Debian Bug report logs -
#923583
wordpress: CVE-2019-8943
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Craig Small <csmall@debian.org>:
Bug#923583; Package src:wordpress.
(Sat, 02 Mar 2019 13:15:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Craig Small <csmall@debian.org>.
(Sat, 02 Mar 2019 13:15:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: wordpress
Version: 5.0.3+dfsg1-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for wordpress, filling for
tracking. This is the left open issue in 5.0.3 from [1].
CVE-2019-8943[0]:
| WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An
| attacker (who has privileges to crop an image) can write the output
| image to an arbitrary directory via a filename containing two image
| extensions and ../ sequences, such as a filename ending with the
| .jpg?/../../file.jpg substring.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-8943
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8943
[1] https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#923583; Package src:wordpress.
(Tue, 16 Apr 2019 11:48:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list.
(Tue, 16 Apr 2019 11:48:05 GMT) (full text, mbox, link).
Message #10 received at 923583@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
The RCE part was fixed in WordPress 5.0.1 but the path traversal is still a
problem.
So the problem is that for the WordPress core, the way to exploit the path
traversal was taken away (but not the path traversal itself). The author
still states that some plugins or themes may still use this method
incorrectly, leading to a path traversal.
The Ripstech blog post simplifies it, but I can see[1] that the
get_attached_file() in wp-includes/post.php still has the same code. It
just adds the upload directory on instead of sanitizing it.
1:
https://core.trac.wordpress.org/browser/trunk/src/wp-includes/post.php#L452
[Message part 2 (text/html, inline)]
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:13:41 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon
