oss-sec mailing list archives

Re: WordPress 3.9.2 release - needs CVE's


From: Andrew Nacin <nacin () wordpress org>
Date: Thu, 7 Aug 2014 00:00:06 -0400

Thanks Kurt, this was next on my to-do list.

On Wed, Aug 6, 2014 at 11:42 PM, Kurt Seifried <kseifried () redhat com> wrote:

This release fixes a possible denial of service issue in PHP's XML
processing, reported by Nir Goldshlager of the Salesforce.com Product
Security Team. It was fixed by Michael Adams and Andrew Nacin of the
WordPress security team and David Rothstein of the Drupal security
team. This is the first time our two projects have coordinated on
joint security releases.


Sigh. XML sucks and I somehow doubt many others are doing this right,
either. PHP + libxml makes it pretty much impossible to parse an XML file
safely. The issue was internal entity expansion (quadratic, not
exponential). Not XXE and potentially not all that bad depending on server
configuration.

Per their security advisory, Drupal submitted a CVE request for this as
well. This is actually a vulnerability in an external library (
http://scripts.incutio.com/xmlrpc/). We use the library as-is, while they
forked it. (Well, they took the class and broke it into individual
functions — the code was the same and our patches differed only in coding
standards.) Not sure how this should be handled.

For WordPress, this affected versions 1.5 - 3.9.1 (except 3.7.4 / 3.8.4 --
these were branch releases today in addition to 3.9.2).

https://core.trac.wordpress.org/changeset/29405/branches/3.9

- Fixes a possible but unlikely code execution when processing widgets
(WordPress is not affected by default), discovered by Alex Concha of
the WordPress security team.


This is an unsafe serialization vulnerability. Affected versions 3.9 and
3.9.1.

https://core.trac.wordpress.org/changeset/29389


- Prevents information disclosure via XML entity attacks in the
external GetID3 library, reported by Ivan Novikov of ONSec.


This is an XXE in GetID3, http://getid3.sourceforge.net/. Upstream
CVE-2014-2053.
Affected WordPress versions 3.6 - 3.9.1 (except 3.7.4 / 3.8.4)

https://core.trac.wordpress.org/changeset/29390


- Adds protections against brute attacks against CSRF tokens, reported
by David Tomaschik of the Google Security Team.


Same reporter, same line of code, but two separate issues here. One,
when building CSRF tokens, the individual pieces were not separated by a
delimiter, so $action + $user_id could have been post_1 + user 23 or post
12 + user 3. Second issue: nonces were not being compared in a
time-constant manner. Neither is easy to exploit.

Affected WordPress versions 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4)

https://core.trac.wordpress.org/changeset/29384
https://core.trac.wordpress.org/changeset/29408

- Contains some additional security hardening, like preventing
cross-site scripting that could be triggered only by administrators.


XSS: https://core.trac.wordpress.org/changeset/29398

Affected WordPress versions 2.5 - 3.9.1 (except 3.7.4 / 3.8.4)
