Bug 193478
| Field | Value |
|---|---|
| Summary | Review Request: wordpress - database driven blogging software |
| Product | Fedora |
| Component | Package Review |
| Status | CLOSED NEXTRELEASE |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Reporter | John Berninger <john> |
| Assignee | Jarod Wilson <jarod> |
| QA Contact | Fedora Package Reviews List <fedora-package-review> |
| CC | peter |
| Doc Type | Bug Fix |
| Last Closed | 2006-06-21 02:18:12 UTC |
| Bug Blocks | 163779 |
Description (John Berninger, 2006-05-29 13:53:05 UTC)

Direct static code injection vulnerability in WordPress 2.0.2 and earlier: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2667

Well, there doesn't appear to be a patch available, so this review will have to wait until there is one. I'm watching the svn and testers lists upstream.

I'll have to correct myself - it appears this was patched on 5-26 in SVN. I've added that patch, rebuilt, and tested the given exploit, and the exploit now fails.

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.2-1.src.rpm

Happened to notice another one today, IP spoofing issue: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2702

(Note: just parroting my findings here, I have no experience with wordpress nor am I planning to review it, and I've only _very_ quickly peeked into the SRPM, so sorry in advance if this turns out to be noise.)

I'll go ahead and take on this review, since I'm familiar with the software. My findings thus far:

1) There's a new version (2.0.3) out now (obsoletes the patch), need to update
2) Web apps should be installed in /usr/share/<name>, not /var/www, per fedora extras guidelines
3) rpmlint complains about a bunch of empty files, they should be removed
4) config files should be broken out into /etc/ somewhere
5) %doc lines aren't quite correct, you should be removing them from the installed packages and then sucking them in w/the %doc line, referring to them by their relative path within the source
6) the Source0: url doesn't appear to actually work, upstream only posts a 'latest.tar.gz' (rather annoying of them...)

I'm rather partial to proposing fixes for issues I come up with in review in the form of an updated spec file, so you can see exactly what I'm suggesting: http://wilsonet.com/packages/wordpress/

Packages updated to 2.0.3, other suggestions integrated.

New packages:
Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.3-1.src.rpm

One thing I forgot to mention: the way you specify all the files is a matter of preference, but if you're going to list them all out rather than simply having a single line '%{_datadir}/wordpress/', you must also have a line '%dir %{_datadir}/wordpress/' so that the created directories are also owned by the package.

Also note that the symlink %{_datadir}/wordpress/wp-config.php shouldn't be marked as a config file, and symlinks generally should be relative, rather than absolute (otherwise they're hanging within the buildroot).

Ah, the wordpress-httpd-conf file needs /var/www/wordpress replaced with /usr/share/wordpress.

Personally, I'd also just do away with the '%define installdir %{_datadir}' and simply replace all cases of %{installdir} with %{_datadir}, because it just adds unnecessary and non-standard cruft.

Additional review details:

* package meets naming and packaging guidelines: okay
* specfile is properly named, is cleanly written and uses macros consistently: my only beef on that is the now unnecessary use of %{installdir}
* dist tag is present: okay
* build root is correct. %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n): okay
* license field matches the actual license: GPL, okay
* license is open source-compatible, license text included in package: okay
* source files match upstream: okay

```
$ md5sum latest.tar.gz wordpress-2.0.3.tar.gz
0ad0696351cba9ef9b4a3dd97b1f327b  latest.tar.gz
0ad0696351cba9ef9b4a3dd97b1f327b  wordpress-2.0.3.tar.gz
```

* latest version is being packaged: v2.0.3, okay
* BuildRequires are proper: okay
* package builds in mock: okay (fedora development, x86_64)
* rpmlint is silent: not quite yet, it complains about /usr/share/wordpress/wp-config.php being marked as a config file
* final provides and requires are sane: okay

```
wordpress-2.0.3-1.fc6.noarch.rpm
config(wordpress) = 2.0.3-1.fc6
wordpress = 2.0.3-1.fc6
=
config(wordpress) = 2.0.3-1.fc6
httpd
mysql-server
php >= 4.1
```

* no shared libraries are present: okay
* package is not relocatable: okay
* owns the directories it creates: not yet, need to add /usr/share/wordpress to %files
* doesn't own any directories it shouldn't: okay
* no duplicates in %files: okay
* file permissions are appropriate: okay
* %clean is present: okay
* %check is present and all tests pass: n/a
* no scriptlets present: okay
* code, not content: okay
* documentation is small, so no -docs subpackage is necessary: okay
* %docs are not necessary for the proper functioning of the package: okay
* no headers: okay
* no pkgconfig files: okay
* no libtool .la files: okay
* not a GUI app: okay
* not a web app: okay

Removed %{installdir} macro, symlink no longer marked config, corrected dir ownerships

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.3-2.src.rpm

And you also corrected the httpd conf file. :) Everything looks good to go now, package APPROVED.

imported and built for FC4, FC5, and devel.
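An added example, not from this bug report or the Fedora wordpress package: a POSIX sh check for the symlink issue raised in the review (an absolute link to wp-config.php that only resolves on the build host, not inside the buildroot) together with the relative link text the reviewer asks for instead. The function names and the buildroot layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report. An absolute symlink created with
# "ln -s /etc/... $RPM_BUILD_ROOT/..." points at the build host's /etc, so it is
# dangling (or wrong) while the package is assembled and checked under the
# buildroot. Function names are hypothetical; needs only POSIX sh, find, readlink.

# Print every absolute symlink under the buildroot; return 1 if any exist.
# (Word-splitting find's output is acceptable here: buildroot paths have no spaces.)
find_absolute_symlinks() {
    buildroot=$1
    status=0
    for link in $(find "$buildroot" -type l); do
        target=$(readlink "$link")      # raw link text, not the resolved path
        case $target in
            /*) echo "absolute symlink: ${link#"$buildroot"} -> $target"
                status=1 ;;
        esac
    done
    return $status
}

# Relative link text for a link installed at $1 that must point at $2, e.g.
# /usr/share/wordpress/wp-config.php -> /etc/wordpress/wp-config.php gives
# ../../../etc/wordpress/wp-config.php, which resolves both inside the
# buildroot and on the installed system.
relative_target() {
    linkdir=${1%/*}        # directory the link lives in: /usr/share/wordpress
    rest=${linkdir#/}      # usr/share/wordpress
    ups=""
    while [ -n "$rest" ]; do    # one ../ per directory component
        ups="../$ups"
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
    done
    printf '%s%s\n' "$ups" "${2#/}"
}

# Usage from a spec's %install section (RPM_BUILD_ROOT is set by rpmbuild):
#   ln -s "$(relative_target /usr/share/wordpress/wp-config.php /etc/wordpress/wp-config.php)" \
#         "$RPM_BUILD_ROOT/usr/share/wordpress/wp-config.php"
#   find_absolute_symlinks "$RPM_BUILD_ROOT"
```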