Date: Thu, 7 Aug 2014 00:00:06 -0400 From: Andrew Nacin <nacin@...dpress.org> To: Open Source Security <oss-security@...ts.openwall.com> Subject: Re: WordPress 3.9.2 release - needs CVE's Thanks Kurt, this was next on my to-do list. On Wed, Aug 6, 2014 at 11:42 PM, Kurt Seifried <kseifried@...hat.com> wrote: > > This release fixes a possible denial of service issue in PHP's XML > processing, reported by Nir Goldshlager of the Salesforce.com Product > Security Team. It was fixed by Michael Adams and Andrew Nacin of the > WordPress security team and David Rothstein of the Drupal security > team. This is the first time our two projects have coordinated on > joint security releases. Sigh. XML sucks and I somehow doubt many others are doing this right, either. PHP + libxml makes it pretty much impossible to parse an XML file safely. The issue was internal entity expansion (quadratic, not exponential). Not XXE and potentially not all that bad depending on server configuration. Per their security advisory, Drupal submitted a CVE request for this as well. This is actually a vulnerability in an external library ( http://scripts.incutio.com/xmlrpc/). We use the library as-is, while they forked it. (Well, they took the class and broke it into individual functions — the code was the same and our patches differed only in coding standards.) Not sure how this should be handled. For WordPress, this affected versions 1.5 - 3.9.1 (except 3.7.4 / 3.8.4 -- these were branch releases today in addition to 3.9.2). https://core.trac.wordpress.org/changeset/29405/branches/3.9 - -Fixes a possible but unlikely code execution when processing widgets > (WordPress is not affected by default), discovered by Alex Concha of > the WordPress security team. > This is an unsafe serialization vulnerability. Affected versions 3.9 and 3.9.1. https://core.trac.wordpress.org/changeset/29389 > - -Prevents information disclosure via XML entity attacks in the > external GetID3 library, reported by Ivan Novikov of ONSec. > This is an XXE in GetID3, http://getid3.sourceforge.net/. Upstream CVE-2014-2053. Affected WordPress versions 3.6 - 3.9.1 (except 3.7.4 / 3.8.4) https://core.trac.wordpress.org/changeset/29390 > - -Adds protections against brute attacks against CSRF tokens, reported > by David Tomaschik of the Google Security Team. Same reporter, same same line of code, but two separate issues here. One, when building CSRF tokens, the individual pieces were not separated by delimiter, so $action + $user_id could have been post_1 + user 23 or post 12 + user 3. Second issue: Nonces were not being compared in a time-constant manner. Neither are easy to exploit. Affected WordPress versions 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) https://core.trac.wordpress.org/changeset/29384 https://core.trac.wordpress.org/changeset/29408 - -Contains some additional security hardening, like preventing > cross-site scripting that could be triggered only by administrators. > XSS: https://core.trac.wordpress.org/changeset/29398 Affected WordPress versions 2.5 - 3.9.1 (except 3.7.4 / 3.8.4)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