596080 – <dev-php/smarty-3.1.30 - {math} shell injection vulnerability

Bug 596080 - <dev-php/smarty-3.1.30 - {math} shell injection vulnerability

Summary: <dev-php/smarty-3.1.30 - {math} shell injection vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2016-10-03 18:56 UTC by Brian Evans (RETIRED)
Modified:	2016-11-24 01:55 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Brian Evans (RETIRED) gentoo-dev

2016-10-03 18:56:29 UTC

dev-php/smarty-3.1.30 fixes a shell injection vulnerability with templates that use the math function in a template.

The template must contain backticks or dollar signs as part of the {math} call on disk AND not have the math function disabled by security features in the running script.

Ebuild has been added to the tree.  It is ready to stable with ALLARCHES.

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2016-11-20 05:32:05 UTC

Marking this as a B4 as it would be considered more of a flaw vice a vulnerability.  Per the upstream comments:

"Many minor bug fixes and enhancements. One {math} shell injection vulnerability patch provided by Tim Weber. Note this is only vulnerable to those with template write access using security features."

@PHP, can we please mark this stable per the ALLARCHES policy?

Comment 2 Michael Orlitzky gentoo-dev

2016-11-20 11:31:32 UTC

(In reply to Aaron Bauman from comment #1)
> 
> @PHP, can we please mark this stable per the ALLARCHES policy?

Yes please.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2016-11-20 11:40:54 UTC

@PHP, package marked stable per ALLARCH policy.  Please let us know when you are ready to clean the vulnerable ebuilds.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=483491fd82409bfd0ec032db979e759fff7881a3

Comment 4 Michael Orlitzky gentoo-dev

2016-11-24 01:52:47 UTC

(In reply to Aaron Bauman from comment #3)
> Please let us know when you are ready to clean the vulnerable ebuilds.

I just removed them.

Comment 5 Aaron Bauman (RETIRED) gentoo-dev

2016-11-24 01:55:41 UTC

GLSA Vote: No