wordpress: CVE-2018-12895

Debian Bug report logs - #902876
wordpress: CVE-2018-12895

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: wordpress: CVE-2018-12895

Date: Mon, 02 Jul 2018 19:28:17 +0200

Source: wordpress
Version: 4.9.5+dfsg1-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for wordpress.

CVE-2018-12895[0]:
| WordPress through 4.9.6 allows Author users to execute arbitrary code
| by leveraging directory traversal in the wp-admin/post.php thumb
| parameter, which is passed to the PHP unlink function and can delete
| the wp-config.php file. This is related to missing filename validation
| in the wp-includes/post.php wp_delete_attachment function. The attacker
| must have capabilities for files and posts that are normally available
| only to the Author, Editor, and Administrator roles. The attack
| methodology is to delete wp-config.php and then launch a new
| installation process to increase the attacker's privileges.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12895
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
[1] https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 902876@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 902876@bugs.debian.org

Subject: Re: Bug#902876: wordpress: CVE-2018-12895

Date: Tue, 3 Jul 2018 12:34:39 +1000

[Message part 1 (text/plain, inline)]

Hi,
  I was waiting for a WordPress update but for whatever reason it's not
coming.

The impact is less for Debian packages as most of the files are not
writable by the www-data user. A standard installation has to be writable
for the automatic updates.

However plugin and themes are generally writable, so there is still an
impact.

The HitFix looks okay. I will look into it further and if still ok use that
one.

 - Craig

-- 
Craig Small             https://dropbear.xyz/     csmall at : dropbear.xyz
Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees
GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

[Message part 2 (text/html, inline)]

Message #15 received at 902876@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 902876@bugs.debian.org

Subject: Re: Bug#902876: wordpress: CVE-2018-12895

Date: Sat, 7 Jul 2018 22:35:44 +1000

[Message part 1 (text/plain, inline)]

Looks like they made a release, 4.9.7 with the fix. Uploading soon.

The relevant patch (for backports) is
https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd


On Tue, 3 Jul 2018 at 12:34 Craig Small <csmall@debian.org> wrote:

>
> Hi,
>   I was waiting for a WordPress update but for whatever reason it's not
> coming.
>
> The impact is less for Debian packages as most of the files are not
> writable by the www-data user. A standard installation has to be writable
> for the automatic updates.
>
> However plugin and themes are generally writable, so there is still an
> impact.
>
> The HitFix looks okay. I will look into it further and if still ok use
> that one.
>
>  - Craig
>
> --
> Craig Small             https://dropbear.xyz/     csmall at : dropbear.xyz
> Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
> Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees
> GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5
>
-- 
Craig Small             https://dropbear.xyz/     csmall at : dropbear.xyz
Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees
GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

[Message part 2 (text/html, inline)]

Message #20 received at 902876-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: 902876-close@bugs.debian.org

