On 14.03.2017 at 10:09, Craig Small wrote:
> Hi Markus,
> I nearly missed this one. If you go to WPScan[1] which is a great
> resource it says it is versions 4.7.0-4.7.2 only which implies that
> jessie is not impacted.
>
> However, I also go look at the 4.1 changesets on the upstream[2] as they
> have done all the hard work (mainly) of backporting the patches to
> jessie or at least a generic 4.1 wordpress. Within that you will see
> changeset 40176[3] which is the 4.1 version of 40169 which is the
> changeset for this patch in the 4.7 branch.
>
> So my whole rationale for adding this one in and going against what
> WPScan said is purely 40176 is in the 4.1 branch of the upstream's svn.
> Looking at the relevant file it does look like it does things and not
> dead or unreachable code, so I think 4.1 is vulnerable, but PHP code is
> horrible to debug for that sort of thing.

Thanks for the explanation. That makes sense. By the way, I think your
patch cs40155_media_metadata, CVE-2017-6814, requires a backport of two
more functions: wp_kses_post_deep and map_deep.

Markus