Critical wordpress update: HTML sanitization

I've made this public as the upstream announcement is public.

Here's the equivalent patch that applies cleanly to 2.9.2. However, although it looks OK to me at a cursory glance, I haven't checked for any unintended side-effects, so it needs review.

The code in the patch looks sane to me, and applied cleanly against my installation of wordpress 2.9.2-1ubuntu1 (Lucid).

The patched WP's blog seems to work properly afterward; I restarted Apache and logged in as admin, created a new post and 2 comments and that worked fine.

What I'm worried about is that I don't know the innards of Wordpress or its internal APIs, and I don't know that the 3.0.4 API has changed subtly since 2.9.2 or not.

As upstream hasn't published an exploit, there's nothing to test against.

I can prepare a full debdiff for lucid and maverick, but I prefer to use bzr which is broken on Ubuntu natty. If someone else want to fix it in lucid and maverick, feel free.

ACK patch for Lucid.

Uploaded fix to the ubuntu-security-proposed PPA.

Uploaded fix for maverick to the ubuntu-security-proposed PPA using the upstream patch, which applied cleanly.

Artur, I've already prepared the patch for natty.

This bug was fixed in the package wordpress - 3.0.3-1ubuntu2

---------------
wordpress (3.0.3-1ubuntu2) natty; urgency=low

  * SECURITY UPDATE: this can be dropped in 3.0.4
    - debian/patches/kses-security.patch: fix several issues in the KSES HTML
      sanitization library
    - LP: #695646
    - CVE-XXXX-XXXX
 -- Jamie Strandboge <email address hidden> Fri, 31 Dec 2010 10:44:07 -0600

Pocket copied wordpress to proposed for lucid and maverick. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!

@Jamie: I wanted to fix issue by merge from Debian unstable.

Lucid -proposed works for me with no known issues. However, I'm actually still running Hardy but with Lucid's wordpress package, and of course I can't test the actual exploit as upstream hasn't published one.

Copied to lucid-security as well. Setting back to v-needed for the maverick update, which still needs to be tested.

wordpress (2.9.2-1ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: fix several issues in the KSES HTML sanitization library
    - debian/patches/011kses.patch: patch based on upstream provided by
      Robie Basak
    - CVE-XXXX-XXXX

This bug was fixed in the package wordpress - 3.0.1-1ubuntu1.1

---------------
wordpress (3.0.1-1ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE:
    - debian/patches/011kses.patch: fix several issues in the KSES HTML
      sanitization library
    - LP: #695646
    - CVE-XXXX-XXXX
 -- Jamie Strandboge <email address hidden> Fri, 31 Dec 2010 10:48:01 -0600