On Sat, Sep 10, 2016 at 6:25 PM Salvatore Bonaccorso <car...@debian.org> wrote:
> Hi Craig,
>
> Thanks for looking into it. Some comments, and adding the security
> team alias.
>
> On Fri, Sep 09, 2016 at 09:13:46PM +0000, Craig Small wrote:
> > On Fri, Sep 9, 2016 at 3:39 AM Salvatore Bonaccorso <car...@debian.org>
> > wrote:
> > > CSRFcheck done too late.
> > This is CVE-2016-6897, oss-sec correctly broke the two issues out due to
> > different versions being impacted. It was (silently?) fixed for wordpress
> > 4.6 but that didn't get updated (I missed the 4.6 announcement) so sid was
> > still vulnerable until I uploaded 4.6.1
> > Reported in wordpress 37490 and fixed in changeset 38168.
>
> Thanks for looking. Note that CVE-2016-6896 and CVE-2016-6897 are
> related to
> https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
> . The CVEs were assigned in
> https://marc.info/?l=oss-security&m=147184869305873&w=2 .
>
> Thus https://core.trac.wordpress.org/changeset/38168 should be
> addressing both CVE-2016-6896 and CVE-2016-6897, is this correct?

No, between 4.2 and 4.6 the sequence was:
* check the file (get_plugin_data)
* check the permissions (current_user_can)
* check the nonce for CSRF (check_ajax_referer)

Then changeset 37714 did a lot of things, including putting the
check_ajax_referer check before everything else. This, I believe, fixed
CVE-2016-6897 if I'm understanding the reasons for the various functions
and that the point of check_ajax_referer() is to stop CSRF.

So 4.6 (not 4.6.1) had:
* check the nonce for CSRF (check_ajax_referer)
* check the file (get_plugin_data)
* check the permissions (current_user_can)

This is why under "Fix" on the sumofpwn website it says 4.6 fixed that
bit. At 4.6 we're safe from CVE-2016-6897 but not CVE-2016-6896.

So we need:
changeset 37714, or a subset of it, for CVE-2016-6897
changeset 38168 for CVE-2016-6896, see how the current_user_can() gets
moved forward and get_plugin_data() moved backward?

> Directory traversal
> > This is CVE-2016-6896. Wordpress 4.6.1 reports this as " a cross-site
> > scripting vulnerability via image filename, reported by SumOfPwn
> > researcher Cengiz Han Sahin". Fixed in changeset 38538.
>
> Actually I think this is CVE-2016-7168. Cf.
> https://marc.info/?l=oss-security&m=147337303615272&w=2 where the CVE
> was assigned and is different from CVE-2016-6896. So the 'cross-site
> scripting vulnerability via image filename', which is CVE-2016-7168
> should be addressed by https://core.trac.wordpress.org/changeset/38538
> .

Ah yes you're correct. They didn't mention this one in their release
notes, odd. Or perhaps I mixed this one up with the previous two as it
was the same reporter. I concur 38538 relates to CVE-2016-7168.

> > Upgrade Package Uploader
> > This has no CVE. Wordpress 4.6.1 reports this as "path traversal
> > vulnerability in the upgrade package uploader, reported by Dominik
> > Schilling". Fixed in changeset 38524.
>
> This is CVE-2016-7169.
> (https://core.trac.wordpress.org/changeset/38524).

I concur that changeset 38524 is for CVE-2016-7169

> Can you confirm the above?

In summary:
CVE-2016-6896 - CSRF in ajax: fixed in changeset 38168
CVE-2016-6897 - ajax handler path traversal: fixed in changeset 37114
CVE-2016-7168 - directory traversal on image filename: fixed in changeset 38538
CVE-2016-7169 - upgrade package uploader: fixed in changeset 38524

For Jessie, the first two it's not vulnerable as the functions were
introduced in WordPress 4.2.x

It means what is required is the two patches and changelog need to
just have their CVE IDs fixed.

Does that sound right to you?

 - Craig
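The ordering argument in the thread (nonce check, then capability check, then the file lookup) is easy to lose in prose, so here is a small model of it. This is an added example, not WordPress code and not anything from the thread: the functions borrow the names check_ajax_referer, current_user_can and get_plugin_data from the discussion, but their bodies are stand-ins, the plugin directory is a constructed path, and the containment check at the end of the fixed handler is an extra defensive check I added that the changesets themselves are not described as making. The point it shows is which requests cause the handler to touch the filesystem at all under each ordering.

```python
import os
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed plugin root; stands in for the real wp-content/plugins directory.
PLUGIN_DIR = "/srv/wp/wp-content/plugins"

# Constructed nonce value; stands in for whatever wp_create_nonce() would issue.
VALID_NONCE = "nonce-for-this-session"


@dataclass
class Request:
    user_caps: Set[str]                 # capabilities of the requesting user
    nonce: Optional[str]                # nonce sent with the request, if any
    plugin: str                         # user-controlled plugin parameter
    fs_reads: List[str] = field(default_factory=list)  # every path the handler would read


def check_ajax_referer(req: Request) -> bool:
    """Stand-in for the CSRF nonce check."""
    return req.nonce == VALID_NONCE


def current_user_can(req: Request, cap: str) -> bool:
    """Stand-in for the capability check."""
    return cap in req.user_caps


def resolve_plugin_path(plugin: str) -> str:
    return os.path.normpath(os.path.join(PLUGIN_DIR, plugin))


def is_inside_plugin_dir(path: str) -> bool:
    """Added containment check: the resolved path must stay under PLUGIN_DIR."""
    return path == PLUGIN_DIR or path.startswith(PLUGIN_DIR + os.sep)


def get_plugin_data(req: Request) -> str:
    """Stand-in for reading the plugin header; only records the path it would read."""
    path = resolve_plugin_path(req.plugin)
    req.fs_reads.append(path)
    return path


def handler_old_order(req: Request) -> str:
    """Order described for 4.2 to 4.5: file, then capability, then nonce."""
    get_plugin_data(req)                       # filesystem touched before any check
    if not current_user_can(req, "activate_plugins"):
        return "denied"
    if not check_ajax_referer(req):
        return "denied"
    return "ok"


def handler_fixed_order(req: Request) -> str:
    """Order after the reordering: nonce, then capability, then file."""
    if not check_ajax_referer(req):            # forged cross-site requests stop here
        return "denied"
    if not current_user_can(req, "activate_plugins"):
        return "denied"                        # low-privilege users stop here
    if not is_inside_plugin_dir(resolve_plugin_path(req.plugin)):
        return "denied"                        # added: refuse paths that leave PLUGIN_DIR
    get_plugin_data(req)
    return "ok"


def paths_touched(handler, caps, nonce, plugin) -> Tuple[str, List[str]]:
    """Run one handler on a constructed request; return its verdict and the paths it read."""
    req = Request(set(caps), nonce, plugin)
    return handler(req), req.fs_reads


if __name__ == "__main__":
    forged = ([], None, "../../outside.txt")   # constructed: no nonce, no capability
    print("old order:  ", paths_touched(handler_old_order, *forged))
    print("fixed order:", paths_touched(handler_fixed_order, *forged))
```

Running it shows the difference the thread is describing: under the old order a request with neither nonce nor capability is still refused, but only after the handler has already resolved and recorded a read of a path derived from the untrusted parameter; under the fixed order the same request is refused before the parameter is looked at, and even an authorised, nonce-bearing request cannot make the handler read outside the plugin directory.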