Re: CVE-request: WordPress 3.1.1

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/17/2012 03:35 AM, Henri Salo wrote:
> I previously requested CVE-identifiers for two WordPress 3.1.1
> issues (2011), which are still not assigned.
>
> > 1) Certain unspecified input is not properly sanitised before
> > being returned to the user. This can be exploited to execute
> > arbitrary HTML and script code in a user's browser session in
> > context of an affected site. http://osvdb.org/show/osvdb/72141
>
> Hanno Böck said in http://seclists.org/oss-sec/2012/q1/151 that
> CVE-2012-0287 is for this issue.
>
> ====================================================== Name:
> CVE-2012-0287 Status: Candidate URL:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0287 Phase:
> Assigned (20120103) Category: Reference:
> MISC:http://oldmanlab.blogspot.com/2012/01/wordpress-33-xss-vulnerability.html
Reference: CONFIRM:https://wordpress.org/news/2012/01/wordpress-3-3-1/
> Reference: SECTRACK:1026542 Reference:
> URL:http://www.securitytracker.com/id?1026542
>
> Cross-site scripting (XSS) vulnerability in wp-comments-post.php
> in WordPress 3.3.x before 3.3.1, when Internet Explorer is used,
> allows remote attackers to inject arbitrary web script or HTML via
> the query string in a POST operation that is not properly handled
> by the "Duplicate comment detected" feature.
>
>
> Current Votes: None (candidate not yet proposed) 
> ======================================================
>
> It seems to be assigned for 3.3.1 and not for 3.1.1. Sorry for my
> mistake also in last emails.
>
> > 2) The "make_clickable()" function in wp-includes/formatting.php
> > does not properly check the URL length in comments before passing
> > it to the PCRE library, which can be exploited to cause a crash. 
> > http://osvdb.org/show/osvdb/72142
> >
> > http://wordpress.org/news/2011/04/wordpress-3-1-1/ 
> > http://secunia.com/advisories/44038/ 
> > http://seclists.org/cert/2011/63
>
> Still no CVE.
>
> > I even contacted WordPress administrators and asked if this does
> > have CVE, but they haven't replied for some reason.
>
> Still no answer.
>
> Can we now assign CVE-identifiers for 3.1.1 issues, thanks? List of
> issues in 3.1.1 can be found from here
> http://core.trac.wordpress.org/query?status=closed&resolution=fixed&milestone=3.1.1&group=resolution&order=priority
> and related news article in here
> http://wordpress.org/news/2011/04/wordpress-3-1-1/
>
> - Henri Salo

Can you make a clean list of security issues and the versions
affected? Thanks.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPjkzDAAoJEBYNRVNeJnmT/38P/j++BHPUsrJmNF6eu5rJdEu5
fBFp0M1h+bEkaAC/BeRq4P4eHxsJYYTK+SwXnZpEd7lsJyZcmvTgU/kBmW97Ropx
0vnAeno/dsxe2ghJtQCC03vi32QCv4IkGVK+j4v0yqJvHS99p6aH+hHOu64MNZ+y
AywKw6pvpSpA3JjJAzZQj9LU7Rtjyhab0cPnlb2LuWwgWsZhVsJipDmHkAmuwdRo
iXuTm4yYroTescVKyt6LFrmEr0Xg9jmz/tD78ebfIm5WtK8/0a5DNWIUTSc30xnR
IIuik7umg+bRI3/ujL+ocy6j+hWDiYAniPgA5xbEb3NPw9D6XnJyuUK8Or5ypeWb
R5rFNcUxnN2SWVZnRIScUBZAaV0jFMlWwoWfUJLDYZLDSNspQwmNw1mq9wzz1TAu
5XY1X1EJimvu8tDlHKWkT6mNNxesevwfXVhPbyyz7TBFHjsWtGN6EI3WWP8I+q7x
WzpW3c9PZ7bCuhH7qQDeQZjZUYAZr/+ABnFJneSSB9ivZGR+qUCHNOe7JDhb1tFQ
+aWxZk8vBgS/axuDJmHMbvFFq14I1jSWkjTuN8dzvTywi0Mmoy5U/tgPSCdXnL/S
iJnUmQBwq2KDCdLAuo4jvoEeFyVMEea52NHeWmSS9iqiYhJr6PG26Vh5ViGAi3zk
6HJPopg1Gohg7N+OG9ar
=gpwu
-----END PGP SIGNATURE-----