Bug 229991 (CVE-2007-1049)

Summary: CVE-2007-1049: wordpress < 2.1.1 XSS
Product: [Fedora] Fedora
Reporter: Ville Skyttä <ville.skytta>
Component: wordpress
Assignee: John Berninger <john>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: deisenst, fedora-security-list
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1049
Doc Type: Bug Fix
Last Closed: 2007-02-27 16:12:40 UTC

Description Ville Skyttä 2007-02-25 16:37:38 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1049

"Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in
the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before
2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web
script or HTML via the file parameter to wp-admin/templates.php, and possibly
other vectors involving the action variable."

FE5+ apparently affected.
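The pattern behind the CVE text above, as an added example that is not code from this bug report or from WordPress: a confirmation ("Are you sure?") message that interpolates a request parameter such as a template file name straight into HTML, beside the form that escapes it first. The function names, the action table and the message strings are constructed stand-ins, not wp_explain_nonce() itself.

```python
import html

# Constructed table of action -> human-readable explanation. The {obj} slot is
# where the user-controlled object (e.g. a file name from the request) lands.
ACTION_MESSAGES = {
    "edit-theme": "Your attempt to edit this theme file: &#8220;{obj}&#8221;",
    "delete-post": "Your attempt to delete this post: &#8220;{obj}&#8221;",
}
DEFAULT_MESSAGE = "Your attempt to do this: {obj}"


def explain_nonce_vulnerable(action: str, obj: str) -> str:
    """Bug pattern: the request parameter is reflected verbatim into HTML,
    so markup in `obj` is rendered by the browser as part of the page."""
    template = ACTION_MESSAGES.get(action, DEFAULT_MESSAGE)
    return "<p>" + template.format(obj=obj) + "</p>"


def explain_nonce_hardened(action: str, obj: str) -> str:
    """Fix pattern: HTML-escape the parameter before interpolation.
    quote=True also encodes ' and ", so the value stays inert even if a
    later template puts it inside an attribute value."""
    template = ACTION_MESSAGES.get(action, DEFAULT_MESSAGE)
    return "<p>" + template.format(obj=html.escape(obj, quote=True)) + "</p>"


def reflected_unescaped(rendered: str, untrusted: str) -> bool:
    """Review/detection helper: did an untrusted value containing HTML
    metacharacters survive unchanged in the rendered output?"""
    has_meta = any(c in untrusted for c in "<>\"'")
    return has_meta and untrusted in rendered
```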

Comment 1 John Berninger 2007-02-27 16:12:40 UTC
New packages uploaded / built

Comment 2 David Eisenstein 2007-03-03 04:07:08 UTC
Although John Berninger indicates that, as of 2007-02-27, new packages have
been uploaded and built for Wordpress, I am not seeing any new packages
in Extras repositories for Wordpress for FC5 nor for devel.  What's going on?

Comment 3 Jason Tibbitts 2007-03-03 04:42:19 UTC
Indeed, it seems that the new versions were tagged, but I don't see that they
were ever built.  It's probably just an oversight; I could build them myself but
at this point I think it's more prudent to wait to see if the maintainer will
chime in soon.

Comment 4 Ville Skyttä 2007-03-03 07:47:17 UTC
Which repository/mirror do you use?  I verified the existence of the builds
before marking this CVE taken care of in fedora-security/audit/fe* and they're
still there just as expected:

$ HEAD http://download.fedora.redhat.com/pub/fedora/linux/extras/5/i386/wordpress-2.1.1-0.fc5.noarch.rpm | grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 21:41:47 GMT

$ HEAD http://download.fedora.redhat.com/pub/fedora/linux/extras/6/i386/wordpress-2.1.1-0.fc6.noarch.rpm | grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 21:40:52 GMT

$ HEAD http://download.fedora.redhat.com/pub/fedora/linux/extras/development/i386/wordpress-2.1.1-0.fc7.noarch.rpm | grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 23:30:09 GMT

Comment 5 John Berninger 2007-03-03 13:26:51 UTC
http://buildsys.fedoraproject.org/logs/fedora-5-extras/28349-wordpress-2.1.1-0.fc5/

http://buildsys.fedoraproject.org/logs/fedora-6-extras/28350-wordpress-2.1.1-0.fc6/

http://buildsys.fedoraproject.org/logs/fedora-development-extras/28351-wordpress-2.1.1-0.fc7/

New packages were indeed built as of 27-Feb-2007.  If a given mirror does not
have the new packages, you may wish to contact that mirror's maintainer.

Comment 6 Jason Tibbitts 2007-03-03 15:07:56 UTC
Hmm, I'm mirroring from kernel.org.  How odd, the binary rpm is there, but the
source rpm isn't.  Sorry for not checking deeper earlier.  When I saw that the
srpm wasn't there, I tried to extract info from the buildsys but of course you
can only go back a couple of days.

Comment 7 Ville Skyttä 2007-03-03 15:38:30 UTC
That kind of situation is almost certainly a mirroring issue.  The scripts used
to publish Extras repositories work so that before creating and pushing a repo
to the primary public mirror, all binary rpms for which a source rpm is not
available are removed.

Comment 8 Jason Tibbitts 2007-03-03 15:47:25 UTC
In any case, I've re-pulled my mirror and the srpm is there, so I don't know
what was up.  And in any case this is all moot since you really, really don't
want to be running 2.1.1 anyway.