
Wordpress fix



Hi,
  Wordpress has had some security updates in 3.9.2; I have backported
these changesets to wheezy and now to squeeze. Attached is the
debdiff for review.

 - Craig
-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5
diff -Nru wordpress-3.6.1+dfsg/debian/changelog wordpress-3.6.1+dfsg/debian/changelog
--- wordpress-3.6.1+dfsg/debian/changelog	2014-04-21 09:47:13.000000000 +1000
+++ wordpress-3.6.1+dfsg/debian/changelog	2014-08-08 20:33:48.000000000 +1000
@@ -1,3 +1,15 @@
+wordpress (3.6.1+dfsg-1~deb6u5) squeeze-lts; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Import Wordpress 3.9.2 changesets Closes: #757312
+  * Changeset 29405 - Ignore entites in XML-RPC
+  * Changeset 29390 - Disable entities in ID3
+  * Changeset 29384 - Constant time for wp_verify_nonce
+  * Changeset 29408 - delimiters on nonce
+  * Changeset 29398 - Escape late in get_avatar
+
+ -- Craig Small <csmall@debian.org>  Fri, 08 Aug 2014 18:22:51 +1000
+
 wordpress (3.6.1+dfsg-1~deb6u4) squeeze-security; urgency=medium
 
   * Non-maintainer upload by the Security Team.
diff -Nru wordpress-3.6.1+dfsg/debian/patches/cs29384_time_nonce wordpress-3.6.1+dfsg/debian/patches/cs29384_time_nonce
--- wordpress-3.6.1+dfsg/debian/patches/cs29384_time_nonce	1970-01-01 10:00:00.000000000 +1000
+++ wordpress-3.6.1+dfsg/debian/patches/cs29384_time_nonce	2014-08-08 18:28:12.000000000 +1000
@@ -0,0 +1,105 @@
+Description: Constant time for wp_verify_nonce()
+Author: nacin
+Origin: vendor, https://core.trac.wordpress.org/changeset/29384
+--- a/wp-includes/compat.php
++++ b/wp-includes/compat.php
+@@ -94,3 +94,32 @@
+ 		return is_array($data) ? array_map(__FUNCTION__, $data) : $data;
+ 	}
+ }
++
++if ( ! function_exists( 'hash_equals' ) ) :
++/**
++ * Compare two strings in constant time.
++ *
++ * This function was added in PHP 5.6.
++ * It can leak the length of a string.
++ *
++ * @since 3.9.2
++ *
++ * @param string $a Expected string.
++ * @param string $b Actual string.
++ * @return bool Whether strings are equal.
++ */
++function hash_equals( $a, $b ) {
++	$a_length = strlen( $a );
++	if ( $a_length !== strlen( $b ) ) {
++		return false;
++	}
++	$result = 0;
++
++	// Do not attempt to "optimize" this.
++	for ( $i = 0; $i < $a_length; $i++ ) {
++		$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
++	}
++
++	return $result === 0;
++}
++endif;
+--- a/wp-includes/pluggable.php
++++ b/wp-includes/pluggable.php
+@@ -546,7 +546,7 @@
+ 	$key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
+ 	$hash = hash_hmac('md5', $username . '|' . $expiration, $key);
+ 
+-	if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
++	if ( ! hash_equals( $hash, $hmac ) ) {
+ 		do_action('auth_cookie_bad_hash', $cookie_elements);
+ 		return false;
+ 	}
+@@ -1261,11 +1261,17 @@
+ 	$i = wp_nonce_tick();
+ 
+ 	// Nonce generated 0-12 hours ago
+-	if ( substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10) === $nonce )
++	$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
++	if ( hash_equals( $expected, $nonce ) ) {
+ 		return 1;
++	}
++
+ 	// Nonce generated 12-24 hours ago
+-	if ( substr(wp_hash(($i - 1) . $action . $uid, 'nonce'), -12, 10) === $nonce )
++	$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
++	if ( hash_equals( $expected, $nonce ) ) {
+ 		return 2;
++	}
++
+ 	// Invalid nonce
+ 	return false;
+ }
+@@ -1747,3 +1753,35 @@
+ }
+ endif;
+ 
++if ( ! function_exists( 'hash_equals' ) ) :
++/**
++ * Compare two strings in constant time.
++ *
++ * This function is NOT pluggable. It is in this file (in addition to
++ * compat.php) to prevent errors if, during an update, pluggable.php
++ * copies over but compat.php does not.
++ *
++ * This function was added in PHP 5.6.
++ * It can leak the length of a string.
++ *
++ * @since 3.9.2
++ *
++ * @param string $a Expected string.
++ * @param string $b Actual string.
++ * @return bool Whether strings are equal.
++ */
++function hash_equals( $a, $b ) {
++	$a_length = strlen( $a );
++	if ( $a_length !== strlen( $b ) ) {
++		return false;
++	}
++	$result = 0;
++
++	// Do not attempt to "optimize" this.
++	for ( $i = 0; $i < $a_length; $i++ ) {
++		$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
++	}
++
++	return $result === 0;
++}
++endif;
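Review bot: The `$token` appended to the nonce input at `$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );` (and the 12-24h line below it) is not defined anywhere in the visible wp_verify_nonce() code, so with this patch applied on its own the hash is built from an undefined variable (a notice and an empty trailing component); it only becomes consistent once cs29408 later in this debdiff strips `$token` out again, so that ordering must hold in the patch series. The hash_equals() fallback is sound for its callers here because the computed value is always passed first and the user-supplied `$nonce`/`$hmac` second, and the early length-mismatch return only leaks the length, as the docblock says. Since `$nonce` ultimately comes from request data, a cheap hardening for the fallback is to reject non-strings before calling strlen(): `if ( ! is_string( $a ) || ! is_string( $b ) ) {` / `return false;` / `}` at the top of both copies of the function. The wp_verify_nonce() and auth-cookie hunks start inside functions whose openings are outside the shown lines.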
diff -Nru wordpress-3.6.1+dfsg/debian/patches/cs29390_disable_id3_entities wordpress-3.6.1+dfsg/debian/patches/cs29390_disable_id3_entities
--- wordpress-3.6.1+dfsg/debian/patches/cs29390_disable_id3_entities	1970-01-01 10:00:00.000000000 +1000
+++ wordpress-3.6.1+dfsg/debian/patches/cs29390_disable_id3_entities	2014-08-08 18:28:12.000000000 +1000
@@ -0,0 +1,23 @@
+Description: Disable external entities in ID3.
+Author: nacin
+Origin: vendor, https://core.trac.wordpress.org/changeset/29390
+--- a/wp-includes/ID3/getid3.lib.php
++++ b/wp-includes/ID3/getid3.lib.php
+@@ -519,11 +519,12 @@
+ 	}
+ 
+ 	public static function XML2array($XMLstring) {
+-		if (function_exists('simplexml_load_string')) {
+-			if (function_exists('get_object_vars')) {
+-				$XMLobject = simplexml_load_string($XMLstring);
+-				return self::SimpleXMLelement2array($XMLobject);
+-			}
++		if ( function_exists( 'simplexml_load_string' ) && function_exists( 'libxml_disable_entity_loader' ) ) {
++			$loader = libxml_disable_entity_loader( true );
++			$XMLobject = simplexml_load_string( $XMLstring, 'SimpleXMLElement', LIBXML_NOENT );
++			$return = self::SimpleXMLelement2array( $XMLobject );
++			libxml_disable_entity_loader( $loader );
++			return $return;
+ 		}
+ 		return false;
+ 	}
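Review bot: The `LIBXML_NOENT` flag passed to `simplexml_load_string( $XMLstring, 'SimpleXMLElement', LIBXML_NOENT )` asks libxml to substitute entity references, so this fix relies entirely on `libxml_disable_entity_loader( true )` to keep external entities from being fetched; internal entities declared in the document's own DTD may still be expanded, which matters if ID3 metadata can carry a DOCTYPE (libxml's own expansion limits may bound this, but the patch does not say). If the ID3 callers do not need entity substitution, dropping `LIBXML_NOENT` would be the stricter choice; otherwise a comment such as `// NOENT substitutes internal entities only: external loading is disabled above` would record the intent. Note also that the previous loader state is restored only on the normal path: if `SimpleXMLelement2array()` throws, the process-wide setting stays disabled, which is the safe direction but is a side effect worth a one-line comment. XML2array() is shown whole, but its enclosing class is not.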
diff -Nru wordpress-3.6.1+dfsg/debian/patches/cs29398_escape_get_avatar wordpress-3.6.1+dfsg/debian/patches/cs29398_escape_get_avatar
--- wordpress-3.6.1+dfsg/debian/patches/cs29398_escape_get_avatar	1970-01-01 10:00:00.000000000 +1000
+++ wordpress-3.6.1+dfsg/debian/patches/cs29398_escape_get_avatar	2014-08-08 18:28:12.000000000 +1000
@@ -0,0 +1,15 @@
+Descripton: Escape late in get_avatar()
+Author: nacin
+Origin: vendor, https://core.trac.wordpress.org/changeset/29398
+--- a/wp-includes/pluggable.php
++++ b/wp-includes/pluggable.php
+@@ -1672,7 +1672,8 @@
+ 
+ 		$avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";
+ 	} else {
+-		$avatar = "<img alt='{$safe_alt}' src='{$default}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
++		$out = esc_url( $default );
++		$avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
+ 	}
+ 
+ 	return apply_filters('get_avatar', $avatar, $id_or_email, $size, $default, $alt);
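Review bot: The DEP-3 header at the top of this patch file reads `Descripton:`, so tooling that parses patch headers will not see a Description field; it should be `Description: Escape late in get_avatar()`. In the code, `$default` is now run through `esc_url()` immediately before interpolation into the `src` attribute, making the else-branch parallel to the branch above that already interpolates an escaped `$out`; a short comment on the new line, e.g. `// Escape at output: $default appears to be caller-supplied and lands in the src attribute`, would explain why escaping moved to this point rather than leaving the reader to infer it. The enclosing get_avatar() begins before this hunk.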
diff -Nru wordpress-3.6.1+dfsg/debian/patches/cs29405_ignore_xml wordpress-3.6.1+dfsg/debian/patches/cs29405_ignore_xml
--- wordpress-3.6.1+dfsg/debian/patches/cs29405_ignore_xml	1970-01-01 10:00:00.000000000 +1000
+++ wordpress-3.6.1+dfsg/debian/patches/cs29405_ignore_xml	2014-08-08 18:28:12.000000000 +1000
@@ -0,0 +1,46 @@
+Description: Ignore entities in XML-RPC requests
+Author: nacin
+Origin: vendor, https://core.trac.wordpress.org/changeset/29405/branches/3.9
+--- a/wp-includes/class-IXR.php
++++ b/wp-includes/class-IXR.php
+@@ -203,11 +203,37 @@
+     {
+         // first remove the XML declaration
+         // merged from WP #10698 - this method avoids the RAM usage of preg_replace on very large messages
+-        $header = preg_replace( '/<\?xml.*?\?'.'>/', '', substr($this->message, 0, 100), 1);
+-        $this->message = substr_replace($this->message, $header, 0, 100);
+-        if (trim($this->message) == '') {
++        $header = preg_replace( '/<\?xml.*?\?'.'>/s', '', substr( $this->message, 0, 100 ), 1 );
++        $this->message = trim( substr_replace( $this->message, $header, 0, 100 ) );
++        if ( '' == $this->message ) {
+             return false;
+         }
++
++        // Then remove the DOCTYPE
++        $header = preg_replace( '/^<!DOCTYPE[^>]*+>/i', '', substr( $this->message, 0, 200 ), 1 );
++        $this->message = trim( substr_replace( $this->message, $header, 0, 200 ) );
++        if ( '' == $this->message ) {
++            return false;
++        }
++
++        // Check that the root tag is valid
++        $root_tag = substr( $this->message, 0, strcspn( substr( $this->message, 0, 20 ), "> \t\r\n" ) );
++        if ( '<!DOCTYPE' === strtoupper( $root_tag ) ) {
++            return false;
++        }
++        if ( ! in_array( $root_tag, array( '<methodCall', '<methodResponse', '<fault' ) ) ) {
++            return false;
++        }
++
++        // Bail if there are too many elements to parse
++        $element_limit = 30000;
++        if ( function_exists( 'apply_filters' ) ) {
++            $element_limit = apply_filters( 'xmlrpc_element_limit', $element_limit );
++        }
++        if ( $element_limit && 2 * $element_limit < substr_count( $this->message, '<' ) ) {
++            return false;
++        }
++
+         $this->_parser = xml_parser_create();
+         // Set XML parser to take the case of tags in to account
+         xml_parser_set_option($this->_parser, XML_OPTION_CASE_FOLDING, false);
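Review bot: The new root-tag whitelist `if ( ! in_array( $root_tag, array( '<methodCall', '<methodResponse', '<fault' ) ) ) {` compares loosely; `$root_tag` is always a substr() result here so it is not exploitable, but passing `true` as the third argument would make the intent explicit and match the strict `===` used one line earlier. The `// Then remove the DOCTYPE` comment says what but not why; suggest `// Strip a leading DOCTYPE so entity declarations never reach the expat parser created below; reject the message if one is still present`. The DOCTYPE regex `/^<!DOCTYPE[^>]*+>/i` stops at the first `>`, so a DOCTYPE with an internal subset is only partly removed and it is the subsequent `'<!DOCTYPE' === strtoupper( $root_tag )` check that rejects the remainder — worth a comment so the two checks are not later simplified apart. The enclosing method starts before this hunk and continues after it.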
diff -Nru wordpress-3.6.1+dfsg/debian/patches/cs29408_delim_nonce wordpress-3.6.1+dfsg/debian/patches/cs29408_delim_nonce
--- wordpress-3.6.1+dfsg/debian/patches/cs29408_delim_nonce	1970-01-01 10:00:00.000000000 +1000
+++ wordpress-3.6.1+dfsg/debian/patches/cs29408_delim_nonce	2014-08-08 18:28:12.000000000 +1000
@@ -0,0 +1,30 @@
+Description: Use delimiters when building nonce hashes
+Author: nacin
+Origin: vendor, https://core.trac.wordpress.org/changeset/29408
+--- a/wp-includes/pluggable.php
++++ b/wp-includes/pluggable.php
+@@ -1261,13 +1261,13 @@
+ 	$i = wp_nonce_tick();
+ 
+ 	// Nonce generated 0-12 hours ago
+-	$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
++	$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid, 'nonce'), -12, 10 );
+ 	if ( hash_equals( $expected, $nonce ) ) {
+ 		return 1;
+ 	}
+ 
+ 	// Nonce generated 12-24 hours ago
+-	$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
++	$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid, 'nonce' ), -12, 10 );
+ 	if ( hash_equals( $expected, $nonce ) ) {
+ 		return 2;
+ 	}
+@@ -1294,7 +1294,7 @@
+ 
+ 	$i = wp_nonce_tick();
+ 
+-	return substr(wp_hash($i . $action . $uid, 'nonce'), -12, 10);
++	return substr(wp_hash($i . '|' . $action . '|' . $uid, 'nonce'), -12, 10);
+ }
+ endif;
+ 
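Review bot: This patch removes the `$token` component that cs29384 (earlier in this debdiff) added to the nonce input, so it is only correct if it is applied after cs29384; the debdiff shows no change to `debian/patches/series`, so either that file was left out of the diff or the ordering needs checking. Because `wp_create_nonce()` now hashes `$i . '|' . $action . '|' . $uid` instead of the undelimited concatenation, and both verification windows compute the new form, every nonce issued before the upgrade will stop verifying, so users with admin pages open at upgrade time will see one round of nonce failures — a line in the changelog or README.Debian would be worth adding. Both hunks sit inside wp_verify_nonce() and wp_create_nonce(), whose openings are outside the shown lines.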
