Direct static code injection vulnerability in WordPress 2.0.2 and earlier:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2667

Well, there doesn't appear to be a patch available, so this review will have to
wait until there is one.  I'm watching the svn and testers lists upstream.

I'll have to correct myself - it appears this was patched on 5-26 in SVN.  I've
added that patch, rebuilt, and tested the given exploit, and the exploit now fails.

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.2-1.src.rpm

Happened to notice another one today, IP spoofing issue:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2702

(Note: just parroting my findings here, I have no experience with wordpress nor
am I planning to review it, and I've only _very_ quickly peeked into the SRPM,
so sorry in advance if this turns out to be noise.)

I'll go ahead and take on this review, since I'm familiar with the software.

My findings thus far:

1) There's a new version (2.0.3) out now (obsoletes the patch), need to update

2) Web apps should be installed in /usr/share/<name>, not /var/www, per fedora
extras guidelines

3) rpmlint complains about a bunch of empty files, they should be removed

4) config files should be broken out into /etc/ somewhere

5) %doc lines aren't quite correct, you should be removing them from the
installed packages and then sucking them in w/the %doc line, referring to them
by their relative path within the source

6) the Source0: url doesn't appear to actually work, upstream only post a
'latest.tar.gz' (rather annoying of them...)

I'm rather partial to proposing fixes for issues I come up with in review in the
form of an updated spec file, so you can see exactly what I'm suggesting:

http://wilsonet.com/packages/wordpress/

Packages updated to 2.0.3, other suggestions integrated.  New packages:

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.3-1.src.rpm

One thing I forgot to mention: the way you specify all the files is a matter of preference, but if you're 
going to list them all out rather than simply having a single line '%{_datadir}/wordpress/', you must also 
have a line '%dir %{_datadir}/wordpress/' so that the created directories are also owned by the package.

Also note that the symlink %{_datadir}/wordpress/wp-config.php shouldn't be marked as a config file, 
and symlinks generally should be relative, rather than absolute (otherwise they're hanging within the 
buildroot).

Ah, the wordpress-httpd-conf file needs /var/www/wordpress replaced with /usr/share/wordpress.

Personally, I'd also just do away with the '%define installdir %{_datadir}' and simply replace all cases of %
{installdir} with %{_datadir}, because it just adds unnecessary and non-standard cruft.

Additional review details:

* package meets naming and packaging guidelines: okay
* specfile is properly named, is cleanly written and uses macros consistently: my only beef on that is 
the now unnecessary use of %{installdir}
* dist tag is present: okay
* build root is correct.
      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n): okay
* license field matches the actual license: GPL, okay
* license is open source-compatible, license text included in package: okay
* source files match upstream: okay
      $ md5sum latest.tar.gz wordpress-2.0.3.tar.gz
        0ad0696351cba9ef9b4a3dd97b1f327b  latest.tar.gz
        0ad0696351cba9ef9b4a3dd97b1f327b  wordpress-2.0.3.tar.gz
* latest version is being packaged: v2.0.3, okay
* BuildRequires are proper: okay
* package builds in mock: okay (fedora development, x86_64)
* rpmlint is silent: not quite yet, it complains about /usr/share/wordpress/wp-config.php being 
marked as a config file
* final provides and requires are sane: okay
    wordpress-2.0.3-1.fc6.noarch.rpm
    config(wordpress) = 2.0.3-1.fc6
    wordpress = 2.0.3-1.fc6
    =
    config(wordpress) = 2.0.3-1.fc6
    httpd  
    mysql-server  
    php >= 4.1.

* no shared libraries are present: okay
* package is not relocatable: okay
* owns the directories it creates: not yet, need to add /usr/share/wordpress to %files
* doesn't own any directories it shouldn't: okay
* no duplicates in %files: okay
* file permissions are appropriate: okay
* %clean is present: okay
* %check is present and all tests pass: n/a
* no scriptlets present: okay
* code, not content: okay
* documentation is small, so no -docs subpackage is necessary: okay
* %docs are not necessary for the proper functioning of the package: okay
* no headers: okay
* no pkgconfig files: okay
* no libtool .la files: okay
* not a GUI app: okay
* not a web app: okay

Removed %{installdir} macro, symlink no longer marked config, correct4ed dir
ownerships

Spec: http://www.berningeronline.net/wordpress.spec
SRPM: http://www.berningeronline.net/wordpress-2.0.3-2.src.rpm

And you also corrected the httpd conf file. :) Everything looks good to go now,
package APPROVED.

imported and built for FC4, FC5, and devel.