SQL injection vulnerability in wp-includes/query.php in WordPress CVE-2007-6318

Bug #181416 reported by Emanuele Gentili
Affects             Status         Importance   Assigned to        Milestone
wordpress (Debian)  Fix Released   Unknown
wordpress (Ubuntu)  Invalid        Undecided    Kees Cook
Dapper              Invalid        Undecided    Emanuele Gentili
Edgy                Invalid        Undecided    Emanuele Gentili
Feisty              Fix Released   Undecided    Kees Cook
Gutsy               Fix Released   Undecided    Kees Cook
Hardy               Invalid        Undecided    Kees Cook

Bug Description

Binary package hint: wordpress

query.php mistakenly uses is_admin() to check for admin privileges Trac

Revision history for this message
Emanuele Gentili (emgent) wrote :

debdiff ready.

Revision history for this message
Emanuele Gentili (emgent) wrote :

<email address hidden> Notified.

Response:

Thijs Kinkhorst <email address hidden>

Thanks for keeping us in the loop, I've noted this patch in our tracker
and it will probably be used for addressing the issue in Debian.

Thijs

Revision history for this message
Emanuele Gentili (emgent) wrote :

Please apply the patch on <= gutsy.
Hardy uses 2.3.2-1ubuntu1 and this version isn't vulnerable.

Changed in wordpress:
status: New → Fix Released
Revision history for this message
Emanuele Gentili (emgent) wrote :

Dapper not affected.

Changed in wordpress:
status: New → Invalid
assignee: nobody → emgent
Revision history for this message
Emanuele Gentili (emgent) wrote :

Edgy not affected.

Changed in wordpress:
assignee: nobody → emgent
status: New → Invalid
Revision history for this message
Emanuele Gentili (emgent) wrote :
Changed in wordpress:
status: New → Fix Released
status: New → Fix Released
Changed in wordpress:
status: Fix Released → Fix Committed
status: Fix Released → Fix Committed
status: Fix Released → Fix Committed
Changed in wordpress:
status: Unknown → New
Changed in wordpress:
status: Fix Committed → Confirmed
status: Fix Committed → Confirmed
status: Fix Committed → Confirmed
Revision history for this message
Emanuele Gentili (emgent) wrote :

cleaned debdiff attached

Revision history for this message
Emanuele Gentili (emgent) wrote :

cleaned debdiff attached

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I am unable to apply these debdiffs:

$ cat /tmp/gutsy_wordpress_2.2.2-1ubuntu1.2.debdiff | patch -p1
patching file debian/changelog
patch: **** malformed patch at line 15: wordpress (2.2.2-1ubuntu1.1) gutsy-security; urgency=low

$ cat /tmp/feisty_wordpress_2.1.3-1ubuntu1.1.debdiff | patch -p1
patching file debian/changelog
patch: **** malformed patch at line 15: wordpress (2.1.3-1ubuntu1) feisty; urgency=low

Can you regenerate the debdiffs and also update the changelog to use https://wiki.ubuntu.com/SecurityUpdateProcedures, point '5' of 'Preparing an Update'?

Thanks for your hard work on this!

Revision history for this message
Emanuele Gentili (emgent) wrote :

ok, debdiff to gutsy reviewed.
Now ready for upload

+wordpress (2.2.2-1ubuntu1.2) gutsy-security; urgency=low
+
+ * SECURITY UPDATE:
+ - SQL injection vulnerability in wp-includes/query.php
+ * References
+ - http://trac.wordpress.org/ticket/5487
+ - CVE-2007-6318 (LP: #181416)
+ * NON-Security fix
+ - blogroll fix in wp-admin/upgrade-functions.php
+ changed Planet Debian to Planet Ubuntu
+
+ -- Emanuele Gentili <email address hidden> Tue, 22 Jan 2008 18:34:21 +0100
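
Review bot: The "NON-Security fix" item (the blogroll change in wp-admin/upgrade-functions.php, Planet Debian to Planet Ubuntu) is unrelated to CVE-2007-6318 and should not ride along in a gutsy-security upload. Drop it from this entry and ship it separately, so the security update carries only the wp-includes/query.php change and stays easy to audit.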

Added a little fix to blogroll default items.

Revision history for this message
Emanuele Gentili (emgent) wrote :

ok, debdiff to feisty reviewed too.
Now ready for upload

+wordpress (2.1.3-1ubuntu1.1) feisty-security; urgency=low
+
+ * SECURITY UPDATE:
+ - SQL injection vulnerability in wp-includes/query.php
+ * References
+ - http://trac.wordpress.org/ticket/5487
+ - CVE-2007-6318 (LP: #181416)
+
+ -- Emanuele Gentili <email address hidden> Tue, 22 Jan 2008 19:48:59 +0100
+
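
Review bot: The SECURITY UPDATE item gives only a vulnerability class and a file name ("SQL injection vulnerability in wp-includes/query.php") and does not say what was changed in that file. Add a line describing the actual code change so a reader of the changelog can match the entry to the patch, and drop the empty "+" line after the signature.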

Revision history for this message
Kees Cook (kees) wrote :

As stated, Hardy is not vulnerable.

Changed in wordpress:
assignee: nobody → keescook
status: Confirmed → Invalid
Revision history for this message
Kees Cook (kees) wrote :

The changelog says "SQL injection", but it is just an admin test failure to see unpublished posts. I've adjusted the changelog to follow the SUP more closely. The changes are building now and should be published shortly. Thanks for the fixed debdiffs!

Changed in wordpress:
assignee: nobody → keescook
status: Confirmed → Fix Committed
assignee: nobody → keescook
status: Confirmed → Fix Committed
Kees Cook (kees)
Changed in wordpress:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in wordpress:
status: New → Fix Released
Revision history for this message
Abel Cheung (abelcheung) wrote :

Of course, because the fix is completely irrelevant to CVE-2007-6318, which is not fixed even after WordPress 2.3.3. The fix is against another vuln instead:

http://xforce.iss.net/xforce/xfdb/39409

I don't know how wrong and how far this advisory goes, though.
