Summary: | www-apps/gallery: <=2.2.5 affected by bundled smarty (CVE-2008-1066) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | moixa |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | C4? [noglsa] | | |
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 212147 | | |
Bug Blocks: | | | |

Description
Hanno Böck
2008-03-13 23:17:33 UTC
Fixed in 2.2.5? http://gallery.menalto.com/gallery_2.2.5_released

No, still smarty 2.6.16

Looks like a new release is available: http://gallery.menalto.com/gallery_2.2.6_released

They seem to consider this very low priority, they've still not bumped in 2.2.6. I had a discussion with upstream about that and they said it only affects the rare case where external modules use that function and they probably won't update before 2.3 final.

CVE-2008-1066 says: The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP functions via templates, related to a '\0' character in a search string. Changing to B1.

http://gallery.menalto.com/ -> "Gallery 2.3 (Skidoo) Released!", we also have it in tree. Is this fixed now!?

I disagree with the B1 rating. Users should not be allowed to submit templates to exploit this issue. It does not happen within the gallery version we ship, so our whole package is not vulnerable to this. It might only be a problem if external modules are being used. Hanno, did you check whether they included an update to smarty in this 2.3 release?

The bundled smarty is bumped in 2.3. I agree this is not a grave issue, so we should probably just try to get 2.3 stable soon and then close this.

www-apps/gallery/gallery-2.3 should be marked for stabilization then, right?

Targets: alpha amd64 hppa ppc ppc64 sparc x86

amd64 stable

ppc64 done

Stable for HPPA.

alpha/sparc/x86 stable

ppc stable

removed vulnerable versions. webapps done.

Re-Rating C4 due to rbu's comment, closing.