wordpress: CVE-2017-16510: Unsafe queries with wpdb->prepare

Related Vulnerabilities: CVE-2017-16510  

Debian Bug report logs - #880528

Reported by: Craig Small <csmall@debian.org>

Date: Wed, 1 Nov 2017 19:45:02 UTC

Severity: grave

Tags: pending, security, upstream

Found in version wordpress/4.8.2+dfsg-2

Fixed in version wordpress/4.8.3+dfsg-1

Done: Craig Small <csmall@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org:
Bug#880528; Package src:wordpress. (Wed, 01 Nov 2017 19:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Craig Small <csmall@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Wed, 01 Nov 2017 19:45:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: Unsafe queries with wpdb->prepare
Date: Thu, 02 Nov 2017 06:40:04 +1100
Source: wordpress
Version: 4.8.2+dfsg-2
Severity: grave
Tags: upstream security
Justification: user security hole

WordPress versions 4.8.2 and earlier are affected by an issue where
$wpdb->prepare() can create unexpected and unsafe queries leading to
potential SQL injection (SQLi). WordPress core is not directly vulnerable
to this issue, but we’ve added hardening to prevent plugins and themes from
accidentally causing a vulnerability.

I have attempted to get a CVE id for it but the Mitre website is
throwing errors again on the submit button.


References:
https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
https://wpvulndb.com/vulnerabilities/8941
https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Thu, 02 Nov 2017 11:39:10 GMT) (full text, mbox, link).


Notification sent to Craig Small <csmall@debian.org>:
Bug acknowledged by developer. (Thu, 02 Nov 2017 11:39:10 GMT) (full text, mbox, link).


Message #10 received at 880528-close@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 880528-close@bugs.debian.org
Subject: Bug#880528: fixed in wordpress 4.8.3+dfsg-1
Date: Thu, 02 Nov 2017 11:36:33 +0000
Source: wordpress
Source-Version: 4.8.3+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 880528@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 Nov 2017 22:16:15 +1100
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentysixteen wordpress-theme-twentyfifteen wordpress-theme-twentyseventeen
Architecture: source all
Version: 4.8.3+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyseventeen - weblog manager - twentyseventeen theme files
 wordpress-theme-twentysixteen - weblog manager - twentysixteen theme files
Closes: 880528
Changes:
 wordpress (4.8.3+dfsg-1) unstable; urgency=high
 .
   * New upstream security release Closes: #880528




Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#880528; Package src:wordpress. (Thu, 02 Nov 2017 11:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Thu, 02 Nov 2017 11:45:04 GMT) (full text, mbox, link).


Message #15 received at 880528@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Craig Small <csmall@debian.org>, 880528@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#880528: wordpress: Unsafe queries with wpdb->prepare
Date: Thu, 2 Nov 2017 12:41:14 +0100

Hi Craig,

On Thu, Nov 02, 2017 at 06:40:04AM +1100, Craig Small wrote:
> I have attempted to get a CVE id for it but the Mitre website is
> throwing errors again on the submit button.

Did you try to resubmit the request later? Still get an error?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#880528; Package src:wordpress. (Thu, 02 Nov 2017 20:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Thu, 02 Nov 2017 20:09:03 GMT) (full text, mbox, link).


Message #20 received at 880528@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 880528@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#880528: wordpress: Unsafe queries with wpdb->prepare
Date: Thu, 02 Nov 2017 20:05:37 +0000

I did it 4 times. 4th time lucky!

The reply came in a few minutes ago.

On Thu, 2 Nov. 2017, 22:41 Salvatore Bonaccorso, <carnil@debian.org> wrote:

> Hi Craig,
>
> On Thu, Nov 02, 2017 at 06:40:04AM +1100, Craig Small wrote:
> > I have attempted to get a CVE id for it but the Mitre website is
> > throwing errors again on the submit button.
>
> Did you try to resubmit the request later? Still get an error?
>
> Regards,
> Salvatore
>
-- 
Craig Small             https://dropbear.xyz/     csmall at : enc.com.au
Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees
GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#880528; Package src:wordpress. (Thu, 02 Nov 2017 21:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Thu, 02 Nov 2017 21:18:03 GMT) (full text, mbox, link).


Message #25 received at 880528@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Craig Small <csmall@debian.org>, 880528@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#880528: wordpress: Unsafe queries with wpdb->prepare
Date: Thu, 2 Nov 2017 22:15:40 +0100

Control: retitle -1 wordpress: CVE-2017-16510: Unsafe queries with wpdb->prepare

Hi Craig!

On Thu, Nov 02, 2017 at 08:05:37PM +0000, Craig Small wrote:
> I did it 4 times. 4th time lucky!
> 
> The reply came in a few minutes ago.

Thanks for doing so (it's strange, did several requests recently and
never encountered similar problems).

The issue has been assigned CVE-2017-16510

Regards,
Salvatore



Changed Bug title to 'wordpress: CVE-2017-16510: Unsafe queries with wpdb->prepare' from 'wordpress: Unsafe queries with wpdb->prepare'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 880528-submit@bugs.debian.org. (Thu, 02 Nov 2017 21:18:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#880528; Package src:wordpress. (Tue, 28 Nov 2017 13:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Tue, 28 Nov 2017 13:21:03 GMT) (full text, mbox, link).


Message #32 received at 880528@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>
To: Craig Small <csmall@debian.org>, 880528@bugs.debian.org
Cc: Rodrigo Campos <rodrigo@sdfg.com.ar>
Subject: Re: Bug#880528: wordpress: Unsafe queries with wpdb->prepare
Date: Tue, 28 Nov 2017 13:17:55 +0000

On Thu, Nov 02, 2017 at 06:40:04AM +1100, Craig Small wrote:
> Source: wordpress
> Version: 4.8.2+dfsg-2
> Severity: grave
> Tags: upstream security
> Justification: user security hole
> 
> WordPress versions 4.8.2 and earlier are affected by an issue where
> $wpdb->prepare() can create unexpected and unsafe queries leading to
> potential SQL injection (SQLi). WordPress core is not directly vulnerable
> to this issue, but we’ve added hardening to prevent plugins and themes from
> accidentally causing a vulnerability.

Hi Craig,

I noticed that this is still affected on stable; do you have an update
on that? (Then again, perhaps it is not as serious as all that as it's
"only" hardening against already-vulnerable plugins.)

Cheers,
Dominic.



Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Thu, 04 Jan 2018 07:33:03 GMT) (full text, mbox, link).


Message sent on to Craig Small <csmall@debian.org>:
Bug#880528. (Thu, 04 Jan 2018 07:33:06 GMT) (full text, mbox, link).


Message #37 received at 880528-submitter@bugs.debian.org (full text, mbox, reply):

From: Craig Small <csmall@debian.org>
To: 880528-submitter@bugs.debian.org
Subject: Bug#880528 marked as pending
Date: Thu, 04 Jan 2018 07:28:20 +0000

tag 880528 pending
thanks

Hello,

Bug #880528 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/collab-maint/wordpress.git/commit/?id=88c9ef8

---
commit 88c9ef8afe03dafa9499cf1065d35a0106fe8d71
Author: Craig Small <csmall@debian.org>
Date:   Thu Jan 4 18:26:37 2018 +1100

    Restore numbered placeholders
    
    Apply changeset 42058 to restore numbered placeholders in
    wpdb::prepare()
    
    Fixes CVE-2017-16510

diff --git a/debian/changelog b/debian/changelog
index b18edcf..aec750c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -16,8 +16,10 @@ wordpress (4.7.5+dfsg-2+deb9u2) stretch-security; urgency=high
       Ensure the attributes of enclosures are correctly escaped in
       RSS and Atom feeds
       Changeset 42274
+  * Also backport patch for $wpdb->prepare CVE-2017-16510
+    Closes: 880528
 
- -- Craig Small <csmall@debian.org>  Sat, 09 Dec 2017 18:13:16 +1100
+ -- Craig Small <csmall@debian.org>  Thu, 04 Jan 2018 18:19:44 +1100
 
 wordpress (4.7.5+dfsg-2+deb9u1) stretch-security; urgency=medium
 
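Review bot: the new changelog bullet ("Also backport patch for $wpdb->prepare CVE-2017-16510") does not name the upstream changeset, although the entry directly above it records "Changeset 42274" and the commit message identifies this backport as changeset 42058. Adding a "Changeset 42058" line under the new bullet would keep the stanza consistent and let anyone auditing the stretch-security upload trace the fix to its upstream revision. The only file in this diff is debian/changelog, so the backported change to wpdb::prepare() itself cannot be checked from what is shown here.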



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 02 Feb 2018 07:28:31 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:00:46 2019; Machine Name: buxtehude
