CVE-2012-6112: wordpress: Google spellchecker can make requests to remote servers

Debian Bug report logs - #701667
CVE-2012-6112: wordpress: Google spellchecker can make requests to remote servers

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: submit@bugs.debian.org

Subject: CVE-2012-6112: wordpress: Google spellchecker can make requests to remote servers

Date: Mon, 25 Feb 2013 23:12:04 +0200

Package: wordpress
Version: 3.3.2+dfsg-1~squeeze1
Severity: important
Tags: security

Hello,

http://www.tinymce.com/forum/viewtopic.php?id=30036 reports:

This version includes an important security upgrade where it's possible to use
the Google spellchecker logic to make requests to remote servers. We strongly
recommend people to upgrade if they are using the PHP spellchecker with the
Google spellchecker engine enabled.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6112
https://github.com/tinymce/tinymce_spellchecker_php/commit/22910187bfb9edae90c26e10100d8145b505b974
/usr/share/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/GoogleSpell.php

Haven't reproduced this issue, but I did check source code. Please ask if you
need help.

--
Henri Salo

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages wordpress depends on:
ii  apache2               2.2.16-6+squeeze10 Apache HTTP Server metapackage
ii  apache2-mpm-prefork [ 2.2.16-6+squeeze10 Apache HTTP Server - traditional n
ii  libapache2-mod-php5   5.3.3-7+squeeze14  server-side, HTML-embedded scripti
ii  libjs-cropper         1.2.1-2            JavaScript image cropper UI
ii  libjs-prototype       1.6.1-1            JavaScript Framework for dynamic w
ii  libjs-scriptaculous   1.8.3-1            JavaScript library for dynamic web
ii  libphp-phpmailer      5.1-1              full featured email transfer class
ii  libphp-snoopy         1.2.4-2            Snoopy is a PHP class that simulat
ii  mysql-client-5.1 [mys 5.1.66-0+squeeze1  MySQL database client binaries
ii  php5                  5.3.3-7+squeeze14  server-side, HTML-embedded scripti
ii  php5-gd               5.3.3-7+squeeze14  GD module for php5
ii  php5-mysql            5.3.3-7+squeeze14  MySQL module for php5

Versions of packages wordpress recommends:
ii  wordpress-l10n     3.3.2+dfsg-1~squeeze1 weblog manager - language files

Versions of packages wordpress suggests:
pn  mysql-server                  <none>     (no description available)

-- no debconf information

Message #10 received at 701667-done@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>

To: Henri Salo <henri@nerv.fi>, 701667-done@bugs.debian.org

Subject: Re: Bug#701667: CVE-2012-6112: wordpress: Google spellchecker can make requests to remote servers

Date: Tue, 26 Feb 2013 08:16:42 +0100

Version: 3.5.1+dfsg-1

On Mon, 25 Feb 2013, Henri Salo wrote:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6112
> https://github.com/tinymce/tinymce_spellchecker_php/commit/22910187bfb9edae90c26e10100d8145b505b974
> /usr/share/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/GoogleSpell.php
> 
> Haven't reproduced this issue, but I did check source code. Please ask if you
> need help.

The sid version (3.5.1+dfsg-2) has the fix already. For the stable
version, there are other more important security issues that are still
not solved.

It would be nice to get 3.5.1+dfsg-2 migrated to wheezy though.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/

Send a report that this bug log contains spam.