Bug 526542 (CVE-2014-8350) - <dev-php/smarty-3.1.21-r1: secure mode bypass (CVE-2014-8350)
Summary: <dev-php/smarty-3.1.21-r1: secure mode bypass (CVE-2014-8350)
Status: RESOLVED FIXED
Alias: CVE-2014-8350
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Reported: 2014-10-23 07:28 UTC by Agostino Sarubbo
Modified: 2015-05-11 20:07 UTC
Description Agostino Sarubbo gentoo-dev 2014-10-23 07:28:05 UTC
From ${URL} :

The 3.1.21 release fixes the following issue:

""
Smarty 3.1.21 minor bug fixes and improvements. Also following up a
security bug fix where <script language="php"> tags still worked in
secure mode. To note, this only affects users using Smarty in secure
mode and exposing templates to untrusted third parties.
""

It is not clear if the 2.x versions are affected or not.

CVE request:

http://seclists.org/oss-sec/2014/q4/420

References:

https://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt?r=4902
https://bugs.debian.org/765920


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 01:04:16 UTC
CVE-2014-8350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8350):
  Smarty before 3.1.21 allows remote attackers to bypass the secure mode
  restrictions and execute arbitrary PHP code as demonstrated by
  "{literal}<{/literal}script language=php>" in a template.
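Added example, not part of the original bug report or of Smarty: a heuristic audit script that flags templates containing a PHP script tag, including the form split with {literal} tags quoted in the CVE text above. It assumes Smarty's default `{` `}` delimiters; the template names and bodies are constructed samples.

```python
import re

# {literal} blocks are emitted verbatim, so dropping the delimiters shows the
# tag as it would appear in the rendered output (assumes default { } delimiters).
LITERAL_TAGS = re.compile(r"\{/?literal\}", re.IGNORECASE)
# <script ... language=php>, quoted or unquoted, possibly spread over lines.
PHP_SCRIPT = re.compile(
    r"<\s*script\b[^>]*\blanguage\s*=\s*[\"']?php\b", re.IGNORECASE)


def find_php_script_tags(template_text):
    """Return the 1-based line numbers where a PHP script tag opens."""
    # The removed delimiters contain no newlines, so line numbers are preserved.
    normalized = LITERAL_TAGS.sub("", template_text)
    return [normalized.count("\n", 0, m.start()) + 1
            for m in PHP_SCRIPT.finditer(normalized)]


def scan_templates(templates):
    """Map template name -> hit lines, for templates with at least one hit."""
    report = {}
    for name, text in templates.items():
        lines = find_php_script_tags(text)
        if lines:
            report[name] = lines
    return report


# Constructed sample templates (hypothetical names, harmless bodies).
SAMPLE_TEMPLATES = {
    "clean.tpl": '<h1>{$title}</h1>\n<script type="text/javascript">var a;</script>\n',
    "direct.tpl": '<p>{$body}</p>\n<script language="php">/* placeholder */</script>\n',
    "split.tpl": '{* note *}\n\n{literal}<{/literal}script language=php>/* placeholder */</script>\n',
    "wrapped.tpl": '<div>\n<script\n  language = PHP>/* placeholder */</script>\n</div>\n',
}

if __name__ == "__main__":
    for name, lines in sorted(scan_templates(SAMPLE_TEMPLATES).items()):
        print(f"{name}: PHP script tag at line(s) {lines}")
```

A hit is a lead for manual review of third-party templates, not proof of compromise; the fix recorded in this bug is the upgrade to 3.1.21 or later.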
Comment 2 Brian Evans (RETIRED) gentoo-dev 2015-04-29 17:08:09 UTC
Arches, please mark stable

Target keywords:
dev-php/smarty-3.1.21-r1 alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 3 Agostino Sarubbo gentoo-dev 2015-04-30 10:56:48 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-04-30 10:58:13 UTC
Stable for alpha/hppa/ia64/ppc/ppc64/sparc/x86
Comment 5 Brian Evans (RETIRED) gentoo-dev 2015-04-30 14:14:55 UTC
+  30 Apr 2015; Brian Evans <grknight@gentoo.org> -smarty-3.1.12.ebuild:
+  Drop vulnerable version wrt security bug 526542
+

+  30 Apr 2015; <grknight@gentoo.org> package.mask:
+  Mask <dev-php/smarty-2.6.29 as it is unknown if vulnerable to security bug
+  526542. Removal in 30 days as to not break scripts using the old version


Cleanup complete.

@security: it's in your court now.
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-04-30 18:53:45 UTC
(In reply to Brian Evans from comment #5)

> 
> Cleanup complete.

Thanks for cleanup

> 
> @security: it's in your court now.

GLSA Vote: No
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-05-11 20:07:59 UTC
GLSA vote: no.

Closing as [noglsa]