wordpress: CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 CVE-2020-11030

Debian Bug report logs - #959391

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 1 May 2020 20:21:01 UTC

Severity: grave

Tags: security, upstream

Found in version wordpress/5.4+dfsg1-1

Fixed in version wordpress/5.4.1+dfsg1-1

Done: Craig Small <csmall@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Craig Small <csmall@debian.org>:
Bug#959391; Package src:wordpress. (Fri, 01 May 2020 20:21:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Craig Small <csmall@debian.org>. (Fri, 01 May 2020 20:21:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 CVE-2020-11030
Date: Fri, 01 May 2020 22:16:16 +0200
Source: wordpress
Version: 5.4+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for wordpress.

Fortunately, this time, in addition to [6], there are GHSA advisories
associated with each of these CVEs (an advantage of hosting a project on
GitHub, I would say :)). Now they list some ranges of affected
versions, and I'm interested in tracking which are actually not affecting
buster and stretch. Could you check if those are actually accurate? For
example, CVE-2020-11030 lists via the GHSA as affected versions 5.2 to
5.4, and patched in 5.4.1, 5.3.3 and 5.2.6. Is this correct, which
would mean buster and stretch are not affected?

CVE-2020-11025[0]:
| In affected versions of WordPress, a cross-site scripting (XSS)
| vulnerability in the navigation section of Customizer allows
| JavaScript code to be executed. Exploitation requires an authenticated
| user. This has been patched in version 5.4.1, along with all the
| previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5,
| 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27,
| 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


CVE-2020-11026[1]:
| In affected versions of WordPress, files with a specially crafted name
| when uploaded to the Media section can lead to script execution upon
| accessing the file. This requires an authenticated user with
| privileges to upload files. This has been patched in version 5.4.1,
| along with all the previously affected versions via a minor release
| (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21,
| 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


CVE-2020-11027[2]:
| In affected versions of WordPress, a password reset link emailed to a
| user does not expire upon changing the user password. Access would be
| needed to the email account of the user by a malicious party for
| successful execution. This has been patched in version 5.4.1, along
| with all the previously affected versions via a minor release (5.3.3,
| 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22,
| 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


CVE-2020-11028[3]:
| In affected versions of WordPress, some private posts, which were
| previously public, can result in unauthenticated disclosure under a
| specific set of conditions. This has been patched in version 5.4.1,
| along with all the previously affected versions via a minor release
| (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21,
| 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


CVE-2020-11029[4]:
| In affected versions of WordPress, a vulnerability in the stats()
| method of class-wp-object-cache.php can be exploited to execute cross-
| site scripting (XSS) attacks. This has been patched in version 5.4.1,
| along with all the previously affected versions via a minor release
| (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21,
| 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


CVE-2020-11030[5]:
| In affected versions of WordPress, a special payload can be crafted
| that can lead to scripts getting executed within the search block of
| the block editor. This requires an authenticated user with the ability
| to add content. This has been patched in version 5.4.1, along with all
| the previously affected versions via a minor release (5.3.3, 5.2.6,
| 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23,
| 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11025
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
[1] https://security-tracker.debian.org/tracker/CVE-2020-11026
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026
[2] https://security-tracker.debian.org/tracker/CVE-2020-11027
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027
[3] https://security-tracker.debian.org/tracker/CVE-2020-11028
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028
[4] https://security-tracker.debian.org/tracker/CVE-2020-11029
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029
[5] https://security-tracker.debian.org/tracker/CVE-2020-11030
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11030
[6] https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates

Regards,
Salvatore
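CVE-2020-11027 above is a reset-link lifecycle bug: the emailed link outlives the password it was issued for. The following is an added example, not WordPress's code and not part of this bug report: a constructed token store showing the check that leaves an old link valid after a password change beside one that binds the token to the password hash in force at issue time (the User class, the toy SHA-256 "password hash" and all names are assumptions).

```python
import hashlib
import hmac
import secrets


class User:
    """Constructed account record, not WordPress's user model."""

    def __init__(self, name, password):
        self.name = name
        self.reset = None  # (nonce, expiry, mac) set by issue_reset_token
        self.set_password(password)

    def set_password(self, password):
        # Toy stand-in for a real password hash. Note it does not clear
        # self.reset: that is the situation the vulnerable check gets wrong.
        self.password_hash = hashlib.sha256(password.encode()).hexdigest()


def _mac(user, nonce, expiry):
    # Bind the token to the password hash in force when it was issued.
    msg = f"{nonce}:{expiry}".encode()
    return hmac.new(user.password_hash.encode(), msg, hashlib.sha256).hexdigest()


def issue_reset_token(user, now, ttl=3600):
    """Return the secret that would be embedded in the emailed reset link."""
    nonce = secrets.token_hex(16)
    expiry = int(now) + ttl
    user.reset = (nonce, expiry, _mac(user, nonce, expiry))
    return f"{nonce}:{expiry}"


def _matches_stored(user, token, now):
    """Nonce and expiry must match the stored record and still be in date."""
    if user.reset is None or token.count(":") != 1:
        return False
    nonce, expiry, _ = user.reset
    got_nonce, got_expiry = token.split(":")
    return hmac.compare_digest(got_nonce, nonce) and got_expiry == str(expiry) and now < expiry


def check_reset_token_vulnerable(user, token, now):
    """Bug pattern: nothing ties the link to the password, so a link emailed
    before a password change stays usable until its TTL runs out."""
    return _matches_stored(user, token, now)


def check_reset_token_hardened(user, token, now):
    """Fix pattern: recompute the MAC under the *current* password hash, so a
    password change invalidates every previously issued link."""
    if not _matches_stored(user, token, now):
        return False
    nonce, expiry, mac = user.reset
    return hmac.compare_digest(_mac(user, nonce, expiry), mac)


def demo(now=1_588_400_000):
    """Constructed scenario: link issued, then the user changes the password.
    Returns (vulnerable_still_accepts, hardened_still_accepts)."""
    user = User("alice", "old-password")
    link = issue_reset_token(user, now)
    user.set_password("new-password")
    return (check_reset_token_vulnerable(user, link, now + 60),
            check_reset_token_hardened(user, link, now + 60))
```

Clearing the stored record on every password change is the simpler fix; binding the MAC to the hash additionally protects against code paths that forget to do so.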



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#959391; Package src:wordpress. (Fri, 01 May 2020 23:51:02 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Fri, 01 May 2020 23:51:02 GMT)


Message #10 received at 959391@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 959391@bugs.debian.org
Subject: Re: Bug#959391: wordpress: CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 CVE-2020-11030
Date: Sat, 2 May 2020 09:36:43 +1000
Hi Salvatore,
  Thanks for the bug report. I'll look into it today and yes, it's good we
finally have CVE IDs to work with.


On Sat, 2 May 2020 at 06:21, Salvatore Bonaccorso <carnil@debian.org> wrote:

> example CVE-2020-11030 lists via the GHSA as affected versions 5.2 to
> 5.4, and patched in 5.4.1, 5.3.3 and 5.2.6. Is this correct so which
> would mean buster and stretch are not affected?
>
[...]

> CVE-2020-11030:
> | to add content. This has been patched in version 5.4.1, along with all
> | the previously affected versions via a minor release (5.3.3, 5.2.6,
> | 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23,
> | 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
The GitHub entry is definitely confusing. "This affects 5.2-5.4" and
"fixed in 5.0.9 and 4.7.17" (why fix something not affected?)


So WordPress pulls changes into the old branches with a single commit[1]
which then references 6 SVN commits.  My gut feel is that with 6 CVEs and 6
referenced commits there is a good chance 5.0.x is impacted by all 6, but
sometimes they have multiple commits for one bug, or one commit fixes
multiple bugs. The trick comes down to how understandable the SVN commits
are.  It's a bit of a jigsaw puzzle. So for CVE-2020-11030, the 5.0.x fix is
probably [2] because it mentions the block editor and changes the search
file. It's not an exact science.

The actual code fix is easy, I just pull in [1] into the Debian repository
for buster. It's the referencing and checking the version is impacted that
takes the time.

 - Craig


1: https://github.com/WordPress/wordpress-develop/commit/e65e7a3bd96df6675a9a3caa54f5945885379f09
2: https://core.trac.wordpress.org/changeset/47636

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#959391; Package src:wordpress. (Sat, 02 May 2020 00:33:03 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Sat, 02 May 2020 00:33:03 GMT)


Message #15 received at 959391@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 959391@bugs.debian.org
Subject: Re: Bug#959391: wordpress: CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 CVE-2020-11030
Date: Sat, 2 May 2020 10:31:24 +1000
This is the analysis of the latest WordPress security bugs.
Is it awesome upstream already has CVE IDs and (almost) clear patches of
the fixes? Yes, it is!

Sid: 5.4
All vulnerabilities, use upstream 5.4.1

Bullseye: 5.3.2
https://github.com/WordPress/wordpress-develop/commit/42cbfc76f87add1853996730c587ea66aa8fdc28
SVN references: 47633 47634 47635 47636 47637 47638
https://core.trac.wordpress.org/changeset/47633 Customizer - CVE-2020-11025
https://core.trac.wordpress.org/changeset/47634 password update - CVE-2020-11027
https://core.trac.wordpress.org/changeset/47635 single post on query - CVE-2020-11028
https://core.trac.wordpress.org/changeset/47636 block editor escape - CVE-2020-11030
https://core.trac.wordpress.org/changeset/47637 escaping around stats - CVE-2020-11029
https://core.trac.wordpress.org/changeset/47638 sanitize file name - CVE-2020-11026
All vulnerable, use aggregated GH commit

Buster: 5.0.4
https://github.com/WordPress/wordpress-develop/commit/e65e7a3bd96df6675a9a3caa54f5945885379f09
SVN references: 47633 47634 47635 47636 47637 47638
All vulnerable, use aggregated GH commit

Stretch: 4.7.5
https://github.com/WordPress/wordpress-develop/commit/f9be892b76512c0bf3826c07839dd7c406f13e06
SVN references: 47633 47634 47635 47637 47638
Does NOT reference 47636
4.7.5 code does not use blocks, equivalent code in get_search_form() uses
if statement so changing class variable gives default (follows else path)
https://github.com/WordPress/wordpress-develop/blob/c7f320da2b05b261fc94b63dccc2fc0787641cf9/src/wp-includes/general-template.php#L221
Not vulnerable to CVE-2020-11030, use aggregated GH commit for the rest

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#959391. (Sat, 02 May 2020 04:24:04 GMT)


Message #18 received at 959391-submitter@bugs.debian.org:

From: Craig Small <noreply@salsa.debian.org>
To: 959391-submitter@bugs.debian.org
Subject: Bug#959391 marked as pending in SOURCENAME
Date: Sat, 02 May 2020 04:21:50 +0000
Control: tag -1 pending

Hello,

Bug #959391 in SOURCENAME reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/wordpress/-/commit/cd5c36bf6a87b3a9245121fb08e3a661c1d1c48e

------------------------------------------------------------------------
Security release, fixes 6 security bugs Closes: #959391

* Security release, fixes 6 security bugs Closes: #959391
  - CVE-2020-11025
    XSS vulnerability in the navigation section of Customizer allows
    JavaScript code to be executed.
  - CVE-2020-11026
    uploaded files to Media section to lead to script execution
  - CVE-2020-11027
    Password reset link does not expire
  - CVE-2020-11028
    Private posts can be found through searching by date
  - CVE-2020-11029
    XSS in stats() method in class-wp-object-cache
  - CVE-2020-11030
    Special payload can execute scripts in block editor
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/959391



Added tag(s) pending. Request was from Craig Small <noreply@salsa.debian.org> to 959391-submitter@bugs.debian.org. (Sat, 02 May 2020 04:24:04 GMT)



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Sat, 02 May 2020 04:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 02 May 2020 04:51:03 GMT)


Message #28 received at 959391-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 959391-close@bugs.debian.org
Subject: Bug#959391: fixed in wordpress 5.4.1+dfsg1-1
Date: Sat, 02 May 2020 04:48:44 +0000
Source: wordpress
Source-Version: 5.4.1+dfsg1-1
Done: Craig Small <csmall@debian.org>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 959391@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 02 May 2020 14:21:58 +1000
Source: wordpress
Architecture: source
Version: 5.4.1+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Closes: 959391
Changes:
 wordpress (5.4.1+dfsg1-1) unstable; urgency=medium
 .
   * Security release, fixes 6 security bugs Closes: #959391
     - CVE-2020-11025
       XSS vulnerability in the navigation section of Customizer allows
       JavaScript code to be executed.
     - CVE-2020-11026
       uploaded files to Media section to lead to script execution
     - CVE-2020-11027
       Password reset link does not expire
     - CVE-2020-11028
       Private posts can be found through searching by date
     - CVE-2020-11029
       XSS in stats() method in class-wp-object-cache
     - CVE-2020-11030
       Special payload can execute scripts in block editor
   * Add multi-arch tags
   * Update to standards 4.5.0





Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>:
Bug#959391; Package src:wordpress. (Sat, 02 May 2020 09:18:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sat, 02 May 2020 09:18:02 GMT)


Message #33 received at 959391@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Craig Small <csmall@debian.org>, 959391@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#959391: wordpress: CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 CVE-2020-11030
Date: Sat, 2 May 2020 11:14:50 +0200
Hi Craig,

On Sat, May 02, 2020 at 10:31:24AM +1000, Craig Small wrote:
> This is the analysis of the latest WordPress security bugs.
> Is it awesome upstream already has CVE IDs and (almost) clear patches of
> the fixes? Yes, it is!
> 
> Sid: 5.4
> All vulnerabilities, use upstream 5.4.1
> 
> Bullseye: 5.3.2
> https://github.com/WordPress/wordpress-develop/commit/42cbfc76f87add1853996730c587ea66aa8fdc28
> SVN references: 47633 47634 47635 47636 47637 47638
> https://core.trac.wordpress.org/changeset/47633  Customizer - CVE-2020-11025
> https://core.trac.wordpress.org/changeset/47634 password update -
> CVE-2020-11027
> https://core.trac.wordpress.org/changeset/47635 single post on query -
> CVE-2020-11028
> https://core.trac.wordpress.org/changeset/47636 block editor escape -
> CVE-2020-11030
> https://core.trac.wordpress.org/changeset/47637 escaping around stats -
> CVE-2020-11029
> https://core.trac.wordpress.org/changeset/47638 sanitize file name -
> CVE-2020-11026
> All vulnerable, use aggregated GH commit

Thanks for this btw, and I have synced the security-tracker
information with it now (plus trying to add the respective isolated
commits from the GitHub repository as well).

For a respective update in the other branches it obviously makes sense,
as you say, to use the aggregated commit from GH.

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat May 2 10:19:28 2020; Machine Name: beach
