Summary: dev-php/smarty < 2.6.19 Remote arbitrary PHP function call (CVE-2008-1066)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: hanno, jen, php-bugs, pva, scuarplex, tomk
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 213318, 213322
Description Robert Buchholz (RETIRED) 2008-03-03 01:37:59 UTC
CVE-2008-1066 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1066): The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP functions via templates, related to a '\0' character in a search string.
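As an added example (not Smarty's own code, nor its 2.6.19 patch), a hardened regex_replace wrapper that shows the defensive handling for this bug class: truncate the template-supplied pattern at the first NUL byte before inspecting its modifiers, strip the eval modifier, and fail closed on an invalid pattern:

```php
<?php
// Added illustration, not Smarty's own code or its 2.6.19 patch: a hardened
// wrapper around preg_replace() for template-supplied patterns.
//
// Background: before PHP 7, preg_replace() honoured an 'e' modifier that
// eval()ed the replacement as PHP code, so a template engine exposing a
// regex_replace modifier must keep 'e' out of user-controlled patterns.
// A check that only looks at the modifier letters at the very end of the PHP
// string does not see the same bytes the C-level pattern parser sees once the
// pattern contains a NUL byte; that is the bypass class behind CVE-2008-1066.
// The fix is to truncate at the first NUL yourself, before any modifier check.

function hardened_regex_replace(string $string, string $search, string $replace): string
{
    // 1. Drop everything from the first NUL byte onward, so the check below
    //    and the regex engine agree on what the pattern actually is.
    $nul = strpos($search, "\0");
    if ($nul !== false) {
        $search = substr($search, 0, $nul);
    }

    // 2. Remove the eval modifier (and whitespace) from the trailing modifier
    //    group; matching [a-zA-Z\s]+$ also covers whitespace mixed into it.
    if (preg_match('!([a-zA-Z\s]+)$!s', $search, $m) && strpos($m[1], 'e') !== false) {
        $search = substr($search, 0, -strlen($m[1])) . preg_replace('![e\s]+!', '', $m[1]);
    }

    // 3. Fail closed: preg_replace() returns null on a malformed pattern
    //    (including an unknown modifier on PHP 7+); never echo the input back.
    $result = preg_replace($search, $replace, $string);
    if ($result === null) {
        throw new InvalidArgumentException('regex_replace: invalid pattern');
    }
    return $result;
}

// Constructed demo input: a benign pattern passes through unchanged.
echo hardened_regex_replace('Hello World', '/World/', 'Smarty'), "\n"; // Hello Smarty
```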
Comment 1 Robert Buchholz (RETIRED) 2008-03-03 01:41:20 UTC
PHP herd, is smarty-2.6.19 good to go stable? I don't know the engine, can someone help me understand the impact/an attack scenario here?
Comment 2 Jakub Moc (RETIRED) 2008-03-03 08:17:31 UTC
(In reply to comment #1)
> PHP herd, is smarty-2.6.19 good to go stable?
Yeah, in fact it fixed multiple other bugs. Arches, please stabilize.
> I don't know the engine, can someone help me understand the impact/an attack
> scenario here?
The docs are at http://www.smarty.net/manual/en/language.modifier.regex.replace.php but I guess tomk would be more familiar with this.
Comment 3 Hanno Böck 2008-03-03 10:33:31 UTC
I'm not really sure about the impact either (I'll try to dig deeper into it later today), but this probably affects much more than just the smarty package, as this is bundled everywhere (bundling libraries is evil, but for php this is an even more tricky issue due to shared hosting). www-apps/gallery may also be affected, probably others.
Comment 4 Robert Buchholz (RETIRED) 2008-03-03 18:06:59 UTC
Hanno, if you can dig into that, it'd be great. I can also grep through our distfiles, if the lib copies have a common name.
Comment 5 Robert Buchholz (RETIRED) 2008-03-03 18:09:12 UTC
=dev-php/smarty-2.6.19
Target keywords: "alpha amd64 hppa ppc release sparc x86"
Comment 6 Markus Meier 2008-03-03 18:22:17 UTC
Comment 7 Jeroen Roovers (RETIRED) 2008-03-03 19:03:49 UTC
Stable for HPPA.
Comment 8 Hanno Böck 2008-03-03 20:42:16 UTC
I have feedback from gallery upstream: core is not affected (not using the function with dynamic content), but thirdparty modules could use it in a way that makes it vulnerable. So low impact but still an issue for gallery, 2.2.5 should follow soon and fix it.
Comment 9 Hanno Böck 2008-03-03 20:59:49 UTC
www-apps/tikiwiki may also be affected, upstream security contacted.
Comment 10 Raúl Porcel (RETIRED) 2008-03-04 12:30:21 UTC
Comment 11 Tobias Scherbaum (RETIRED) 2008-03-04 20:55:51 UTC
Comment 12 Peter Volkov (RETIRED) 2008-03-08 19:36:10 UTC
Comment 13 Peter Volkov (RETIRED) 2008-03-08 21:44:18 UTC
Hanno, dev-php/PEAR-PhpDocumentor-1.4.1 includes Smarty-2.6.0 so could be affected. I'm not sure what the impact could be, but in any case I suppose it's better to update PhpDocumentor to use system smarty.
Comment 14 Peter Volkov (RETIRED) 2008-03-09 10:17:17 UTC
Fixed in release snapshot.
Comment 15 Robert Buchholz (RETIRED) 2008-03-13 15:43:11 UTC
Hanno, can you sum up the situation and open bugs for packages that are also affected?
Comment 16 Hanno Böck 2008-03-13 23:11:01 UTC
We know of three packages affected, all upstreams informed, all consider it low impact but will update the bundled smarty with their next release.
www-apps/tikiwiki
www-apps/gallery
dev-php/PEAR-PhpDocumentor
Also informed some upstreams of affected packages not in portage. Will open bugs for the three above.
Comment 17 Pierre-Yves Rofes (RETIRED) 2008-03-15 21:06:50 UTC
glsa request filed.
Comment 18 George 2009-10-30 00:54:31 UTC
Can anyone give a PoC? Thanks in advance.
Comment 19 George 2009-10-30 00:55:09 UTC
Could anyone provide a PoC? Thanks in advance. George.
Comment 20 Alex Legler (RETIRED) 2010-06-02 21:21:38 UTC