oss-sec mailing list archives
Re: WordPress 3.9.2 release - needs CVE's
From: Andrew Nacin <nacin () wordpress org>
Date: Thu, 7 Aug 2014 00:00:06 -0400
Thanks Kurt, this was next on my to-do list.

On Wed, Aug 6, 2014 at 11:42 PM, Kurt Seifried <kseifried () redhat com> wrote:
> This release fixes a possible denial of service issue in PHP's XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated on joint security releases.
Sigh. XML sucks and I somehow doubt many others are doing this right, either. PHP + libxml makes it pretty much impossible to parse an XML file safely. The issue was internal entity expansion (quadratic, not exponential). Not XXE and potentially not all that bad depending on server configuration. Per their security advisory, Drupal submitted a CVE request for this as well. This is actually a vulnerability in an external library ( http://scripts.incutio.com/xmlrpc/). We use the library as-is, while they forked it. (Well, they took the class and broke it into individual functions — the code was the same and our patches differed only in coding standards.) Not sure how this should be handled. For WordPress, this affected versions 1.5 - 3.9.1 (except 3.7.4 / 3.8.4 -- these were branch releases today in addition to 3.9.2).
https://core.trac.wordpress.org/changeset/29405/branches/3.9

> - Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
This is an unsafe serialization vulnerability. Affected versions 3.9 and 3.9.1.
https://core.trac.wordpress.org/changeset/29389
> - Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
This is an XXE in GetID3, http://getid3.sourceforge.net/. Upstream CVE-2014-2053. Affected WordPress versions 3.6 - 3.9.1 (except 3.7.4 / 3.8.4).
https://core.trac.wordpress.org/changeset/29390
> - Adds protections against brute attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
Same reporter, same line of code, but two separate issues here. One, when building CSRF tokens, the individual pieces were not separated by a delimiter, so $action + $user_id could have been post_1 + user 23 or post 12 + user 3. Second issue: nonces were not being compared in a time-constant manner. Neither is easy to exploit. Affected WordPress versions 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4).
https://core.trac.wordpress.org/changeset/29384
https://core.trac.wordpress.org/changeset/29408

> - Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
XSS: https://core.trac.wordpress.org/changeset/29398
Affected WordPress versions 2.5 - 3.9.1 (except 3.7.4 / 3.8.4)
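The two nonce issues Andrew describes (undelimited pieces and a non-constant-time comparison), shown side by side as an added illustration that is not WordPress code and does not use its real nonce format or key; the HMAC key, the 10-character truncation and the action/user values are constructed for the demonstration.

```python
import hmac
import hashlib

# Constructed secret for the example; a real site derives this from its own keys.
SECRET_KEY = b"constructed-example-key"


def weak_token(action: str, user_id: int) -> str:
    """Flawed construction: pieces concatenated with no delimiter.

    "post_1" + 23 and "post_12" + 3 both become "post_123", so two
    unrelated (action, user) pairs share one token.
    """
    msg = f"{action}{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def fixed_token(action: str, user_id: int) -> str:
    """Hardened construction: an explicit delimiter makes the boundary unambiguous."""
    msg = f"{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def verify_weak(token: str, action: str, user_id: int) -> bool:
    """Plain == comparison: exits early on the first mismatching byte,
    which is the timing side channel the second fix addresses."""
    return token == weak_token(action, user_id)


def verify_fixed(token: str, action: str, user_id: int) -> bool:
    """Constant-time comparison of the expected and supplied token."""
    return hmac.compare_digest(token, fixed_token(action, user_id))


def ambiguity_demo() -> dict:
    """Return whether the two (action, user) pairs collide under each scheme."""
    return {
        "weak_collides": weak_token("post_1", 23) == weak_token("post_12", 3),
        "fixed_collides": fixed_token("post_1", 23) == fixed_token("post_12", 3),
    }


if __name__ == "__main__":
    print(ambiguity_demo())
```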