Bug#: 212147
Status: ASSIGNED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>


Bug 212147 blocks: 213318 213320 213322



Description:   Opened: 2008-03-03 01:37 0000
CVE-2008-1066 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1066):
  The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by
  Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP
  functions via templates, related to a '\0' character in a search string.
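
As an added example (not Smarty's or Gentoo's code), the kind of check a hardened regex_replace modifier needs for the issue above: cut the search pattern at the first NUL byte so the check inspects the same string PCRE does, then strip the `e` (evaluate-replacement-as-PHP) modifier. Function names are hypothetical.

```php
<?php
// Added example, not Smarty's or Gentoo's code: a hardened wrapper around
// preg_replace() for a template regex_replace modifier, addressing the
// CVE-2008-1066 pattern described above. Function names are hypothetical.
//
// Background (assumed mechanism): on PHP versions of that era the pattern
// handed to PCRE was effectively read as a NUL-terminated C string, while a
// flag check written in PHP saw the whole string. The two views could
// disagree, so the "e" modifier (evaluate the replacement as PHP code) could
// get past a check that only looked at the PHP string's trailing flags.
// Doing the checks in this order closes both gaps.

function safe_regex_pattern(string $search): string
{
    // 1. Cut at the first NUL so we inspect exactly what PCRE will see.
    $pos = strpos($search, "\0");
    if ($pos !== false) {
        $search = substr($search, 0, $pos);
    }
    // 2. Remove the "e" modifier from the trailing flag group, if present.
    if (preg_match('/([a-zA-Z\s]+)$/s', $search, $m) && strpos($m[1], 'e') !== false) {
        $flags  = preg_replace('/[e\s]+/', '', $m[1]);
        $search = substr($search, 0, -strlen($m[1])) . $flags;
    }
    return $search;
}

/** Same shape as a regex_replace modifier: $search may be a string or an array. */
function hardened_regex_replace(string $string, $search, $replace): ?string
{
    $search = is_array($search)
        ? array_map('safe_regex_pattern', $search)
        : safe_regex_pattern($search);
    return preg_replace($search, $replace, $string);
}

// Constructed inputs for a self-check.
assert(safe_regex_pattern('/foo/i') === '/foo/i');        // benign pattern untouched
assert(safe_regex_pattern("/foo/i\0tail") === '/foo/i');  // NUL and everything after it dropped
assert(safe_regex_pattern('/foo/ie') === '/foo/i');       // eval modifier stripped
echo hardened_regex_replace('Hello World', '/o/', '0'), "\n";
```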

------- Comment #1 From Robert Buchholz 2008-03-03 01:41:20 0000 -------
PHP herd, is smarty-2.6.19 good to go stable?

I don't know the engine, can someone help me understand the impact/an attack
scenario here?

------- Comment #2 From Jakub Moc (RETIRED) 2008-03-03 08:17:31 0000 -------
(In reply to comment #1)
> PHP herd, is smarty-2.6.19 good to go stable?

Yeah, in fact it fixed multiple other bugs. Arches, please stabilize.

> I don't know the engine, can someone help me understand the impact/an attack
> scenario here?

The docs are at [1] but I guess tomk would be more familiar with this.

http://www.smarty.net/manual/en/language.modifier.regex.replace.php

------- Comment #3 From Hanno Boeck 2008-03-03 10:33:31 0000 -------
I'm not really sure about the impact either (I'll try to dig deeper into it
later today), but this probably affects much more than just the smarty package,
as this is bundled everywhere (bundling libraries is evil, but for php this is
an even more tricky issue due to shared hosting).

www-apps/gallery may be also affected, probably others.

------- Comment #4 From Robert Buchholz 2008-03-03 18:06:59 0000 -------
Hanno, if you can dig into that, it'd be great. I can also grep through our
distfiles, if the lib copies have a common name.

------- Comment #5 From Robert Buchholz 2008-03-03 18:09:12 0000 -------
=dev-php/smarty-2.6.19
Target keywords : "alpha amd64 hppa ppc release sparc x86"

------- Comment #6 From Markus Meier 2008-03-03 18:22:17 0000 -------
x86 stable

------- Comment #7 From Jeroen Roovers 2008-03-03 19:03:49 0000 -------
Stable for HPPA.

------- Comment #8 From Hanno Boeck 2008-03-03 20:42:16 0000 -------
I have feedback from gallery upstream: core is not affected (not using the
function with dynamic content), but thirdparty modules could use it in a way
that makes it vulnerable.

So low impact, but still an issue for gallery; 2.2.5 should follow soon and fix
it.

------- Comment #9 From Hanno Boeck 2008-03-03 20:59:49 0000 -------
www-apps/tikiwiki may also be affected, upstream security contacted.

------- Comment #10 From Raúl Porcel 2008-03-04 12:30:21 0000 -------
alpha/sparc stable

------- Comment #11 From Tobias Scherbaum 2008-03-04 20:55:51 0000 -------
ppc stable

------- Comment #12 From Peter Volkov 2008-03-08 19:36:10 0000 -------
amd64 stable

------- Comment #13 From Peter Volkov 2008-03-08 21:44:18 0000 -------
Hanno, dev-php/PEAR-PhpDocumentor-1.4.1 includes Smarty-2.6.0, so it could be
affected. I'm not sure what the impact could be, but in any case I suppose it's
better to update PhpDocumentor to use the system smarty.

------- Comment #14 From Peter Volkov 2008-03-09 10:17:17 0000 -------
Fixed in release snapshot.

------- Comment #15 From Robert Buchholz 2008-03-13 15:43:11 0000 -------
Hanno, can you sum up the situation and open bugs for packages that are also
affected?

------- Comment #16 From Hanno Boeck 2008-03-13 23:11:01 0000 -------
We know of three packages affected, all upstreams informed, all consider it low
impact but will update the bundled smarty with their next release.
www-apps/tikiwiki
www-apps/gallery
dev-php/PEAR-PhpDocumentor

Also informed some upstreams of affected packages not in portage. Will open
bugs for the three above.

------- Comment #17 From Pierre-Yves Rofes 2008-03-15 21:06:50 0000 -------
glsa request filed.
