213318 – <dev-php/PEAR-PhpDocumentor-1.4.3-r1: bundled smarty lib vulnerable (CVE-2008-1066)

Bug 213318 - <dev-php/PEAR-PhpDocumentor-1.4.3-r1: bundled smarty lib vulnerable (CVE-2008-1066)

Summary: <dev-php/PEAR-PhpDocumentor-1.4.3-r1: bundled smarty lib vulnerable (CVE-2008...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa]
Keywords:

Depends on:	CVE-2008-1066
Blocks:
	Show dependency tree

Reported:	2008-03-13 23:13 UTC by Hanno Böck
Modified:	2011-11-11 22:11 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2008-03-13 23:13:44 UTC

PEAR-PhpDocumentor bundles smarty, which is affected by CVE-2008-1066. Upstream-Bug filed:
http://pear.php.net/bugs/bug.php?id=13351

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-03-28 00:37:52 UTC

Reading the Fedora ChangeLog:
* Fri Mar 21 2008 Konstantin Ryabitsev <icon fedoraproject org> - 1.4.1-2
- Use system php-Smarty.

Do we / can we use the system smarty?

Comment 2 Jakub Moc (RETIRED) gentoo-dev

2008-03-28 17:55:46 UTC

(In reply to comment #1)
> Do we / can we use the system smarty?

No, we don't. I couldn't find the relevant src.rpm anywhere and really don't intend on patching this myself, esp. considering that this bundles 2.6.0 while 2.6.19 is the current stable on Gentoo.

Comment 3 Matti Bickel (RETIRED) gentoo-dev

2010-12-19 21:20:22 UTC

Google gives this:
http://pkgs.fedoraproject.org/gitweb/?p=php-pear-PhpDocumentor.git;a=commitdiff;h=63f319e403332dc1c9bc78bb31e22355ea9efb94

Seems easy enough. Fixed in 1.4.3-r1.

Comment 4 Tim Sammut (RETIRED) gentoo-dev

2011-01-02 05:03:45 UTC

(In reply to comment #3)
> Google gives this:
> http://pkgs.fedoraproject.org/gitweb/?p=php-pear-PhpDocumentor.git;a=commitdiff;h=63f319e403332dc1c9bc78bb31e22355ea9efb94
> 
> Seems easy enough. Fixed in 1.4.3-r1.
> 

Thank you, Matti. Can we stabilize PEAR-PhpDocumentor-1.4.3-r1?

Comment 5 Ole Markus With (RETIRED) gentoo-dev

2011-02-08 12:30:43 UTC

(In reply to comment #4)
> (In reply to comment #3)
> > Google gives this:
> > http://pkgs.fedoraproject.org/gitweb/?p=php-pear-PhpDocumentor.git;a=commitdiff;h=63f319e403332dc1c9bc78bb31e22355ea9efb94
> > 
> > Seems easy enough. Fixed in 1.4.3-r1.
> > 
> 
> Thank you, Matti. Can we stabilize PEAR-PhpDocumentor-1.4.3-r1?
> 

Please do.

Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2011-02-08 12:35:39 UTC

Thank you. Arches, please test and stabilize =dev-php/PEAR-PhpDocumentor-1.4.3-r1

Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-02-08 18:02:11 UTC

ppc/ppc64 stable

Comment 8 Christian Faulhammer (RETIRED) gentoo-dev

2011-02-08 19:50:57 UTC

x86 stable

Comment 9 Agostino Sarubbo gentoo-dev

2011-02-09 14:14:01 UTC

amd64 ok

Comment 10 Markos Chandras (RETIRED) gentoo-dev

2011-02-10 22:17:15 UTC

amd64 done. Thanks Agostino

Comment 11 Jeroen Roovers (RETIRED) gentoo-dev

2011-02-11 07:09:39 UTC

Stable for HPPA.

Comment 12 Raúl Porcel (RETIRED) gentoo-dev

2011-02-12 17:16:45 UTC

alpha/ia64/sparc stable

Comment 13 Tim Sammut (RETIRED) gentoo-dev

2011-02-12 18:29:48 UTC

GLSA request filed.

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2011-11-11 22:11:22 UTC

This issue was resolved and addressed in
 GLSA 201111-04 at http://security.gentoo.org/glsa/glsa-201111-04.xml
by GLSA coordinator Tim Sammut (underling).