Hi, WordPress has had some security updates in 3.9.2. I have backported these changesets to wheezy and now to squeeze. Attached is the debdiff for review.
- Craig -- Craig Small (@smallsees) http://enc.com.au/ csmall at : enc.com.au Debian GNU/Linux http://www.debian.org/ csmall at : debian.org GPG fingerprint: 5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5
diff -Nru wordpress-3.6.1+dfsg/debian/changelog wordpress-3.6.1+dfsg/debian/changelog
--- wordpress-3.6.1+dfsg/debian/changelog 2014-04-21 09:47:13.000000000 +1000
+++ wordpress-3.6.1+dfsg/debian/changelog 2014-08-08 20:33:48.000000000 +1000
@@ -1,3 +1,15 @@
+wordpress (3.6.1+dfsg-1~deb6u5) squeeze-lts; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Import Wordpress 3.9.2 changesets Closes: #757312
+ * Changeset 29405 - Ignore entites in XML-RPC
+ * Changeset 29390 - Disable entities in ID3
+ * Changeset 29384 - Constant time for wp_verify_nonce
+ * Changeset 29408 - delimiters on nonce
+ * Changeset 29398 - Escape late in get_avatar
+
+ -- Craig Small <csm...@debian.org> Fri, 08 Aug 2014 18:22:51 +1000
+
 wordpress (3.6.1+dfsg-1~deb6u4) squeeze-security; urgency=medium
 
 * Non-maintainer upload by the Security Team.
diff -Nru wordpress-3.6.1+dfsg/debian/patches/cs29384_time_nonce wordpress-3.6.1+dfsg/debian/patches/cs29384_time_nonce
--- wordpress-3.6.1+dfsg/debian/patches/cs29384_time_nonce 1970-01-01 10:00:00.000000000 +1000
+++ wordpress-3.6.1+dfsg/debian/patches/cs29384_time_nonce 2014-08-08 18:28:12.000000000 +1000
@@ -0,0 +1,105 @@
+Description: Constant time for wp_verify_nonce()
+Author: nacin
+Origin: vendor, https://core.trac.wordpress.org/changeset/29384
+--- a/wp-includes/compat.php
++++ b/wp-includes/compat.php
+@@ -94,3 +94,32 @@
+ return is_array($data) ? array_map(__FUNCTION__, $data) : $data;
+ }
+ }
++
++if ( ! function_exists( 'hash_equals' ) ) :
++/**
++ * Compare two strings in constant time.
++ *
++ * This function was added in PHP 5.6.
++ * It can leak the length of a string.
++ *
++ * @since 3.9.2
++ *
++ * @param string $a Expected string.
++ * @param string $b Actual string.
++ * @return bool Whether strings are equal.
++ */
++function hash_equals( $a, $b ) {
++ $a_length = strlen( $a );
++ if ( $a_length !== strlen( $b ) ) {
++ return false;
++ }
++ $result = 0;
++
++ // Do not attempt to "optimize" this.
++ for ( $i = 0; $i < $a_length; $i++ ) {
++ $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
++ }
++
++ return $result === 0;
++}
++endif;
+--- a/wp-includes/pluggable.php
++++ b/wp-includes/pluggable.php
+@@ -546,7 +546,7 @@
+ $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
+ $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
+
+- if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
++ if ( ! hash_equals( $hash, $hmac ) ) {
+ do_action('auth_cookie_bad_hash', $cookie_elements);
+ return false;
+ }
+@@ -1261,11 +1261,17 @@
+ $i = wp_nonce_tick();
+
+ // Nonce generated 0-12 hours ago
+- if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )
++ $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
++ if ( hash_equals( $expected, $nonce ) ) {
+ return 1;
++ }
++
+ // Nonce generated 12-24 hours ago
+- if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) === $nonce )
++ $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
++ if ( hash_equals( $expected, $nonce ) ) {
+ return 2;
++ }
++
+ // Invalid nonce
+ return false;
+ }
+@@ -1747,3 +1753,35 @@
+ }
+ endif;
+
++if ( ! function_exists( 'hash_equals' ) ) :
++/**
++ * Compare two strings in constant time.
++ *
++ * This function is NOT pluggable. It is in this file (in addition to
++ * compat.php) to prevent errors if, during an update, pluggable.php
++ * copies over but compat.php does not.
++ *
++ * This function was added in PHP 5.6.
++ * It can leak the length of a string.
++ *
++ * @since 3.9.2
++ *
++ * @param string $a Expected string.
++ * @param string $b Actual string.
++ * @return bool Whether strings are equal.
++ */
++function hash_equals( $a, $b ) {
++ $a_length = strlen( $a );
++ if ( $a_length !== strlen( $b ) ) {
++ return false;
++ }
++ $result = 0;
++
++ // Do not attempt to "optimize" this.
++ for ( $i = 0; $i < $a_length; $i++ ) {
++ $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
++ }
++
++ return $result === 0;
++}
++endif;
diff -Nru wordpress-3.6.1+dfsg/debian/patches/cs29390_disable_id3_entities wordpress-3.6.1+dfsg/debian/patches/cs29390_disable_id3_entities
--- wordpress-3.6.1+dfsg/debian/patches/cs29390_disable_id3_entities 1970-01-01 10:00:00.000000000 +1000
+++ wordpress-3.6.1+dfsg/debian/patches/cs29390_disable_id3_entities 2014-08-08 18:28:12.000000000 +1000
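Review bot: The new wp_verify_nonce() lines hash `$i . '|' . $action . '|' . $uid . '|' . $token`, but nothing in this hunk defines `$token` and the 3.6.1 code being replaced hashes only `$i . $action . $uid`; as far as visible, `$token` is removed again only by the later cs29408 patch, so this patch is correct only with cs29408 applied after it, and the two should be kept adjacent and in that order in the series. Separately, none of the five new files under debian/patches is accompanied by a `debian/patches/series` hunk anywhere in this debdiff; unless that change was dropped from the mail, the patches would not be applied at build time. The auth-cookie change at +546 and both nonce comparisons pass the request-supplied value (`$hmac`, `$nonce`) as the second argument of hash_equals(), which matches the polyfill's documented `$a` expected / `$b` actual contract. The enclosing wp_validate_auth_cookie() and wp_verify_nonce() bodies start outside the hunk.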
@@ -0,0 +1,23 @@
+Description: Disable external entities in ID3.
+Author: nacin
+Origin: vendor, https://core.trac.wordpress.org/changeset/29390
+--- a/wp-includes/ID3/getid3.lib.php
++++ b/wp-includes/ID3/getid3.lib.php
+@@ -519,11 +519,12 @@
+ }
+
+ public static function XML2array($XMLstring) {
+- if (function_exists('simplexml_load_string')) {
+- if (function_exists('get_object_vars')) {
+- $XMLobject = simplexml_load_string($XMLstring);
+- return self::SimpleXMLelement2array($XMLobject);
+- }
++ if ( function_exists( 'simplexml_load_string' ) && function_exists( 'libxml_disable_entity_loader' ) ) {
++ $loader = libxml_disable_entity_loader( true );
++ $XMLobject = simplexml_load_string( $XMLstring, 'SimpleXMLElement', LIBXML_NOENT );
++ $return = self::SimpleXMLelement2array( $XMLobject );
++ libxml_disable_entity_loader( $loader );
++ return $return;
+ }
+ return false;
+ }
diff -Nru wordpress-3.6.1+dfsg/debian/patches/cs29398_escape_get_avatar wordpress-3.6.1+dfsg/debian/patches/cs29398_escape_get_avatar
--- wordpress-3.6.1+dfsg/debian/patches/cs29398_escape_get_avatar 1970-01-01 10:00:00.000000000 +1000
+++ wordpress-3.6.1+dfsg/debian/patches/cs29398_escape_get_avatar 2014-08-08 18:28:12.000000000 +1000
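Review bot: The `LIBXML_NOENT` flag passed to simplexml_load_string() on the new line enables entity substitution rather than disabling it, so the protection in this hunk comes solely from the surrounding `libxml_disable_entity_loader( true )`, which prevents external entities from being fetched; entities declared inside the document can still be expanded, subject to libxml's own expansion limits. A comment on that line would stop a reader from taking the flag name as the safeguard, e.g. `// LIBXML_NOENT substitutes entities; the loader is disabled above so external ones cannot be fetched.` Two behaviour changes also deserve a sentence in the Description header: the previous loader state is not restored if SimpleXMLelement2array() throws, and a PHP build without libxml_disable_entity_loader() now gets `false` instead of a parse, which is the safe direction for a security backport.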
@@ -0,0 +1,15 @@
+Descripton: Escape late in get_avatar()
+Author: nacin
+Origin: vendor, https://core.trac.wordpress.org/changeset/29398
+--- a/wp-includes/pluggable.php
++++ b/wp-includes/pluggable.php
+@@ -1672,7 +1672,8 @@
+
+ $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";
+ } else {
+- $avatar = "<img alt='{$safe_alt}' src='{$default}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
++ $out = esc_url( $default );
++ $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
+ }
+
+ return apply_filters('get_avatar', $avatar, $id_or_email, $size, $default, $alt);
diff -Nru wordpress-3.6.1+dfsg/debian/patches/cs29405_ignore_xml wordpress-3.6.1+dfsg/debian/patches/cs29405_ignore_xml
--- wordpress-3.6.1+dfsg/debian/patches/cs29405_ignore_xml 1970-01-01 10:00:00.000000000 +1000
+++ wordpress-3.6.1+dfsg/debian/patches/cs29405_ignore_xml 2014-08-08 18:28:12.000000000 +1000
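Review bot: The DEP-3 header of this new patch file reads `Descripton:` instead of `Description:`, so patch-tracking tooling will not pick the description up; the line should be `Description: Escape late in get_avatar()`. The code change itself mirrors the first branch, which already interpolates `$out` into `src=`; the else branch now runs `$default` through esc_url() before it reaches the attribute, and `$default` is still passed unescaped to the `get_avatar` filter, which is the expected late-escaping shape. The enclosing get_avatar() body starts outside the hunk, so whether `$default` receives any earlier validation cannot be confirmed here.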
@@ -0,0 +1,46 @@
+Description: Ignore entities in XML-RPC requests
+Author: nacin
+Origin: vendor, https://core.trac.wordpress.org/changeset/29405/branches/3.9
+--- a/wp-includes/class-IXR.php
++++ b/wp-includes/class-IXR.php
+@@ -203,11 +203,37 @@
+ {
+ // first remove the XML declaration
+ // merged from WP #10698 - this method avoids the RAM usage of preg_replace on very large messages
+- $header = preg_replace( '/<\?xml.*?\?'.'>/', '', substr($this->message, 0, 100), 1);
+- $this->message = substr_replace($this->message, $header, 0, 100);
+- if (trim($this->message) == '') {
++ $header = preg_replace( '/<\?xml.*?\?'.'>/s', '', substr( $this->message, 0, 100 ), 1 );
++ $this->message = trim( substr_replace( $this->message, $header, 0, 100 ) );
++ if ( '' == $this->message ) {
+ return false;
+ }
++
++ // Then remove the DOCTYPE
++ $header = preg_replace( '/^<!DOCTYPE[^>]*+>/i', '', substr( $this->message, 0, 200 ), 1 );
++ $this->message = trim( substr_replace( $this->message, $header, 0, 200 ) );
++ if ( '' == $this->message ) {
++ return false;
++ }
++
++ // Check that the root tag is valid
++ $root_tag = substr( $this->message, 0, strcspn( substr( $this->message, 0, 20 ), "> \t\r\n" ) );
++ if ( '<!DOCTYPE' === strtoupper( $root_tag ) ) {
++ return false;
++ }
++ if ( ! in_array( $root_tag, array( '<methodCall', '<methodResponse', '<fault' ) ) ) {
++ return false;
++ }
++
++ // Bail if there are too many elements to parse
++ $element_limit = 30000;
++ if ( function_exists( 'apply_filters' ) ) {
++ $element_limit = apply_filters( 'xmlrpc_element_limit', $element_limit );
++ }
++ if ( $element_limit && 2 * $element_limit < substr_count( $this->message, '<' ) ) {
++ return false;
++ }
++
+ $this->_parser = xml_parser_create();
+ // Set XML parser to take the case of tags in to account
+ xml_parser_set_option($this->_parser, XML_OPTION_CASE_FOLDING, false);
diff -Nru wordpress-3.6.1+dfsg/debian/patches/cs29408_delim_nonce wordpress-3.6.1+dfsg/debian/patches/cs29408_delim_nonce
--- wordpress-3.6.1+dfsg/debian/patches/cs29408_delim_nonce 1970-01-01 10:00:00.000000000 +1000
+++ wordpress-3.6.1+dfsg/debian/patches/cs29408_delim_nonce 2014-08-08 18:28:12.000000000 +1000
@@ -0,0 +1,30 @@
+Description: Use delimiters when building nonce hashes
+Author: nacin
+Origin: vendor, https://core.trac.wordpress.org/changeset/29408
+--- a/wp-includes/pluggable.php
++++ b/wp-includes/pluggable.php
+@@ -1261,13 +1261,13 @@
+ $i = wp_nonce_tick();
+
+ // Nonce generated 0-12 hours ago
+- $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
++ $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid, 'nonce'), -12, 10 );
+ if ( hash_equals( $expected, $nonce ) ) {
+ return 1;
+ }
+
+ // Nonce generated 12-24 hours ago
+- $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
++ $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid, 'nonce' ), -12, 10 );
+ if ( hash_equals( $expected, $nonce ) ) {
+ return 2;
+ }
+@@ -1294,7 +1294,7 @@
+
+ $i = wp_nonce_tick();
+
+- return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
++ return substr(wp_hash($i . '|' . $action . '|' . $uid, 'nonce'), -12, 10);
+ }
+ endif;
+
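Review bot: The DOCTYPE regex `/^<!DOCTYPE[^>]*+>/i` stops at the first `>`, so a DOCTYPE with an internal subset (which contains `>` inside the brackets) is only partly stripped and leaves residue at the start of the message; what then rejects such a request is the root-tag whitelist `in_array( $root_tag, array( '<methodCall', '<methodResponse', '<fault' ) )`, not the `'<!DOCTYPE' === strtoupper( $root_tag )` check above it. That whitelist is the effective gate and deserves a comment saying so, e.g. `// Anything the DOCTYPE strip did not fully remove fails this whitelist; keep it strict.`, and the call should pass `true` as its third argument so a future non-string `$root_tag` cannot match loosely. The `substr_count( $this->message, '<' )` bound counts every `<`, including those inside CDATA and string values, which is fine for a parse-cost limit but worth stating in the comment above it. The enclosing method continues past the hunk.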
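Review bot: Both wp_create_nonce() at +1294 and the two wp_verify_nonce() comparisons at +1261 change the hashed input in this patch (from `$i . $action . $uid` to `$i . '|' . $action . '|' . $uid`), so, as far as the visible lines show, every nonce issued before the package upgrade stops verifying immediately rather than after the usual 12-24 hour tick, and a form submitted across the upgrade boundary gets one nonce failure. That is inherent to the fix, since without delimiters different `$action`/`$uid` pairs can produce the same concatenation, but it is worth a sentence in the changelog or a NEWS entry. This patch also removes the `$token` references that cs29384 introduced, so it only applies after cs29384 and the two must stay in that order in the series. The enclosing functions start outside the hunk.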