
Re: #862816 and CVE-2017-9066



Hi

Thank you for the quick response.

The check I did for wheezy was simply to grep for the validation function and it was missing. This is what I mean by clearly vulnerable. I should have said clearly not patched.

I have not seen a patch that works for wheezy yet.

I will investigate this more if no one beats me to it.

/ Ola

Sent from a phone

On 6 Jun 2017 23:26, "Craig Small" <csmall@debian.org> wrote:
On Wed, 7 Jun. 2017, 06:33 Ola Lundqvist, <ola@inguza.com> wrote:
I can see the following comments from you:
+  * Backport patches from 4.7.5 Closes: #862816
+   CVEs to be added once issued
+   - CVE-2017-XXX
+     Insufficient redirect validation in the HTTP class.
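Review bot: the "CVE-2017-XXX" placeholder under "CVEs to be added once issued" leaves this entry without a traceable identifier, and it sits under the "Backport patches from 4.7.5 Closes: #862816" bullet as if the redirect validation fix were part of the backport. Once the id is assigned, the entry should name it, and if that fix is not actually included, the changelog should say so explicitly so the bug closure does not imply the issue is resolved.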
The changelog now reads:
 * CVE-2017-9066 not fixed as the relevant code has changed dramatically
    and there is no upstream patch for it.
    Insufficient redirect validation in the HTTP class.
  
There was no upstream patch for it in the wordpress 4.1 stream.  There didn't seem to be a way of making a patch for it either.

The patch is available here:
https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11

 Does this mean that the package is vulnerable?

Wheezy is clearly vulnerable at least.
It means I am unsure. I'd like to know what you did to say it was clearly vulnerable. There is a request method, but it is radically different to wordpress 4.5
The patch referenced is for 4.5 and would not come close to working; for example the hooks construct seems to be missing or used very differently.

However, if you have a patch that works on wordpress 4.1, I'd be glad to see it!

 - Craig

--
Craig Small             https://dropbear.xyz/     csmall at : enc.com.au
Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees  
GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5
