Your message dated Sat, 14 Nov 2009 12:18:00 +0000
with message-id <[email protected]>
and subject line Bug#549436: fixed in wordpress 2.8.6-1
has caused the Debian Bug report #549436,
regarding wordpress: Fix for 500295 is too restrictive
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
549436: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549436
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: wordpress
Version: 2.8.4-2
Severity: important


The fix for bug 500295 is too restrictive.  It disables a completely
reasonable way of configuring wordpress.  Using symlinks is probably
the only way of allowing trusted users to manage their wordpress
configuration without having to be root (other than to create the symlink).
We use this type of configuration, given that we have users that we trust.
The proposed additional solution of adding a list of directories that can
contain configuration files is messy - there must be a better solution!

One problem with the fix is that the nature of the possible attack isn't
actually explained in the bug.  Can someone please explain it?  Then we
could help to try and find a better solution.

Does the attack involve having special characters/substrings like '/' and
".." in HTTP_HOST, which then possibly allows them to run code in files
in the uploads area?  If so, why not just disallow '/' in HTTP_HOST?  That
would seem to be a simpler and less restrictive fix...

There must be a fix that doesn't impose the restrictions that realpath()
implies...

Note, we haven't yet installed version 2.8.4-2 because we'd like to
make sure we have a workaround/solution that allows us to have users
manage their own configurations and minimise the amount of root access
they require.

peace & happiness,
martin


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages wordpress depends on:
ii  apache2                2.2.13-2          Apache HTTP Server metapackage
ii  apache2-mpm-prefork [h 2.2.13-2          Apache HTTP Server - traditional n
ii  libapache2-mod-php5    5.2.10.dfsg.1-2.2 server-side, HTML-embedded scripti
ii  libjs-jquery           1.3.3-2           JavaScript library for dynamic web
ii  libjs-prototype        1.6.1-1           JavaScript Framework for dynamic w
ii  libjs-scriptaculous    1.8.2-2           JavaScript library for dynamic web
ii  libphp-phpmailer       2.1-1             full featured email transfer class
ii  libphp-snoopy          1.2.4-1           Snoopy is a PHP class that simulat
ii  mysql-client-5.0 [virt 5.0.51a-24+lenny2 MySQL database client binaries
ii  php5                   5.2.10.dfsg.1-2.2 server-side, HTML-embedded scripti
ii  php5-gd                5.2.10.dfsg.1-2.2 GD module for php5
ii  php5-mysql             5.2.10.dfsg.1-2.2 MySQL module for php5
ii  tinymce                3.2.6-1           platform independent web based Jav

wordpress recommends no packages.

Versions of packages wordpress suggests:
hi  mysql-server-5.0 [virt 5.0.51a-24+lenny1 MySQL database server binaries

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/wordpress/wp-includes/pluggable.php (from wordpress package)



--- End Message ---
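The mechanism the report asks about (a per-host configuration file chosen from HTTP_HOST, the realpath() restriction in 2.8.4-2 that refuses symlinked configuration files, and the "sanitize $debian_server" direction the 2.8.6-1 changelog later in this thread describes) sketched as an added PHP example. This is illustration written for this page, not Debian's debian/wp-config.php: the function names, the /etc/wordpress/config-<host>.php layout, the whitelist pattern, the lower-casing and every sample host value are assumptions.

```php
<?php
// Illustrative reconstruction written for this page; not Debian's
// debian/wp-config.php. Names, directory layout and sample hosts are assumed.

// Whitelist a Host header value: DNS labels (letters, digits, hyphen) joined
// by dots, with an optional ":port". Anything else, including '/' and "..",
// is rejected, so the value can never alter the directory part of the path.
function debian_sanitize_server($host)
{
    if (!is_string($host) || $host === '') {
        return null;
    }
    // Host names are case-insensitive; fold to lower case so one config
    // file serves every spelling of the same host (a design choice here).
    $host = strtolower($host);
    $label   = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $pattern = '/^' . $label . '(?:\.' . $label . ')*(?::[0-9]{1,5})?$/';
    return preg_match($pattern, $host) === 1 ? $host : null;
}

// Approach A, the 2.8.4-2 style check the report objects to: build the path,
// then require that its realpath() still lies under the config directory.
// A symlink /etc/wordpress/config-blog.example.org.php -> /home/alice/wp.php
// resolves outside $configDir and is refused, which is what bug 549436 is about.
function config_path_realpath_check($host, $configDir = '/etc/wordpress')
{
    $real = realpath($configDir . '/config-' . $host . '.php');
    $base = realpath($configDir);
    if ($real === false || $base === false) {
        return null; // missing file or missing directory
    }
    // Compare against "$base/" so that a sibling such as /etc/wordpress2
    // does not pass as a prefix match.
    if (strpos($real, $base . '/') !== 0) {
        return null; // resolved target is outside /etc/wordpress
    }
    return $real;
}

// Approach B, the direction the 2.8.6-1 changelog describes: validate the
// host value itself and then use the path as given. Symlinks are honoured,
// because the only variable part of the path is the whitelisted host.
function config_path_sanitized_host($host, $configDir = '/etc/wordpress')
{
    $clean = debian_sanitize_server($host);
    if ($clean === null) {
        return null;
    }
    $candidate = $configDir . '/config-' . $clean . '.php';
    return file_exists($candidate) ? $candidate : null;
}

// Constructed sample Host values (not taken from the reporter's system).
$samples = array(
    'blog.example.org',
    'blog.example.org:8080',
    'Blog.Example.ORG',
    'blog.example.org/../wp-content',
    '-bad.example.org',
);
foreach ($samples as $sample) {
    $clean = debian_sanitize_server($sample);
    printf("%-34s -> %s\n", var_export($sample, true),
           $clean === null ? 'rejected' : 'accepted as ' . $clean);
}
```

Run with `php wp-config-demo.php` (file name assumed): the first three samples are accepted (the third folded to lower case), the slash-containing and leading-hyphen values are rejected. The point of approach B is that, once the host value can only consist of whitelisted characters, the constructed path cannot leave the configuration directory whether or not the file there is a symlink, so the realpath() restriction the reporter complains about is no longer needed for that purpose. What still has to be decided by the surrounding code is what happens when the sanitizer returns null: falling back to a fixed default configuration rather than an error is the usual choice, and the example deliberately leaves that to the caller.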
--- Begin Message ---
Source: wordpress
Source-Version: 2.8.6-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress-l10n_2.8.6-1_all.deb
  to main/w/wordpress/wordpress-l10n_2.8.6-1_all.deb
wordpress_2.8.6-1.diff.gz
  to main/w/wordpress/wordpress_2.8.6-1.diff.gz
wordpress_2.8.6-1.dsc
  to main/w/wordpress/wordpress_2.8.6-1.dsc
wordpress_2.8.6-1_all.deb
  to main/w/wordpress/wordpress_2.8.6-1_all.deb
wordpress_2.8.6.orig.tar.gz
  to main/w/wordpress/wordpress_2.8.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <[email protected]> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 14 Nov 2009 12:53:07 +0100
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 2.8.6-1
Distribution: unstable
Urgency: low
Maintainer: Giuseppe Iuculano <[email protected]>
Changed-By: Giuseppe Iuculano <[email protected]>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 549436 555729
Changes: 
 wordpress (2.8.6-1) unstable; urgency=low
 .
   * [cf87b24] Updated debian/watch (Closes: #555729) - thanks to Hideki
     Yamane
   * [997165e] Imported Upstream version 2.8.6
   * [05395e1] debian/wp-config.php: sanitize $debian_server and do not
     check if $debian_file is under /etc/wordpress (Closes: #549436)
   * [dc016ce] Updated language files
Checksums-Sha1: 
 0580aefcdc026606ccc11f5cc918538315b6346f 1209 wordpress_2.8.6-1.dsc
 01a996c57f54a95cf6e457b61082f520a82ad1b5 2078596 wordpress_2.8.6.orig.tar.gz
 109ec47eedb327cf48f586a44279d9131e0565af 4852855 wordpress_2.8.6-1.diff.gz
 16b4d0f44a92ed8ffc76e06a58bc2b6d59382bd3 1859280 wordpress_2.8.6-1_all.deb
 9df672b8a180ae5d28b6a13cf769fc9066590bd6 4306040 wordpress-l10n_2.8.6-1_all.deb
Checksums-Sha256: 
 792d2f3164ee1195fcb83b13b325dcb8ba423c8a438135150a79161dca2ebf94 1209 wordpress_2.8.6-1.dsc
 977bae2c445d0f68262b1532168610481aab62794e8c02fc1c1fcbddfcd5cf21 2078596 wordpress_2.8.6.orig.tar.gz
 b386d0dd213ff907716861aabc5f0e3d7099017b9c107ab4f50d3a758a417701 4852855 wordpress_2.8.6-1.diff.gz
 1c833174f5f1b8e7c0371863b2603b113b9a7f73b690198fea3e9ef3747949e2 1859280 wordpress_2.8.6-1_all.deb
 ac91c6b223b3164d924f24ba3996db5780dc4dd25307e913c3e4a0e5e7fc19fa 4306040 wordpress-l10n_2.8.6-1_all.deb
Files: 
 774e27657074d015fbb4430416852195 1209 web optional wordpress_2.8.6-1.dsc
 1956f09f2abe74ed85e0de04d511d433 2078596 web optional wordpress_2.8.6.orig.tar.gz
 85865abfd4440b5527bbee68ebd6fa3a 4852855 web optional wordpress_2.8.6-1.diff.gz
 af0ab4177c88c01b6ab0fbccc998ad05 1859280 web optional wordpress_2.8.6-1_all.deb
 bce9ca479a83d7029d213905d16c8546 4306040 web optional wordpress-l10n_2.8.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkr+mvwACgkQNxpp46476ap08ACdHpYqpghQIV0y0F5D0X7wQOQk
cEIAnRydQnP05tpM9nWYrOKI7wLlK7OO
=1pqJ
-----END PGP SIGNATURE-----



--- End Message ---