Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression
On 30/09/16 09:20, Yves-Alexis Perez wrote:
> control: tag -1 patch pending
>
> Hi,
>
> thanks for the report, we're aware of the regression. Can you try the attached
> patch against functions.php and report back, as soon as possible?
>
> Regards,

Hi,

Applied as follows:

# cd /
# patch -p1
Bug#839190: [SECURITY] [DSA 3681-1] wordpress security update
On Fri, 30 Sep 2016 10:29:41 +0200 Yves-Alexis Perez wrote:
> As for the more general trend, it might also be because the landscape is
> more and more complex and time consuming, and there's never enough people
> to help on this.

Yes, I can imagine that (for more than a decade, I got away with relying on
Debian's high standards and not having a test server at all, although I
probably should have). Thanks for the quick turnaround and all the work over
the years, I really appreciate that. Merci.

Best regards,
Laurențiu
Bug#839190: [SECURITY] [DSA 3681-1] wordpress security update
Thanks guys!

Adam

On Fri, Sep 30, 2016 at 1:29 AM, Yves-Alexis Perez wrote:
> On ven., 2016-09-30 at 10:26 +0200, Laurentiu Pancescu wrote:
> >
> > Your patch seems to work. The Ansible playbook completes successfully
> > (it's pretty extensive, from the database creation to importing old
> > posts and media, configuring users and several plugins programmatically
> > with wp-cli, so I'm pretty confident there are no other issues) and
> > browsing the site and logging in as admin and accessing different
> > settings works without any warnings or errors.
>
> Thanks for the report, I'll push a regression update asap
>
> > As a side note, I started using Debian with 2.2r3, and have the
> > impression that problematic security updates became more frequent in the
> > last few years. Are DSAs typically tested before being released? It
> > wouldn't be realistic to expect the security team to have tests for each
> > of the tens of thousands of packages that Debian carries, but the
> > package maintainer should have a working installation with stable or
> > oldstable for testing patches before release? Could also be just my
> > selective memory, though... :)
>
> Unfortunately, on this one, there was some miscoordination between Craig
> (who prepared the upload) and me (who released it and sent the DSA), and in
> the end the package itself wasn't indeed tested as it should have been.
>
> As for the more general trend, it might also be because the landscape is
> more and more complex and time consuming, and there's never enough people
> to help on this.
>
> Regards,
> --
> Yves-Alexis
Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression
On Fri, Sep 30, 2016 at 04:50:03PM +0200, Stefano Zacchiroli wrote:
> On Fri, Sep 30, 2016 at 10:20:30AM +0200, Yves-Alexis Perez wrote:
> > thanks for the report, we're aware of the regression. Can you try the
> > attached patch against functions.php and report back, as soon as possible?
>
> I've tried the patch, and it fixed the regression for me.

Thanks for the report. I have a package nearly ready for upload but I'm
waiting on some bits from Craig to fix a build failure which I'm not sure why
it happens here. Stay tuned.

Regards,
-- 
Yves-Alexis Perez
Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression
On Fri, Sep 30, 2016 at 10:20:30AM +0200, Yves-Alexis Perez wrote:
> thanks for the report, we're aware of the regression. Can you try the attached
> patch against functions.php and report back, as soon as possible?

I've tried the patch, and it fixed the regression for me.

Cheers.
-- 
Stefano Zacchiroli . z...@upsilon.cc . upsilon.cc/zack
Computer Science Professor . CTO Software Heritage
Former Debian Project Leader . OSI Board Director
« the first rule of tautology club is the first rule of tautology club »
Bug#839190: [SECURITY] [DSA 3681-1] wordpress security update
On ven., 2016-09-30 at 10:26 +0200, Laurentiu Pancescu wrote:
>
> Your patch seems to work. The Ansible playbook completes successfully
> (it's pretty extensive, from the database creation to importing old
> posts and media, configuring users and several plugins programmatically
> with wp-cli, so I'm pretty confident there are no other issues) and
> browsing the site and logging in as admin and accessing different
> settings works without any warnings or errors.

Thanks for the report, I'll push a regression update asap

> As a side note, I started using Debian with 2.2r3, and have the
> impression that problematic security updates became more frequent in the
> last few years. Are DSAs typically tested before being released? It
> wouldn't be realistic to expect the security team to have tests for each
> of the tens of thousands of packages that Debian carries, but the
> package maintainer should have a working installation with stable or
> oldstable for testing patches before release? Could also be just my
> selective memory, though... :)

Unfortunately, on this one, there was some miscoordination between Craig (who
prepared the upload) and me (who released it and sent the DSA), and in the end
the package itself wasn't indeed tested as it should have been.

As for the more general trend, it might also be because the landscape is more
and more complex and time consuming, and there's never enough people to help
on this.

Regards,
-- 
Yves-Alexis
Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression
control: tag -1 patch pending

Hi,

thanks for the report, we're aware of the regression. Can you try the attached
patch against functions.php and report back, as soon as possible?

Regards,
-- 
Yves-Alexis Perez - Debian Security

--- /usr/share/wordpress/wp-includes/functions.php.old 2016-09-30 09:25:52.577170437 +0200
+++ /usr/share/wordpress/wp-includes/functions.php 2016-09-30 09:27:12.659872469 +0200
@@ -2644,142 +2644,6 @@ * @param int $options Optional. Options to be passed to json_encode(). Default 0. * @param int $depth Optional. Maximum depth to walk through $data. Must be * greater than 0. Default 512. - * @return bool|string The JSON encoded string, or false if it cannot be encoded. - */ -function wp_json_encode( $data, $options = 0, $depth = 512 ) { - /* - * json_encode() has had extra params added over the years. - * $options was added in 5.3, and $depth in 5.5. - * We need to make sure we call it with the correct arguments. - */ - if ( version_compare( PHP_VERSION, '5.5', '>=' ) ) { - $args = array( $data, $options, $depth ); - } elseif ( version_compare( PHP_VERSION, '5.3', '>=' ) ) { - $args = array( $data, $options ); - } else { - $args = array( $data ); - } - - $json = call_user_func_array( 'json_encode', $args ); - - // If json_encode() was successful, no need to do more sanity checking. - // ... unless we're in an old version of PHP, and json_encode() returned - // a string containing 'null'. Then we need to do more sanity checking. - if ( false !== $json && ( version_compare( PHP_VERSION, '5.5', '>=' ) || false === strpos( $json, 'null' ) ) ) { - return $json; - } - - try { - $args[0] = _wp_json_sanity_check( $data, $depth ); - } catch ( Exception $e ) { - return false; - } - - return call_user_func_array( 'json_encode', $args ); -} - -/** - * Perform sanity checks on data that shall be encoded to JSON. - * - * @see wp_json_encode() - * - * @since 4.1.0 - * @access private - * @internal - * - * @param mixed $data Variable (usually an array or object) to encode as JSON. - * @param int $depth Maximum depth to walk through $data. Must be greater than 0. - * @return mixed The sanitized data that shall be encoded to JSON. 
- */ -function _wp_json_sanity_check( $data, $depth ) { - if ( $depth < 0 ) { - throw new Exception( 'Reached depth limit' ); - } - - if ( is_array( $data ) ) { - $output = array(); - foreach ( $data as $id => $el ) { - // Don't forget to sanitize the ID! - if ( is_string( $id ) ) { -$clean_id = _wp_json_convert_string( $id ); - } else { -$clean_id = $id; - } - - // Check the element type, so that we're only recursing if we really have to. - if ( is_array( $el ) || is_object( $el ) ) { -$output[ $clean_id ] = _wp_json_sanity_check( $el, $depth - 1 ); - } elseif ( is_string( $el ) ) { -$output[ $clean_id ] = _wp_json_convert_string( $el ); - } else { -$output[ $clean_id ] = $el; - } - } - } elseif ( is_object( $data ) ) { - $output = new stdClass; - foreach ( $data as $id => $el ) { - if ( is_string( $id ) ) { -$clean_id = _wp_json_convert_string( $id ); - } else { -$clean_id = $id; - } - - if ( is_array( $el ) || is_object( $el ) ) { -$output->$clean_id = _wp_json_sanity_check( $el, $depth - 1 ); - } elseif ( is_string( $el ) ) { -$output->$clean_id = _wp_json_convert_string( $el ); - } else { -$output->$clean_id = $el; - } - } - } elseif ( is_string( $data ) ) { - return _wp_json_convert_string( $data ); - } else { - return $data; - } - - return $output; -} - -/** - * Convert a string to UTF-8, so that it can be safely encoded to JSON. - * - * @see _wp_json_sanity_check() - * - * @since 4.1.0 - * @access private - * @internal - * - * @param string $string The string which is to be converted. - * @return string The checked string. 
- */ -function _wp_json_convert_string( $string ) { - static $use_mb = null; - if ( is_null( $use_mb ) ) { - $use_mb = function_exists( 'mb_convert_encoding' ); - } - - if ( $use_mb ) { - $encoding = mb_detect_encoding( $string, mb_detect_order(), true ); - if ( $encoding ) { - return mb_convert_encoding( $string, 'UTF-8', $encoding ); - } else { - return mb_convert_encoding( $string, 'UTF-8', 'UTF-8' ); - } - } else { - return wp_check_invalid_utf8( $string, true ); - } -} - -/** - * Encode a variable into JSON, with some sanity checks. - * - * @since 4.1.0 - * - * @param mixed $dataVariable (usually an array or object) to encode as JSON. - * @param int $options Optional. Options to be passed to json_encode(). Default 0. - * @param int $depth Optional. Maximum depth to walk through $data. Must be - * greater than 0. Default 512. * @return string|false The JSON encoded string, or false if it cannot be encoded. */ function wp_json_encode( $data, $options = 0, $depth = 512 ) { @@ -2867,39 +2731,6 @@ } } -/** - * Convert a string to UTF-8, so that it can be safely encod
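Review bot: in the @@ -2644,142 +2644,6 @@ hunk, the deletion removes the first wp_json_encode() together with the _wp_json_sanity_check() and _wp_json_convert_string() definitions that sit between the two wp_json_encode() copies, while the body of the wp_json_encode() that is kept (the one with `@return string|false`) is not in the hunk; the deleted wp_json_encode() falls back to `_wp_json_sanity_check( $data, $depth )` when json_encode() fails on PHP < 5.5, so please confirm that the retained copy still has a definition of that helper to call once the whole patch is applied (after patching, `grep -n '^function _wp_json\|^function wp_json_encode' wp-includes/functions.php` should list each name exactly once). The surviving docblock is stitched from the first copy's `@param` lines and the second copy's `@return` line; that reads fine, but it is worth a glance that the parameter descriptions still match the kept body.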
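Review bot: the @@ -2867,39 +2731,6 @@ hunk starts deleting a docblock that begins "Convert a string to UTF-8, so that it can be safely encod", i.e. a further copy of _wp_json_convert_string(), and the previous hunk already deleted the copy of that function in the old 2644-2785 range; the hunk is cut off in this message, so the visible lines cannot show which definition, if any, is left for _wp_json_sanity_check() to call. Before upload, apply the patch and check that one _wp_json_convert_string() remains and that `php -l wp-includes/functions.php` is clean, since a redeclare or undefined-function fatal in this file otherwise only surfaces at request time, exactly as in the original report.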
Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression
Package: wordpress
Version: 4.1+dfsg-1+deb8u10
Severity: grave
Justification: renders package unusable

Dear Maintainer,

I've just applied a normal update to jessie, and wordpress 4.1+dfsg-1+deb8u10 (security fix) exhibits a regression, which causes all wordpress sites to fail with the following error in the web server error log:

Thu Sep 29 23:56:10 2016 - PHP Fatal error: Cannot redeclare wp_json_encode() \
(previously declared in /usr/share/wordpress/wp-includes/functions.php:2649) \
in /usr/share/wordpress/wp-includes/functions.php on line 2818

Downgrading to 4.1+dfsg-1+deb8u9 restores expected behaviour.

Cheers,
Phil.

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wordpress depends on:
ii  ca-certificates                  20141019+deb8u1
ii  libjs-cropper                    1.2.2-1
ii  libjs-mediaelement               2.15.1+dfsg-1
ii  libphp-phpmailer                 5.2.9+dfsg-2+deb8u1
ii  mysql-client-5.5 [mysql-client]  5.5.52-0+deb8u1
ii  nginx-full [httpd]               1.6.2-5+deb8u2+b1
ii  php-getid3                       1.9.8-3
ii  php5                             5.6.24+dfsg-0+deb8u1
ii  php5-gd                          5.6.24+dfsg-0+deb8u1
ii  php5-mysql                       5.6.24+dfsg-0+deb8u1
ii  wordpress-theme-twentyfifteen    4.1+dfsg-1+deb8u10

Versions of packages wordpress recommends:
ii  wordpress-l10n                   4.1+dfsg-1+deb8u10

Versions of packages wordpress suggests:
ii  mysql-server                     5.5.52-0+deb8u1
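The failure reported above is a duplicate top-level function declaration in one PHP file, which PHP only reports as a fatal when the file is compiled at request time. As an added example, not part of this bug thread or of the Debian wordpress package, the shell check below lists functions declared more than once in a PHP file, so the regression could have been caught on the build host before the DSA went out. It assumes only POSIX grep, sed, sort and uniq; the /usr/share/wordpress path in the usage comment is the one from the report and exists only where the package is installed, and the php -l step is skipped when no php binary is present.

```shell
#!/bin/sh
# Added example, not from the bug report or the Debian package: detect the
# "Cannot redeclare wp_json_encode()" failure mode before a package ships,
# by listing top-level PHP functions declared more than once in a file.

# Print every function name declared at column 0 more than once. Only
# unindented "function name(" lines are considered, so class methods (which
# may legitimately share a name across classes) are ignored.
dup_php_functions() {
    grep -oE '^function[[:space:]]+[A-Za-z_][A-Za-z0-9_]*' "$1" \
      | sed -E 's/^function[[:space:]]+//' \
      | sort | uniq -d
}

# Return 0 if the file has no duplicate top-level functions (and, when a php
# binary is available, also passes php -l); return 1 otherwise, naming the
# offending functions on stderr.
check_php_file() {
    file=$1
    dups=$(dup_php_functions "$file")
    if [ -n "$dups" ]; then
        printf 'duplicate top-level function declarations in %s:\n' "$file" >&2
        printf '%s\n' "$dups" | sed 's/^/  /' >&2
        return 1
    fi
    if command -v php >/dev/null 2>&1; then
        php -l "$file" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Usage against the file named in the report (path assumed to exist only on
# a host with the wordpress package installed):
#   check_php_file /usr/share/wordpress/wp-includes/functions.php && echo OK
```

On the broken 4.1+dfsg-1+deb8u10 tree the first function would have printed `wp_json_encode` and the check would have failed, which is the signal a pre-upload test should have produced; running it over every .php file in the package (for example with `find /usr/share/wordpress -name '*.php'`) costs a few seconds and needs no web server or database.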