Bug 11218 - wordpress new security issues fixed in 3.6.1
: wordpress new security issues fixed in 3.6.1
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/566978/
: MGA2TOO MGA2-32-OK MGA2-64-OK MGA3-32...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-09-12 00:44 CEST by David Walser
Modified: 2013-09-19 11:54 CEST (History)
5 users (show)

See Also:
Source RPM: wordpress-3.6-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-09-12 00:44:11 CEST
Upstream has released 3.6.1 today (September 11):
http://wordpress.org/news/2013/09/wordpress-3-6-1/

CVEs have been requested for the security issues it fixes:
http://openwall.com/lists/oss-security/2013/09/11/10

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-09-12 12:38:01 CEST
======================================================
Name: CVE-2013-4338
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25325
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

wp-includes/functions.php in WordPress before 3.6.1 does not properly
determine whether data has been serialized, which allows remote
attackers to execute arbitrary code by triggering erroneous PHP
unserialize operations.



======================================================
Name: CVE-2013-4339
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25323
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25324
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

WordPress before 3.6.1 does not properly validate URLs before use in
an HTTP redirect, which allows remote attackers to bypass intended
redirection restrictions via a crafted string.



======================================================
Name: CVE-2013-4340
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130612
Category: 
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25321
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote
authenticated users to spoof the authorship of a post by leveraging
the Author role and providing a modified user_ID parameter.



======================================================
Name: CVE-2013-5738
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130911
Category: 
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25322
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

The get_allowed_mime_types function in wp-includes/functions.php in
WordPress before 3.6.1 does not require the unfiltered_html capability
for uploads of .htm and .html files, which might make it easier for
remote authenticated users to conduct cross-site scripting (XSS)
attacks via a crafted file.



======================================================
Name: CVE-2013-5739
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130911
Category: 
Reference: CONFIRM:http://codex.wordpress.org/Version_3.6.1
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/25322
Reference: CONFIRM:http://wordpress.org/news/2013/09/wordpress-3-6-1/

The default configuration of WordPress before 3.6.1 does not prevent
uploads of .swf and .exe files, which might make it easier for remote
authenticated users to conduct cross-site scripting (XSS) attacks via
a crafted file, related to the get_allowed_mime_types function in
wp-includes/functions.php.
Comment 2 David Walser 2013-09-12 13:43:07 CEST
Strange, the last two weren't mentioned here:
http://openwall.com/lists/oss-security/2013/09/12/1
Comment 3 David Walser 2013-09-13 17:13:50 CEST
Fixed in Cauldron in wordpress-3.6.1-1.mga4.
Comment 4 David Walser 2013-09-16 23:16:52 CEST
Debian has issued an advisory for this on September 14:
http://www.debian.org/security/2013/dsa-2757
Comment 5 Oden Eriksson 2013-09-17 08:50:26 CEST
3.6.1 has been submitted to 2 and 3
Comment 6 David Walser 2013-09-17 16:41:15 CEST
Advisory:
========================

Updated wordpress package fixes security vulnerabilities:

wp-includes/functions.php in WordPress before 3.6.1 does not properly
determine whether data has been serialized, which allows remote
attackers to execute arbitrary code by triggering erroneous PHP
unserialize operations (CVE-2013-4338).

WordPress before 3.6.1 does not properly validate URLs before use in
an HTTP redirect, which allows remote attackers to bypass intended
redirection restrictions via a crafted string (CVE-2013-4339).

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote
authenticated users to spoof the authorship of a post by leveraging
the Author role and providing a modified user_ID parameter (CVE-2013-4340).

The get_allowed_mime_types function in wp-includes/functions.php in
WordPress before 3.6.1 does not require the unfiltered_html capability
for uploads of .htm and .html files, which might make it easier for
remote authenticated users to conduct cross-site scripting (XSS)
attacks via a crafted file (CVE-2013-5738).

The default configuration of WordPress before 3.6.1 does not prevent
uploads of .swf and .exe files, which might make it easier for remote
authenticated users to conduct cross-site scripting (XSS) attacks via
a crafted file, related to the get_allowed_mime_types function in
wp-includes/functions.php (CVE-2013-5739).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
http://wordpress.org/news/2013/09/wordpress-3-6-1/
http://www.debian.org/security/2013/dsa-2757
========================

Updated packages in core/updates_testing:
========================
wordpress-3.6.1-1.mga2
wordpress-3.6.1-1.mga3

from SRPMS:
wordpress-3.6.1-1.mga2.src.rpm
wordpress-3.6.1-1.mga3.src.rpm
Comment 7 Dave Hodgins 2013-09-18 03:34:44 CEST
Advisory 11218.adv committed to svn. Testing shortly.
Comment 8 Dave Hodgins 2013-09-18 03:38:58 CEST
Install fails both releases, both arches. From urpmi --debug wordpress

