Bug#839190:


Bug#839190: marked as done (wordpress 4.1+dfsg-1+deb8u10 regression)

2016-10-03 Thread Debian Bug Tracking System
Your message dated Mon, 03 Oct 2016 19:17:08 +
with message-id <e1br8jc-at...@franck.debian.org>
and subject line Bug#839190: fixed in wordpress 4.1+dfsg-1+deb8u11
has caused the Debian Bug report #839190,
regarding wordpress 4.1+dfsg-1+deb8u10 regression
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
839190: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839190
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: wordpress
Version: 4.1+dfsg-1+deb8u10
Severity: grave
Justification: renders package unusable

Dear Maintainer,

I've just applied a normal update to jessie, and wordpress 4.1+dfsg-1+deb8u10
(security fix) exhibits a regression, which causes all wordpress sites to fail
with the following error in the web server error log:

Thu Sep 29 23:56:10 2016 - PHP Fatal error:  Cannot redeclare wp_json_encode() \
(previously declared in /usr/share/wordpress/wp-includes/functions.php:2649) \
in /usr/share/wordpress/wp-includes/functions.php on line 2818

Downgrading to 4.1+dfsg-1+deb8u9 restores expected behaviour.

Cheers,
Phil.

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wordpress depends on:
ii  ca-certificates  20141019+deb8u1
ii  libjs-cropper1.2.2-1
ii  libjs-mediaelement   2.15.1+dfsg-1
ii  libphp-phpmailer 5.2.9+dfsg-2+deb8u1
ii  mysql-client-5.5 [mysql-client]  5.5.52-0+deb8u1
ii  nginx-full [httpd]   1.6.2-5+deb8u2+b1
ii  php-getid3   1.9.8-3
ii  php5 5.6.24+dfsg-0+deb8u1
ii  php5-gd  5.6.24+dfsg-0+deb8u1
ii  php5-mysql   5.6.24+dfsg-0+deb8u1
ii  wordpress-theme-twentyfifteen4.1+dfsg-1+deb8u10

Versions of packages wordpress recommends:
ii  wordpress-l10n  4.1+dfsg-1+deb8u10

Versions of packages wordpress suggests:
ii  mysql-server  5.5.52-0+deb8u1
--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 4.1+dfsg-1+deb8u11

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 839...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <cor...@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 01 Oct 2016 11:38:14 +0200
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfifteen 
wordpress-theme-twentyfourteen wordpress-theme-twentythirteen
Architecture: source all
Version: 4.1+dfsg-1+deb8u11
Distribution: jessie-security
Urgency: high
Maintainer: Craig Small <csm...@debian.org>
Changed-By: Yves-Alexis Perez <cor...@debian.org>
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfifteen - weblog manager - twentytfifteen theme files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
Closes: 839190
Changes:
 wordpress (4.1+dfsg-1+deb8u11) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * debian/patches/CVE-2016-6635.patch:
 - don't duplicate wp_encode_json() which has already been backported
   upstream, just merge later changes, fix regression in the previous
   upload.   closes: #839190
   * debian/languages: fix language with "\n" inconsistencies in msgid/msgstr.

Bug#839190: closing 839190

2016-10-01 Thread Yves-Alexis Perez
close 839190 4.1+dfsg-1+deb8u11
thanks



Processed: Bug#839190 marked as pending

2016-10-01 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 839190 pending
Bug #839190 [wordpress] wordpress 4.1+dfsg-1+deb8u10 regression
Ignoring request to alter tags of bug #839190 to the same tags previously set
> thanks
Stopping processing here.

Please contact me if you need assistance.



Bug#839190: marked as pending

2016-10-01 Thread Yves-Alexis Perez
tag 839190 pending
thanks

Hello,

Bug #839190 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=517f657

---
commit 517f65760c1d1a9b9aacc92fdbb382afdb074ba1
Author: Yves-Alexis Perez <cor...@debian.org>
Date:   Fri Sep 30 09:46:15 2016 +0200

Fix regression in previous upload

* Non-maintainer upload by the Security Team.
* debian/patches/CVE-2016-6635.patch:
  - don't duplicate wp_encode_json() which has already been backported
upstream, just merge later changes, fix regression in the previous
upload.

diff --git a/debian/changelog b/debian/changelog
index ad90ddc..3c7cc96 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+wordpress (4.1+dfsg-1+deb8u11) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * debian/patches/CVE-2016-6635.patch:
+- don't duplicate wp_encode_json() which has already been backported
+  upstream, just merge later changes, fix regression in the previous
+  upload.   closes: #839190
+
+ -- Yves-Alexis Perez <cor...@debian.org>  Fri, 30 Sep 2016 09:45:14 +0200
+
 wordpress (4.1+dfsg-1+deb8u10) jessie-security; urgency=high
 
   * Backport patches from 4.6.1/4.1.13 Closes: #837090
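Review bot: the new entry's line `- don't duplicate wp_encode_json() which has already been backported` names the wrong function; the declaration that is duplicated, per the reporter's error log and the functions.php patch in this thread, is wp_json_encode(), so the entry should read `wp_json_encode()`. Also, the distribution in `wordpress (4.1+dfsg-1+deb8u11) UNRELEASED; urgency=high` still has to be switched to `jessie-security` (as in the final .changes) before the upload, otherwise the archive will reject it.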



Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression

2016-09-30 Thread Phil Ashby

On 30/09/16 09:20, Yves-Alexis Perez wrote:

control: tag -1 patch pending

Hi,

thanks for the report, we're aware of the regression. Can you try the attached
patch against functions.php and report back, as soon as possible?

Regards,



Hi,

Applied as follows:

# cd /
# patch -p1 

Bug#839190: [SECURITY] [DSA 3681-1] wordpress security update

2016-09-30 Thread Laurentiu Pancescu
On Fri, 30 Sep 2016 10:29:41 +0200 Yves-Alexis Perez  
wrote:

As for the more general trend, it might also be because the landscape is more
and more complex and time consuming, and there's never enough people to help
on this.


Yes, I can imagine that (for more than a decade, I got away with relying 
on Debian's high standards and not having a test server at all, although 
I probably should have).  Thanks for the quick turnaround and all the 
work over the years, I really appreciate that.  Merci.


Best regards,
Laurențiu



Bug#839190: [SECURITY] [DSA 3681-1] wordpress security update

2016-09-30 Thread Adam Waite
Thanks guys!

Adam

On Fri, Sep 30, 2016 at 1:29 AM, Yves-Alexis Perez 
wrote:

> On ven., 2016-09-30 at 10:26 +0200, Laurentiu Pancescu wrote:
> >
> > Your patch seems to work.  The Ansible playbook completes successfully
> > (it's pretty extensive, from the database creation to importing old
> > posts and media, configuring users and several plugins programmatically
> > with wp-cli, so I'm pretty confident there are no other issues) and
> > browsing the site and logging in as admin and accessing different
> > settings works without any warnings or errors.
>
> Thanks for the report, I'll push a regression update asap
> >
> > As a side note, I started using Debian with 2.2r3, and have the
> > impression that problematic security updates became more frequent in the
> > last few years.  Are DSAs typically tested before being released?  It
> > wouldn't be realistic to expect the security team to have tests for each
> > of the tens of thousands of packages that Debian carries, but the
> > package maintainer should have a working installation with stable or
> > oldstable for testing patches before release?  Could also be just my
> > selective memory, though... :)
>
> Unfortunately, on this one, there was some miscoordination between Craig
> (who prepared the upload) and me (who released it and sent the DSA), and
> in the end the package itself indeed wasn't tested as it should have been.
>
> As for the more general trend, it might also be because the landscape is
> more and more complex and time consuming, and there's never enough people
> to help on this.
>
> Regards,
> --
> Yves-Alexis


Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression

2016-09-30 Thread Yves-Alexis Perez

On Fri, Sep 30, 2016 at 04:50:03PM +0200, Stefano Zacchiroli wrote:
> On Fri, Sep 30, 2016 at 10:20:30AM +0200, Yves-Alexis Perez wrote:
> > thanks for the report, we're aware of the regression. Can you try the 
> > attached
> > patch against functions.php and report back, as soon as possible?
> 
> I've tried the patch, and it fixed the regression for me.

Thanks for the report. I have a package nearly ready for upload, but I'm
waiting for some bits from Craig to fix a build failure which I'm not sure
why it happens here. Stay tuned.

Regards,
-- 
Yves-Alexis Perez



Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression

2016-09-30 Thread Stefano Zacchiroli
On Fri, Sep 30, 2016 at 10:20:30AM +0200, Yves-Alexis Perez wrote:
> thanks for the report, we're aware of the regression. Can you try the attached
> patch against functions.php and report back, as soon as possible?

I've tried the patch, and it fixed the regression for me.

Cheers.
-- 
Stefano Zacchiroli . z...@upsilon.cc . upsilon.cc/zack . . o . . . o . o
Computer Science Professor . CTO Software Heritage . . . . . o . . . o o
Former Debian Project Leader . OSI Board Director  . . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »



Bug#839190: [SECURITY] [DSA 3681-1] wordpress security update

2016-09-30 Thread Yves-Alexis Perez
On ven., 2016-09-30 at 10:26 +0200, Laurentiu Pancescu wrote:
> 
> Your patch seems to work.  The Ansible playbook completes successfully 
> (it's pretty extensive, from the database creation to importing old 
> posts and media, configuring users and several plugins programmatically 
> with wp-cli, so I'm pretty confident there are no other issues) and 
> browsing the site and logging in as admin and accessing different 
> settings works without any warnings or errors.

Thanks for the report, I'll push a regression update asap
> 
> As a side note, I started using Debian with 2.2r3, and have the 
> impression that problematic security updates became more frequent in the 
> last few years.  Are DSAs typically tested before being released?  It 
> wouldn't be realistic to expect the security team to have tests for each 
> of the tens of thousands of packages that Debian carries, but the 
> package maintainer should have a working installation with stable or 
> oldstable for testing patches before release?  Could also be just my 
> selective memory, though... :)

Unfortunately, on this one, there was some miscoordination between Craig (who
prepared the upload) and me (who released it and sent the DSA), and in the end
the package itself indeed wasn't tested as it should have been.

As for the more general trend, it might also be because the landscape is more
and more complex and time consuming, and there's never enough people to help
on this.

Regards,
-- 
Yves-Alexis



Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression

2016-09-30 Thread Yves-Alexis Perez
control: tag -1 patch pending

Hi,

thanks for the report, we're aware of the regression. Can you try the attached
patch against functions.php and report back, as soon as possible?

Regards,
-- 
Yves-Alexis Perez - Debian Security

--- /usr/share/wordpress/wp-includes/functions.php.old	2016-09-30 09:25:52.577170437 +0200
+++ /usr/share/wordpress/wp-includes/functions.php	2016-09-30 09:27:12.659872469 +0200
@@ -2644,142 +2644,6 @@
  * @param int   $options Optional. Options to be passed to json_encode(). Default 0.
  * @param int   $depth   Optional. Maximum depth to walk through $data. Must be
  *   greater than 0. Default 512.
- * @return bool|string The JSON encoded string, or false if it cannot be encoded.
- */
-function wp_json_encode( $data, $options = 0, $depth = 512 ) {
-	/*
-	 * json_encode() has had extra params added over the years.
-	 * $options was added in 5.3, and $depth in 5.5.
-	 * We need to make sure we call it with the correct arguments.
-	 */
-	if ( version_compare( PHP_VERSION, '5.5', '>=' ) ) {
-		$args = array( $data, $options, $depth );
-	} elseif ( version_compare( PHP_VERSION, '5.3', '>=' ) ) {
-		$args = array( $data, $options );
-	} else {
-		$args = array( $data );
-	}
-
-	$json = call_user_func_array( 'json_encode', $args );
-
-	// If json_encode() was successful, no need to do more sanity checking.
-	// ... unless we're in an old version of PHP, and json_encode() returned
-	// a string containing 'null'. Then we need to do more sanity checking.
-	if ( false !== $json && ( version_compare( PHP_VERSION, '5.5', '>=' ) || false === strpos( $json, 'null' ) ) )  {
-		return $json;
-	}
-
-	try {
-		$args[0] = _wp_json_sanity_check( $data, $depth );
-	} catch ( Exception $e ) {
-		return false;
-	}
-
-	return call_user_func_array( 'json_encode', $args );
-}
-
-/**
- * Perform sanity checks on data that shall be encoded to JSON.
- *
- * @see wp_json_encode()
- *
- * @since 4.1.0
- * @access private
- * @internal
- *
- * @param mixed $data  Variable (usually an array or object) to encode as JSON.
- * @param int   $depth Maximum depth to walk through $data. Must be greater than 0.
- * @return mixed The sanitized data that shall be encoded to JSON.
- */
-function _wp_json_sanity_check( $data, $depth ) {
-	if ( $depth < 0 ) {
-		throw new Exception( 'Reached depth limit' );
-	}
-
-	if ( is_array( $data ) ) {
-		$output = array();
-		foreach ( $data as $id => $el ) {
-			// Don't forget to sanitize the ID!
-			if ( is_string( $id ) ) {
-$clean_id = _wp_json_convert_string( $id );
-			} else {
-$clean_id = $id;
-			}
-
-			// Check the element type, so that we're only recursing if we really have to.
-			if ( is_array( $el ) || is_object( $el ) ) {
-$output[ $clean_id ] = _wp_json_sanity_check( $el, $depth - 1 );
-			} elseif ( is_string( $el ) ) {
-$output[ $clean_id ] = _wp_json_convert_string( $el );
-			} else {
-$output[ $clean_id ] = $el;
-			}
-		}
-	} elseif ( is_object( $data ) ) {
-		$output = new stdClass;
-		foreach ( $data as $id => $el ) {
-			if ( is_string( $id ) ) {
-$clean_id = _wp_json_convert_string( $id );
-			} else {
-$clean_id = $id;
-			}
-
-			if ( is_array( $el ) || is_object( $el ) ) {
-$output->$clean_id = _wp_json_sanity_check( $el, $depth - 1 );
-			} elseif ( is_string( $el ) ) {
-$output->$clean_id = _wp_json_convert_string( $el );
-			} else {
-$output->$clean_id = $el;
-			}
-		}
-	} elseif ( is_string( $data ) ) {
-		return _wp_json_convert_string( $data );
-	} else {
-		return $data;
-	}
-
-	return $output;
-}
-
-/**
- * Convert a string to UTF-8, so that it can be safely encoded to JSON.
- *
- * @see _wp_json_sanity_check()
- *
- * @since 4.1.0
- * @access private
- * @internal
- *
- * @param string $string The string which is to be converted.
- * @return string The checked string.
- */
-function _wp_json_convert_string( $string ) {
-	static $use_mb = null;
-	if ( is_null( $use_mb ) ) {
-		$use_mb = function_exists( 'mb_convert_encoding' );
-	}
-
-	if ( $use_mb ) {
-		$encoding = mb_detect_encoding( $string, mb_detect_order(), true );
-		if ( $encoding ) {
-			return mb_convert_encoding( $string, 'UTF-8', $encoding );
-		} else {
-			return mb_convert_encoding( $string, 'UTF-8', 'UTF-8' );
-		}
-	} else {
-		return wp_check_invalid_utf8( $string, true );
-	}
-}
-
-/**
- * Encode a variable into JSON, with some sanity checks.
- *
- * @since 4.1.0
- *
- * @param mixed $dataVariable (usually an array or object) to encode as JSON.
- * @param int   $options Optional. Options to be passed to json_encode(). Default 0.
- * @param int   $depth   Optional. Maximum depth to walk through $data. Must be
- *   greater than 0. Default 512.
  * @return string|false The JSON encoded string, or false if it cannot be encoded.
  */
 function wp_json_encode( $data, $options = 0, $depth = 512 ) {
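Review bot: confirm that the wp_json_encode() copy this hunk keeps (the one beginning at the retained `function wp_json_encode( $data, $options = 0, $depth = 512 ) {` line, after the 136 removed lines) is the version carrying the CVE-2016-6635 changes and not the original 4.1 body being deleted above it; the changelog's "just merge later changes" has to land in the retained copy, otherwise the fatal error goes away but the security fix silently goes with it. The same applies to the removed helpers `_wp_json_sanity_check()` and `_wp_json_convert_string()`: the second hunk starts by removing another `Convert a string to UTF-8` block, which suggests later copies exist, but that should be verified rather than assumed. Note also that the retained docblock is now spliced from two sources (the `@param` lines kept as context at the top belong to the removed first definition, `@return string|false` to the second); the result reads consistently, but it needs a look. Finally, this diff is against the installed `/usr/share/wordpress/wp-includes/functions.php`, which is fine for the reporters' test, but the packaged fix must be applied to `debian/patches/CVE-2016-6635.patch` itself as the changelog says.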
@@ -2867,39 +2731,6 @@
 	}
 }
 
-/**
- * Convert a string to UTF-8, so that it can be safely 

Bug#839190: wordpress 4.1+dfsg-1+deb8u10 regression

2016-09-29 Thread Phil Ashby
Package: wordpress
Version: 4.1+dfsg-1+deb8u10
Severity: grave
Justification: renders package unusable

Dear Maintainer,

I've just applied a normal update to jessie, and wordpress 4.1+dfsg-1+deb8u10
(security fix) exhibits a regression, which causes all wordpress sites to fail
with the following error in the web server error log:

Thu Sep 29 23:56:10 2016 - PHP Fatal error:  Cannot redeclare wp_json_encode() \
(previously declared in /usr/share/wordpress/wp-includes/functions.php:2649) \
in /usr/share/wordpress/wp-includes/functions.php on line 2818

Downgrading to 4.1+dfsg-1+deb8u9 restores expected behaviour.

Cheers,
Phil.

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wordpress depends on:
ii  ca-certificates  20141019+deb8u1
ii  libjs-cropper1.2.2-1
ii  libjs-mediaelement   2.15.1+dfsg-1
ii  libphp-phpmailer 5.2.9+dfsg-2+deb8u1
ii  mysql-client-5.5 [mysql-client]  5.5.52-0+deb8u1
ii  nginx-full [httpd]   1.6.2-5+deb8u2+b1
ii  php-getid3   1.9.8-3
ii  php5 5.6.24+dfsg-0+deb8u1
ii  php5-gd  5.6.24+dfsg-0+deb8u1
ii  php5-mysql   5.6.24+dfsg-0+deb8u1
ii  wordpress-theme-twentyfifteen4.1+dfsg-1+deb8u10

Versions of packages wordpress recommends:
ii  wordpress-l10n  4.1+dfsg-1+deb8u10

Versions of packages wordpress suggests:
ii  mysql-server  5.5.52-0+deb8u1
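One way to catch this class of regression before a security upload: an added example (not code from the bug thread or the Debian wordpress package) that scans a flat PHP file such as wp-includes/functions.php for top-level functions declared twice, the condition behind the reporter's "Cannot redeclare wp_json_encode()" error, run here against a constructed fixture that mimics the duplicated declaration.

```shell
#!/bin/sh
# Added example, not from the bug thread or the Debian package: find top-level
# PHP functions declared more than once in a file. Needs no PHP interpreter;
# `php -l` on the patched file remains the authoritative pre-upload check.

# Print "name<TAB>count" for every top-level function declared more than once.
# Only column-0 `function name(` lines count, so indented class methods and
# `-`/`+` lines of a diff are deliberately ignored.
dup_php_functions() {
    grep -E '^function[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\(' "$1" \
        | sed -E 's/^function[[:space:]]+([A-Za-z_][A-Za-z0-9_]*).*/\1/' \
        | sort | uniq -c \
        | awk '$1 > 1 { printf "%s\t%d\n", $2, $1 }'
}

# Gate for a release pipeline: return 0 when the file is clean, 1 otherwise.
check_php_file() {
    dups=$(dup_php_functions "$1")
    if [ -n "$dups" ]; then
        printf '%s: duplicate top-level function declarations:\n%s\n' "$1" "$dups" >&2
        return 1
    fi
    return 0
}

# Constructed fixture resembling the regression: the backport patch appended a
# second wp_json_encode() below the copy the file already had.
write_sample() {
    cat > "$1" <<'EOF'
<?php
function wp_json_encode( $data, $options = 0, $depth = 512 ) {
	return json_encode( $data, $options, $depth );
}
function _wp_json_sanity_check( $data, $depth ) {
	return $data;
}
// ... further down, the duplicate introduced by the patch:
function wp_json_encode( $data, $options = 0, $depth = 512 ) {
	return json_encode( $data, $options, $depth );
}
class Example {
	public function wp_json_encode() {} // a method, not a redeclaration
}
EOF
}

# Demo on the fixture; in a pre-upload hook, point check_php_file at the real
# file instead (e.g. /usr/share/wordpress/wp-includes/functions.php).
demo=$(mktemp)
write_sample "$demo"
check_php_file "$demo" || echo "fixture flagged as expected"
rm -f "$demo"
```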