all.deb
 6ccd3ff5259953fa791eb9a65c451821b9034a48bd6876fc147e17ec97b6ab81 8859512 wordpress-l10n_3.6.1+dfsg-1~deb6u1_all.deb
Files: 
 3de8613f1ab97dcbecbdf7a84f9cdada 1780 web optional wordpress_3.6.1+dfsg-1~deb6u1.dsc
 4fbd2c241f5d7075b115dfba1b130bfa 3214412 web optional wordpress_3.6.1+dfsg.orig.tar.xz
 ca958a33d1472d748eae52a79196df28 11013851 web optional wordpress_3.6.1+dfsg-1~deb6u1.debian.tar.gz
 3c2875f0b029dd6ce76b39897f548efc 3989552 web optional wordpress_3.6.1+dfsg-1~deb6u1_all.deb
 b55cd30ea279c0b1e1ea4653acf37391 8859512 localization optional wordpress-l10n_3.6.1+dfsg-1~deb6u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (GNU/Linux)

iQEcBAEBCgAGBQJSNB+wAAoJEG3bU/KmdcClzo4IAI9UtZkS10Tjjoe3ehtt23AM
7RLhZtTVAfwEWL/lvrpipE8Vajaef79eXH07F5PwXD9kATu6rU/10/ONUf3PCgXD
8Lw/+Rembm3aPacLnfz21t15Js6uQTWvdDn/JzcT/8MLsMrWI80jpgoVstqixpGL
gxRuRKNsZFirShDF4lSGLM3lEnRF1k0I9D3SlvcUJChuSKNhdLx7Q1YK2Hqx6JkB
V1fBnYq7RGLX8jyx6W/JuRQ7zd9JWeiwIBgDx0Hhbb2as2SSc0PuwI+o9YRW7vgz
Sze7jVqD/VgxounhEmEZ/fBLVVT6MtAjXH5LMlGcbHIINzsPJVjBjr+4Oa/d/is=
=r28f
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Mar 2014 07:28:47 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 08:53:05 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.