Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 202071 (CVE-2007-6318) - www-apps/wordpress < 2.3.2 SQL injection vulnerability (CVE-2007-6318)
Summary: www-apps/wordpress < 2.3.2 SQL injection vulnerability (CVE-2007-6318)
Status: RESOLVED FIXED
Alias: CVE-2007-6318
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://www.abelcheung.org/advisory/20...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-12-12 18:23 UTC by Lars Hartmann
Modified: 2008-01-08 08:21 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2007-12-12 18:23:35 UTC 
SQL injection vulnerability in wp-includes/query.php in WordPress 2.3.1 and
earlier allows remote attackers to execute arbitrary SQL commands via the s
parameter, when DB_CHARSET is set to (1) Big5, (2) GBK, or possibly other
character set encodings that support a "\" in a multibyte character.

Reproducible: Always
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-13 01:28:03 UTC 
Feel free to cc maintainers and set a whiteboard as proposal yourself ;-)
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-12-13 01:28:21 UTC 
web-apps, please advise.
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2007-12-13 06:23:34 UTC 
No patch available and I don't see a chance at fixing it myself. Should we mask it again?
Comment 4 Tomas Hoger 2007-12-13 07:50:31 UTC 
Upstream bug: http://trac.wordpress.org/ticket/5455
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-12-13 12:22:05 UTC 
(In reply to comment #3)
> No patch available and I don't see a chance at fixing it myself. Should we mask
> it again? 

No need to jump to a mask if we can fix it within target delay, which is 40 days for ~X. Let's give the Wordpress folks some days.
Comment 6 Gunnar Wrobel (RETIRED) gentoo-dev 2008-01-08 06:30:26 UTC 
Added 2.3.2 to the tree. All archs unstable. Removed insecure versions. webapps done here.