Subject: Bug#902876: fixed in wordpress 4.9.7+dfsg1-1

Date: Sat, 07 Jul 2018 13:07:48 +0000

Source: wordpress
Source-Version: 4.9.7+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902876@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 Jul 2018 22:29:18 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.9.7+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 902876
Changes:
 wordpress (4.9.7+dfsg1-1) unstable; urgency=high
 .
   * New upstream source
   * Fix directory traversal in thumb parameter
     CVE-2018-12895 Closes: #902876
Checksums-Sha1:
 182a3281f1a8a75987020fd14cbe9272773df350 2518 wordpress_4.9.7+dfsg1-1.dsc
 f28f0ba94822c1cbbeade7dc06ad2198b6e9fca7 6847328 wordpress_4.9.7+dfsg1.orig.tar.xz
 8e23a31547ad30c652f2316d995654c8c4baf676 6779172 wordpress_4.9.7+dfsg1-1.debian.tar.xz
 3b4c7faaf97e760e28cb038bc67b23a1886cfa38 4382020 wordpress-l10n_4.9.7+dfsg1-1_all.deb
 d72429b0cb56e13fa7a0c03b96be7110553af2a4 701500 wordpress-theme-twentyfifteen_4.9.7+dfsg1-1_all.deb
 fa70325269d35d60046c3902ec017b7581cabf78 942256 wordpress-theme-twentyseventeen_4.9.7+dfsg1-1_all.deb
 320c1f4347ff4e621f5f1cfb9e28cef0f08cec29 589972 wordpress-theme-twentysixteen_4.9.7+dfsg1-1_all.deb
 ee1e8ee36d48aaafbe8c442881e37bc503e9fd1f 4584280 wordpress_4.9.7+dfsg1-1_all.deb
 596853867e7b57b2b98e57f5aff7565ebc363df2 7459 wordpress_4.9.7+dfsg1-1_amd64.buildinfo
Checksums-Sha256:
 293479d1e6c64238dcfd9ef9f4c74bdffad645b86988f70827c983180416ffdd 2518 wordpress_4.9.7+dfsg1-1.dsc
 f968828bed61befdc6839de9ef40ad52f22a3f4d6de5d6b15fb9ea8ab91a4e69 6847328 wordpress_4.9.7+dfsg1.orig.tar.xz
 55ec528f787c916cc04ceb42eee1584d4db7211494f5541dfd1e217eb76ee8ba 6779172 wordpress_4.9.7+dfsg1-1.debian.tar.xz
 854d43d004b6d4d715404ca0a7bf85cd1d037cd612f8a3b62c16e29b37f13bcb 4382020 wordpress-l10n_4.9.7+dfsg1-1_all.deb
 785ede3de2690b07f45e21f4b42212ff8ea74e71400cd57e5c220eccd976074d 701500 wordpress-theme-twentyfifteen_4.9.7+dfsg1-1_all.deb
 fb154b84374d288ec2d0f778ceb04be704a89996272dbe2e7c334c352825b6b8 942256 wordpress-theme-twentyseventeen_4.9.7+dfsg1-1_all.deb
 fb48c4879f6385a73b06eab3f660daa9cce0521a2fe05c22f0d4ce2a1a9d181d 589972 wordpress-theme-twentysixteen_4.9.7+dfsg1-1_all.deb
 acd1f256c7e3d2ca2c9b53f2b13addb19221ef60e97755259c2748ff9468a09c 4584280 wordpress_4.9.7+dfsg1-1_all.deb
 5a10e90c2d9e7b60a76b8d49d01405e8736c6654fda0fe24c22ac0e0a557a223 7459 wordpress_4.9.7+dfsg1-1_amd64.buildinfo
Files:
 f3952551b6114cdc9bc5f9b5935f04fe 2518 web optional wordpress_4.9.7+dfsg1-1.dsc
 ff7789d2bb313927538eef65ee5ac2d8 6847328 web optional wordpress_4.9.7+dfsg1.orig.tar.xz
 9501f9777a81fa4f6eee8542b93dd482 6779172 web optional wordpress_4.9.7+dfsg1-1.debian.tar.xz
 0cfc77a6ef6c4dc3df327e06e15ed4c9 4382020 localization optional wordpress-l10n_4.9.7+dfsg1-1_all.deb
 367adc4a5b8ccabe44b1a63679c1bc39 701500 web optional wordpress-theme-twentyfifteen_4.9.7+dfsg1-1_all.deb
 8f1780b6392da24f85411dd48aaa6d8e 942256 web optional wordpress-theme-twentyseventeen_4.9.7+dfsg1-1_all.deb
 ed10f9d10452e7c82a1e59af29df86f1 589972 web optional wordpress-theme-twentysixteen_4.9.7+dfsg1-1_all.deb
 7fc42d49e9b065c609359f3c6e0d7211 4584280 web optional wordpress_4.9.7+dfsg1-1_all.deb
 f816a8ba15ee35eb147392e42887b0cd 7459 web optional wordpress_4.9.7+dfsg1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAltAtLMACgkQAiFmwP88
hOMcOA/+ObA3dJqVewqgw9EG+jbs6iYMr1WTRnzmw6EGfsuqzoZcL/18haYIjPXC
CnItpro4ZxTSoDXb/ta4hYoa5EmXKrL6zXTwA6dDwWbu1TrEvLswHrOBWjAtxpfM
eVjCoNwl5awzlUhJqhBUwHBlcgcuS2rZMm5110G3l0VTEXDf9gz3Wa7J9iXNzdkQ
Ux2F1Am0LBRm7ldSzMGJc+0et1a93jAkF36lBFiq2hMjNTDr7c9vDL4sxofbFBad
0HFfeUmgDEdufHl7twoTUfQhG5O6jacjrur40eqJrZcP1YLvnyoKrLaU3DeuhfQI
vcSCJf0LNW61KyxYhPXpt6guhiAhWqt06HVrc83g0pi+bmBuRP8rlKxc6r2dxLn3
5HGU2hj9HmVNj2Au4Ugdxtu0ZV2J8CEAjF32IvYL3ULFN0iIRvld4fJuxnmoriWW
XvKYRN0aR/94YLjfggTJBhfOxVgOEFqZ/nVZv0sNasu5LqHSRtoD9nGSuKSus97v
WWRz0jY5mzm7NgTU3tga6JjuVQETi+MZeSUXlML9Idw8f2OZ3XVoljff7ssGyWeD
hf7m6qM+F6YZtoUaiwpT8fyjDRO5aezFQhxgB06ylDFxPGFyb9d91RutQ7Nd8Ihn
bHYoQcVd/4XRhRNjY7MOC65iAkyDduP4Qffa6j+Y2plRYQYeU4g=
=x4RP
-----END PGP SIGNATURE-----

