Hi Craig,

Thanks for looking into it. Some comments, and adding the security
team alias.

On Fri, Sep 09, 2016 at 09:13:46PM +0000, Craig Small wrote:
> On Fri, Sep 9, 2016 at 3:39 AM Salvatore Bonaccorso <car...@debian.org>
> wrote:
> 
> > the following vulnerabilities were published for wordpress.
> >
> > CVE-2016-6896[0] and CVE-2016-6897[1]. It was reported that they at
> > least affect 4.5.3; no earlier versions were so far checked, since no
> > full details of the fixes were given. There is more information in [2].
> >
> 
> It's a little more complicated than that, with three vulnerabilities and the
> identification a bit mixed up. So here goes.
> 
> CSRF check done too late.
> This is CVE-2016-6897; oss-sec correctly broke the two issues out due to
> different versions being impacted. It was (silently?) fixed for wordpress
> 4.6, but that didn't get updated (I missed the 4.6 announcement), so sid was
> still vulnerable until I uploaded 4.6.1.
> Reported in wordpress 37490 and fixed in changeset 38168.

Thanks for looking. Note that CVE-2016-6896 and CVE-2016-6897 are
related to
https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
The CVEs were assigned in
https://marc.info/?l=oss-security&m=147184869305873&w=2

Thus https://core.trac.wordpress.org/changeset/38168 should be
addressing both CVE-2016-6896 and CVE-2016-6897, is this correct?

> Directory traversal
> This is CVE-2016-6896. Wordpress 4.6.1 reports this as "a cross-site
> scripting vulnerability via image filename, reported by SumOfPwn researcher
> Cengiz Han Sahin". Fixed in changeset 38538.

Actually I think this is CVE-2016-7168. Cf.
https://marc.info/?l=oss-security&m=147337303615272&w=2 where the CVE
was assigned and is different from CVE-2016-6896. So the 'cross-site
scripting vulnerability via image filename', which is CVE-2016-7168,
should be addressed by https://core.trac.wordpress.org/changeset/38538

> Upgrade Package Uploader
> This has no CVE. Wordpress 4.6.1 reports this as "path traversal
> vulnerability in the upgrade package uploader, reported by Dominik
> Schilling". Fixed in changeset 38524.

This is CVE-2016-7169.
(https://core.trac.wordpress.org/changeset/38524).

Can you confirm the above?

Regards,
Salvatore
