Bug 212147 (CVE-2008-1066) - dev-php/smarty < 2.6.19 Remote arbitrary PHP function call (CVE-2008-1066)
Summary: dev-php/smarty < 2.6.19 Remote arbitrary PHP function call (CVE-2008-1066)
Status: RESOLVED FIXED
Alias: CVE-2008-1066
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: B1? [glsa]
Keywords:
Depends on:
Blocks: 213318 213322
Reported: 2008-03-03 01:37 UTC by Robert Buchholz (RETIRED)
Modified: 2010-06-02 21:21 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-03 01:37:59 UTC
CVE-2008-1066 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1066):
  The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by
  Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP
  functions via templates, related to a '\0' character in a search string.
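To make the mechanism behind "a '\0' character in a search string" concrete, the Python model below (added here; it is not part of this bug report or of Smarty's own code) reimplements the two versions of the plugin's eval-modifier stripping check as I recall them from modifier.regex_replace.php before and after 2.6.19; the exact regexes are my recollection and are not confirmed by this page. It assumes that PHP's preg functions of that era read the pattern as a C string and therefore stopped at the first NUL, so the string the plugin inspected and the string PCRE compiled could differ. The search strings are constructed test inputs.

```python
import re

# Constructed search strings a template could pass to |regex_replace:"...":"...".
# "null_trick" is the trailing-NUL case the CVE text refers to.
SEARCHES = {
    "plain": "/x/i",
    "eval_flag": "/x/e",
    "null_trick": "/x/e\0",
}


def pcre_sees(search: str) -> str:
    """Model of a C-string consumer: nothing after the first NUL is visible.

    Assumption: PHP's preg_* functions of that era stopped at the first NUL in
    the pattern, so the modifiers they honoured were those before the NUL.
    """
    nul = search.find("\0")
    return search if nul < 0 else search[:nul]


def strip_e_vulnerable(search: str) -> str:
    """My reconstruction of the pre-2.6.19 check.

    It looks for a run of word characters after a non-word character at the
    very end of the string and drops any 'e' from that run. A trailing NUL is a
    non-word character with nothing after it, so the pattern does not match and
    the 'e' before the NUL is left in place.
    """
    m = re.search(r"\W(\w+)$", search, re.S)
    if m and "e" in m.group(1):
        flags = m.group(1)
        return search[: -len(flags)] + flags.replace("e", "")
    return search


def strip_e_fixed(search: str) -> str:
    """My reconstruction of the 2.6.19 check.

    The search string is truncated at the first NUL first, so the check runs
    over the same bytes PCRE will compile, and the trailing modifier run is
    matched without requiring a preceding non-word character.
    """
    search = pcre_sees(search)
    m = re.search(r"([a-zA-Z\s]+)$", search, re.S)
    if m and "e" in m.group(1):
        flags = m.group(1)
        return search[: -len(flags)] + re.sub(r"[e\s]+", "", flags)
    return search


def eval_flag_reaches_pcre(search: str, strip) -> bool:
    """Does an 'e' modifier survive the check and reach the compiled pattern?

    Assumes '/' as the pattern delimiter (true for the constructed inputs).
    In PHP, a surviving 'e' makes preg_replace() evaluate the replacement as
    PHP code, which is the arbitrary function call the CVE text describes.
    """
    effective = pcre_sees(strip(search))
    m = re.search(r"/([a-zA-Z]*)$", effective)
    return bool(m) and "e" in m.group(1)


def audit(strip) -> dict:
    """Run every constructed search string through one version of the check."""
    return {name: eval_flag_reaches_pcre(s, strip) for name, s in SEARCHES.items()}


if __name__ == "__main__":
    for label, strip in (("vulnerable", strip_e_vulnerable), ("fixed", strip_e_fixed)):
        print(label, audit(strip))
```

Run as-is: under the vulnerable check only the NUL-terminated search string keeps its eval modifier, which is why the bug only matters where a template author (or a third-party module building the search string from untrusted input, as Comment 8 describes) controls that argument; under the fixed check none of the inputs do.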
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-03 01:41:20 UTC
PHP herd, is smarty-2.6.19 good to go stable?

I don't know the engine, can someone help me understand the impact/an attack scenario here?
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2008-03-03 08:17:31 UTC
(In reply to comment #1)
> PHP herd, is smarty-2.6.19 good to go stable?

Yeah, in fact it fixed multiple other bugs. Arches, please stabilize.

> I don't know the engine, can someone help me understand the impact/an attack
> scenario here?

The docs are at [1] but I guess tomk would be more familiar with this.

[1] http://www.smarty.net/manual/en/language.modifier.regex.replace.php
Comment 3 Hanno Böck gentoo-dev 2008-03-03 10:33:31 UTC
I'm not really sure about the impact either (I'll try to dig deeper into it later today), but this probably affects much more than just the smarty package, as this is bundled everywhere (bundling libraries is evil, but for php this is an even more tricky issue due to shared hosting).

www-apps/gallery may be also affected, probably others.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-03 18:06:59 UTC
Hanno, if you can dig into that, it'd be great. I can also grep through our distfiles, if the lib copies have a common name.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-03 18:09:12 UTC
=dev-php/smarty-2.6.19
Target keywords : "alpha amd64 hppa ppc release sparc x86"
Comment 6 Markus Meier gentoo-dev 2008-03-03 18:22:17 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-03 19:03:49 UTC
Stable for HPPA.
Comment 8 Hanno Böck gentoo-dev 2008-03-03 20:42:16 UTC
I have feedback from gallery upstream: core is not affected (not using the function with dynamic content), but third-party modules could use it in a way that makes it vulnerable.

So low impact but still an issue for gallery, 2.2.5 should follow soon and fix it.
Comment 9 Hanno Böck gentoo-dev 2008-03-03 20:59:49 UTC
www-apps/tikiwiki may also be affected, upstream security contacted.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2008-03-04 12:30:21 UTC
alpha/sparc stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-04 20:55:51 UTC
ppc stable
Comment 12 Peter Volkov (RETIRED) gentoo-dev 2008-03-08 19:36:10 UTC
amd64 stable
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-03-08 21:44:18 UTC
Hanno, dev-php/PEAR-PhpDocumentor-1.4.1 includes Smarty-2.6.0, so it could be affected. I'm not sure what the impact could be, but in any case I suppose it's better to update PhpDocumentor to use the system smarty.
Comment 14 Peter Volkov (RETIRED) gentoo-dev 2008-03-09 10:17:17 UTC
Fixed in release snapshot.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-03-13 15:43:11 UTC
Hanno, can you sum up the situation and open bugs for packages that are also affected?
Comment 16 Hanno Böck gentoo-dev 2008-03-13 23:11:01 UTC
We know of three packages affected, all upstreams informed, all consider it low impact but will update the bundled smarty with their next release.
www-apps/tikiwiki
www-apps/gallery
dev-php/PEAR-PhpDocumentor

Also informed some upstreams of affected packages not in portage. Will open bugs for the three above.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-15 21:06:50 UTC
glsa request filed.
Comment 18 George 2009-10-30 00:54:31 UTC
Can anyone give a PoC?

Thanks in advance.
Comment 19 George 2009-10-30 00:55:09 UTC
Could anyone provide a PoC?

Thanks in advance.

George.
Comment 20 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-02 21:21:38 UTC
GLSA 201006-13