Message #25 received at 902876@bugs.debian.org (full text, mbox, reply):

From: Rodrigo Campos <rodrigo@sdfg.com.ar>

To: Craig Small <csmall@debian.org>, 902876@bugs.debian.org

Cc: Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#902876: wordpress: CVE-2018-12895

Date: Sat, 7 Jul 2018 16:29:39 +0100

On Sat, Jul 07, 2018 at 10:35:44PM +1000, Craig Small wrote:
> Looks like they made a release, 4.9.7 with the fix. Uploading soon.
> 
> The relevant patch (for backports) is
> https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd

I can only backport from packages in stable, so we need it applied there first :-)

Message #30 received at 902876@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: Rodrigo Campos <rodrigo@sdfg.com.ar>

Cc: 902876@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#902876: wordpress: CVE-2018-12895

Date: Mon, 9 Jul 2018 22:04:56 +1000

[Message part 1 (text/plain, inline)]

I have sent the debdiff for stretch to the security team. Once they are
happy about it, stretch will get that update.

 - Craig




On Sun, 8 Jul 2018 at 01:37 Rodrigo Campos <rodrigo@sdfg.com.ar> wrote:

> On Sat, Jul 07, 2018 at 10:35:44PM +1000, Craig Small wrote:
> > Looks like they made a release, 4.9.7 with the fix. Uploading soon.
> >
> > The relevant patch (for backports) is
> >
> https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
>
> I can only backport from packages in stable, so we need it applied there
> first :-)
>
-- 
Craig Small             https://dropbear.xyz/     csmall at : dropbear.xyz
Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees
GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

[Message part 2 (text/html, inline)]

Message #35 received at 902876@bugs.debian.org (full text, mbox, reply):

From: Rodrigo Campos <rodrigo@sdfg.com.ar>

To: Craig Small <csmall@debian.org>

Cc: 902876@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#902876: wordpress: CVE-2018-12895

Date: Mon, 9 Jul 2018 14:45:55 +0100

On Mon, Jul 09, 2018 at 10:04:56PM +1000, Craig Small wrote:
> I have sent the debdiff for stretch to the security team. Once they are
> happy about it, stretch will get that update.

Great, thanks a lot! :-)

Message #40 received at 902876-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>

