772206 – (CVE-2021-26119, CVE-2021-26120) <dev-php/smarty-3.1.39: multiple vulnerabilities (CVE-2021-{26119,26120})

Bug 772206 (CVE-2021-26119, CVE-2021-26120) - <dev-php/smarty-3.1.39: multiple vulnerabilities (CVE-2021-{26119,26120})

Summary: <dev-php/smarty-3.1.39: multiple vulnerabilities (CVE-2021-{26119,26120})

Status:	RESOLVED FIXED

Alias:	CVE-2021-26119, CVE-2021-26120

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	https://github.com/smarty-php/smarty/...
Whiteboard:	B2 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2021-02-22 23:53 UTC by John Helmert III
Modified:	2021-05-26 08:09 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-02-22 23:53:36 UTC

CVE-2021-26119:

Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.

CVE-2021-26120:

Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.


These are fixed in 3.1.39. Please bump.

Comment 1 Larry the Git Cow gentoo-dev

2021-02-23 03:41:22 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9bdc8cf072043af5e8a2b02cdd52c2a9fe476e2

commit e9bdc8cf072043af5e8a2b02cdd52c2a9fe476e2
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2021-02-23 03:37:33 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2021-02-23 03:37:33 +0000

    dev-php/smarty: new upstream version 3.1.39 with two security fixes.
    
    Bug: https://bugs.gentoo.org/772206
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/smarty/Manifest                                       | 2 +-
 dev-php/smarty/{smarty-3.1.36.ebuild => smarty-3.1.39.ebuild} | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comment 2 Michael Orlitzky gentoo-dev

2021-02-23 03:44:05 UTC

We skipped v3.1.37, but the only changes there were for compatibility with various new/old versions of PHP. v3.1.38 was a no-op, and v3.1.39 is security fixes. So this should be safe to stabilize right away.

Comment 3 John Helmert III archtester

2021-02-23 13:19:03 UTC

(In reply to Michael Orlitzky from comment #2)
> We skipped v3.1.37, but the only changes there were for compatibility with
> various new/old versions of PHP. v3.1.38 was a no-op, and v3.1.39 is
> security fixes. So this should be safe to stabilize right away.

Thanks!

Comment 4 Sam James archtester

2021-02-24 16:22:25 UTC

amd64 ppc ppc64 sparc x86 (ALLARCHES) done

all arches done

Comment 5 Larry the Git Cow gentoo-dev

2021-02-24 17:57:19 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=496ec07666e299bee0b0717da214e03cce24c362

commit 496ec07666e299bee0b0717da214e03cce24c362
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-02-24 17:56:34 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-02-24 17:56:34 +0000

    dev-php/smarty: Cleanup vulnerable version
    
    Bug: https://bugs.gentoo.org/772206
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/smarty/Manifest             |  1 -
 dev-php/smarty/smarty-3.1.33.ebuild | 46 -------------------------------------
 2 files changed, 47 deletions(-)

Comment 6 John Helmert III archtester

2021-02-24 17:58:33 UTC

Thanks!

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2021-05-25 21:28:07 UTC

New GLSA request filed.

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2021-05-26 08:09:52 UTC

This issue was resolved and addressed in
 GLSA 202105-06 at https://security.gentoo.org/glsa/202105-06
by GLSA coordinator Thomas Deutschmann (whissi).