Bug#881088: Wordpress on wheezy

2017-11-12 Thread Markus Koschany 
I have investigated the issue and found out that it is not just about
the missing brace, an additional database upgrade would also be required
to fix CVE-2017-14990 in Wheezy. The signup_id column does not exist
before version 3.7. In addition further code changes would be necessary.
I believe this would be too intrusive in this case because
CVE-2017-14990 is merely a new hardening feature for multisite
installations. I will revert the patch for CVE-2017-14990 for now. I am
sorry for any inconvenience this may have caused.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature

Bug#881088: Wordpress on wheezy

2017-11-12 Thread Markus Koschany 
Am 12.11.2017 um 11:16 schrieb Craig Small:
[...]
> Hi Marcus, are you able to fix wheezy? I assume it was the LTS team that
> did this one as it doesn't appear in the Jessie patch list.

Thank you for contacting me about this bug. I will issue a regression
update for Wheezy asap.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature

Bug#881088: Wordpress on wheezy

2017-11-12 Thread Craig Small 
On Wed, 8 Nov 2017 at 03:03 Mckinnell, James 
wrote:

> Initial report of failure to access the Wordpress site - Apache showing Error 
> 500
> Apache error.log shows:
> [Wed Nov 01 10:32:53 2017] [error] [client xx.xx.xx.xx] PHP Parse error:  
> syntax error, unexpected end of file in 
> /usr/share/wordpress/wp-includes/ms-functions.php on line 2016
>
> Hi Jim,
  The error is in the bottom of Debian patch CVE-2017-14990 produced by, I
believe the LTS team. In the patch header it mentions  Marcus as the author
who I have CC'ed into this bug report.

Your analysis is correct about the braces, at the near-end of that patch
you see.
-   if ( empty( $signup ) )
+   if ( ! $wp_hasher->CheckPassword( $key, $signup->activation_key ) )
{

You can see that the removed line has no brace, while the added line has
one.

I don't believe the add_action line is a mistake as its not added in by
that patch.  It is a syntax error because the function is loaded in before
this file is parsed. It's one of those awfulness about PHP that makes
debugging so much fun.  I use the lint command (php -l myfile.php) to check
the patches but even that is not 100% unfortunately.

Hi Marcus, are you able to fix wheezy? I assume it was the LTS team that
did this one as it doesn't appear in the Jessie patch list.

 - Craig

-- 
Craig Small https://dropbear.xyz/ csmall at : enc.com.au
Debian GNU/Linuxhttps://www.debian.org/   csmall at : debian.org
Mastodon: @smalls...@social.dropbear.xyz Twitter: @smallsees
GPG fingerprint:  5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

Bug#881088: Wordpress on wheezy

2017-11-07 Thread Mckinnell, James 
Package: wordpress

Version: 3.6.1+dfsg-1~deb7u18

Initial report of failure to access the Wordpress site - Apache showing Error 
500
Apache error.log shows:
[Wed Nov 01 10:32:53 2017] [error] [client xx.xx.xx.xx] PHP Parse error:  
syntax error, unexpected end of file in 
/usr/share/wordpress/wp-includes/ms-functions.php on line 2016

Did the following:


downloaded and unpacked the package:
# cd /var/tmp
# apt-get download wordpress=3.6.1+dfsg-1~deb7u18
# dpkg-deb -x wordpress_3.6.1+dfsg-1~deb7u18_all.deb .
verified syntax error:
# php usr/share/wordpress/wp-includes/ms-functions.php
PHP Parse error: syntax error, unexpected end of file in 
/var/tmp/usr/share/wordpress/wp-includes/ms-functions.php on line 2016
counted braces:
# fgrep { usr/share/wordpress/wp-includes/ms-functions.php | wc
13810007226
# fgrep } usr/share/wordpress/wp-includes/ms-functions.php | wc
137 2791728

laboriously found mismatch and made correction:

# cp -p ms-functions.php ms-functions.php_20171107
# vi ms-functions.php
# diff ms-functions.php_20171107 ms-functions.php
845c845
< if ( ! $wp_hasher->CheckPassword( $key, $signup->activation_key ) ) {
-
> if ( ! $wp_hasher->CheckPassword( $key, $signup->activation_key ) )
1756c1756
< add_action('update_option_blog_public', 'update_blog_public', 10, 2);
-
> // add_action('update_option_blog_public', 'update_blog_public', 10, 2);

The first change removes the syntax error (and hopefully preserves what was 
intended) but leaves an oddity...
Note that there is also a spurious(?) source line not enclosed in any function 
- is it supposed to be there? I doubt it!

Regards
Jim McKinnell




To view the terms under which this email is distributed, please go to:-
http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html