To: 902876-close@bugs.debian.org

Subject: Bug#902876: fixed in wordpress 4.7.5+dfsg-2+deb9u4

Date: Thu, 19 Jul 2018 19:17:40 +0000

Source: wordpress
Source-Version: 4.7.5+dfsg-2+deb9u4

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 902876@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 08 Jul 2018 22:06:46 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.7.5+dfsg-2+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 902876
Changes:
 wordpress (4.7.5+dfsg-2+deb9u4) stretch-security; urgency=high
 .
   * Backport security patch from 4.9.7 Closes: #902876
     - CVE-2018-12895 Fix directory traversal in thumb parameter
Checksums-Sha1:
 ffdcd6221f5aece954a355999eefcf159ab20607 2567 wordpress_4.7.5+dfsg-2+deb9u4.dsc
 980e8d70fefa952d001fc1f6dc1710af94ed3198 6791728 wordpress_4.7.5+dfsg-2+deb9u4.debian.tar.xz
 88ff239bd4c9efc8ff40ce5c63a1f91b383decc4 4383236 wordpress-l10n_4.7.5+dfsg-2+deb9u4_all.deb
 789fb550200be1af73184e2a6a068f21a1cb6834 700820 wordpress-theme-twentyfifteen_4.7.5+dfsg-2+deb9u4_all.deb
 0ab3fa413e1886c9bf424c3dc6ec72e8e58cfe00 940594 wordpress-theme-twentyseventeen_4.7.5+dfsg-2+deb9u4_all.deb
 6ab5fe838b1159372eb842b8c853b106b38addb3 589544 wordpress-theme-twentysixteen_4.7.5+dfsg-2+deb9u4_all.deb
 05275afaa138e2e4cba7012f137eccfd19b93902 4001532 wordpress_4.7.5+dfsg-2+deb9u4_all.deb
 eeccedf70d1f22c9eb36fdcf257e6aeeeaafcff8 7445 wordpress_4.7.5+dfsg-2+deb9u4_amd64.buildinfo
Checksums-Sha256:
 d464f662b3c9bee41ddf0a024663f39088fbc8132accc69f10c0dc4ebfdb4bd4 2567 wordpress_4.7.5+dfsg-2+deb9u4.dsc
 deb400c94e68826c1a048d5bb874978fb15e62e76c65e29039a1da72633f2a3d 6791728 wordpress_4.7.5+dfsg-2+deb9u4.debian.tar.xz
 3c8d7db2279c24782a84989f0e557e64323ca13e0dc5db963994b91d38afc210 4383236 wordpress-l10n_4.7.5+dfsg-2+deb9u4_all.deb
 9a8df48c72945ca8e437f82039231b25771ded4b6e2730709542c8cc6beb5d99 700820 wordpress-theme-twentyfifteen_4.7.5+dfsg-2+deb9u4_all.deb
 7bd5463a65bf8ada456db341eb77a985b0288759ea5dbc52cf7fdcf1f213f3b5 940594 wordpress-theme-twentyseventeen_4.7.5+dfsg-2+deb9u4_all.deb
 ef46993a6bd5c8e05bbc50e0d23fa1be9753fdd8410f8ad65c4cbeb72b251667 589544 wordpress-theme-twentysixteen_4.7.5+dfsg-2+deb9u4_all.deb
 4dc8787d34dae86e63f5da8dd96b2ded4a22371b500198d77b5086c030a41a74 4001532 wordpress_4.7.5+dfsg-2+deb9u4_all.deb
 733830341c68a7f6ad86c73916dfb33329f9d45e2fcac380cf450332745c28fc 7445 wordpress_4.7.5+dfsg-2+deb9u4_amd64.buildinfo
Files:
 0fed1949b5eed57ca50b793db4800db3 2567 web optional wordpress_4.7.5+dfsg-2+deb9u4.dsc
 acf6fcf707dfd603a99de11fe385a8ac 6791728 web optional wordpress_4.7.5+dfsg-2+deb9u4.debian.tar.xz
 8161de824a1371b810eb26d49e50fcd7 4383236 localization optional wordpress-l10n_4.7.5+dfsg-2+deb9u4_all.deb
 cbf8b718bde37d178fb521625c44f79b 700820 web optional wordpress-theme-twentyfifteen_4.7.5+dfsg-2+deb9u4_all.deb
 387a02757dffb6126e5b96411124a41e 940594 web optional wordpress-theme-twentyseventeen_4.7.5+dfsg-2+deb9u4_all.deb
 34df3abee212991a18e0631e2e983c74 589544 web optional wordpress-theme-twentysixteen_4.7.5+dfsg-2+deb9u4_all.deb
 74bf388730dac80a8109951cd6ac6452 4001532 web optional wordpress_4.7.5+dfsg-2+deb9u4_all.deb
 eb790d2b60f759b2a43465e52e25a08a 7445 web optional wordpress_4.7.5+dfsg-2+deb9u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXT3w9TizJ8CqeneiAiFmwP88hOMFAltNysUACgkQAiFmwP88
hOMIxw/+Lx1q21UyWXWPx2KewDfibNy4kx8Gfv7cSnv5nt0JPjAhbM4gbdRDix9F
F4/XmM1G5n/hwYLOPcDGcavLlX33ramv8EDKhEnoOwYhl81Xc5w0qfBlr/3FOoIJ
mOWoab7M5HZmGC42kv9BnA08aqG4AQU/lgtbPUseVkLFTUNYOk5tNew4Djkeewel
u+El/FYi21N4/zPYf5eBUquH0nM4u/DJjuPhI+SrEAXSYbu3dnHPHncrVEz+kAe2
m5FaNB+4QUjNKV4UtI8ml8M8gGJABCaCfSw/IIAjcvCZ7wbGmWVaP8oy/M4Ha6jk
mgFvzT2STnAipvhcicf+5g3lhJNsYSMc+zAf/eEhpI2vpKvUHbUVROvUIcvfPWl1
3fI8F8brnqIvmMo/3OIWp9Ahp0A1oTbCiuMik6GmnZWugLRjQhxSDYvv9wPx3U7W
rKNCrN/hZvUM7bI3AH34qYaHPl/OIH7oiAXJKQF4uw5zHqoPBRjrjbC3UESzs/gC
NQQqKBQYouTV+2JyHj3tAaXOyiyhJcJezuGoLJE7DcKbXoEzXgsREEaLJ+O9vMfP
+9/dR1aHAFtDAwrlTzupsS40UYIDpGq5qMxKVdUALmHKw6BYqieBuj2MHPKLP1or
X1dT2JJksmYxI8nsKkjW1QI/w8lzBOw+ECL9XFWMtvC3fxOblSQ=
=tlmr
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.