found package(s): wordpress-3.4.1-1.1.mga2.noarch wordpress-3.5.1-1.1.mga2.noarch wordpress-3.3.2-2.mga2.noarch wordpress-3.4.2-1.mga2.noarch wordpress-3.6.1-1.mga2.noarch wordpress-3.5.2-1.mga2.noarch
opening rpmdb (root=, write=)
chosen wordpress-3.6.1-1.mga2.noarch for wordpress|wordpress|wordpress|wordpress|wordpress|wordpress
selecting wordpress-3.6.1-1.mga2.noarch
requiring pear(ntlm_sasl_client.php),php-mysql for wordpress-3.6.1-1.mga2.noarch
no packages match pear(ntlm_sasl_client.php) (it is either in skip.list or already rejected)
unselecting wordpress-3.6.1-1.mga2.noarch
adding a reason to already rejected package wordpress-3.6.1-1.mga2.noarch: unsatisfied pear(ntlm_sasl_client.php)
A requested package cannot be installed:
wordpress-3.6.1-1.mga2.noarch (due to unsatisfied pear(ntlm_sasl_client.php))
Comment 9 Oden Eriksson 2013-09-18 09:35:37 CEST
fixed with php-phpmailer-5.2.7-0.20130917.1.mga2 + php-phpmailer-5.2.7-0.20130917.1.mga3 (just submitted)
Comment 10 claire robinson 2013-09-18 14:05:02 CEST
Wordpress tested OK mga2 32 & 64 with new php-phpmailer but unsure yet how to test php-phpmailer
Comment 11 David Walser 2013-09-18 15:25:37 CEST
Thanks Oden!

The only other thing that requires php-phpmailer is galette, but if you can test wordpress features that cause it to send an e-mail, that'd probably be sufficient to test that.

Adding an addendum to the advisory.

Advisory:
========================

Updated wordpress package fixes security vulnerabilities:

wp-includes/functions.php in WordPress before 3.6.1 does not properly
determine whether data has been serialized, which allows remote
attackers to execute arbitrary code by triggering erroneous PHP
unserialize operations (CVE-2013-4338).

WordPress before 3.6.1 does not properly validate URLs before use in
an HTTP redirect, which allows remote attackers to bypass intended
redirection restrictions via a crafted string (CVE-2013-4339).

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote
authenticated users to spoof the authorship of a post by leveraging
the Author role and providing a modified user_ID parameter (CVE-2013-4340).

The get_allowed_mime_types function in wp-includes/functions.php in
WordPress before 3.6.1 does not require the unfiltered_html capability
for uploads of .htm and .html files, which might make it easier for
remote authenticated users to conduct cross-site scripting (XSS)
attacks via a crafted file (CVE-2013-5738).

The default configuration of WordPress before 3.6.1 does not prevent
uploads of .swf and .exe files, which might make it easier for remote
authenticated users to conduct cross-site scripting (XSS) attacks via
a crafted file, related to the get_allowed_mime_types function in
wp-includes/functions.php (CVE-2013-5739).

Additionally, php-phpmailer has been updated to a newer version required by
the updated wordpress.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
http://wordpress.org/news/2013/09/wordpress-3-6-1/
http://www.debian.org/security/2013/dsa-2757
========================

Updated packages in core/updates_testing:
========================
wordpress-3.6.1-1.mga2
php-phpmailer-5.2.7-0.20130917.1.mga2
wordpress-3.6.1-1.mga3
php-phpmailer-5.2.7-0.20130917.1.mga3

from SRPMS:
wordpress-3.6.1-1.mga2.src.rpm
php-phpmailer-5.2.7-0.20130917.1.mga2.src.rpm
wordpress-3.6.1-1.mga3.src.rpm
php-phpmailer-5.2.7-0.20130917.1.mga3.src.rpm
Comment 12 Dave Hodgins 2013-09-19 01:14:41 CEST
Updated 11218.adv committed to svn. Testing shortly.
Comment 13 Dave Hodgins 2013-09-19 01:57:52 CEST
Testing complete on Mageia 2 i586.

Created a blog page as the admin user, created a new user, as the
new user added a comment. Confirmed that the moderation email was
sent to the admin user.

Testing Mageia 2 x86_64 shortly.
Comment 14 Dave Hodgins 2013-09-19 02:16:15 CEST
Testing complete on Mageia 2 x86_64.

While testing, realized wordpress should have a requires on sendmail-command.
Otherwise sending the email fails with /var/log/httpd/error_log showing
sh: /usr/sbin/sendmail: No such file or directory

I'll open a bug report about the missing requires, after I finish testing
Mageia 3, which I'll do shortly.
Comment 15 Dave Hodgins 2013-09-19 02:49:22 CEST
Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 11218.adv to updates
Comment 16 Oden Eriksson 2013-09-19 11:08:02 CEST
(In reply to Dave Hodgins from comment #14)
> Testing complete on Mageia 2 x86_64.
> 
> While testing, realized wordpress should have a requires on sendmail-command.
> Otherwise sending the email fails with /var/log/httpd/error_log showing
> sh: /usr/sbin/sendmail: No such file or directory
> 
> I'll open a bug report about the missing requires, after I finish testing
> Mageia 3, which I'll do shortly.

Hmm, I wonder if it wouldn't be best to add a "Suggests: sendmail-command" for the lib(64)php5_common5 package?
Comment 17 Thomas Backlund 2013-09-19 11:54:03 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0285.html

Note You need to log in before you can comment on or make changes to this bug.