| Summary: | dev-php/smarty <2.6.20-r1 "embedded variable" Remote code execution (CVE-2008-{4810,4811}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | php-bugs, tomk |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://code.google.com/p/smarty-php/source/diff?spec=svn2797&r=2797&format=side&path=/trunk/libs/Smarty_Compiler.class.php | | |
| Whiteboard: | B1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 250376 | | |
| Attachments: | | | |

Description
Robert Buchholz (RETIRED)
2008-10-24 17:17:42 UTC
Latest version available is 2.6.20, there's no "2.6.20-1". 2.6.20 is in CVS since September 4th.

Unfortunately, Secunia does not quote any references. Apparently, they refer to the last three commits here: http://code.google.com/p/smarty-php/source/list?path=/trunk/libs/Smarty_Compiler.class.php&start=2797

Created attachment 169804: smarty-function-injection.patch

Name: CVE-2008-4810
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4810
Published: 2008-10-31
Severity:
Description: The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and (1) a dollar-sign character, aka "php executed in templates;" and (2) a double quoted literal string, aka a "function injection security hole." NOTE: each vector affects slightly different SVN revisions.

Name: CVE-2008-4811
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4811
Published: 2008-10-31
Severity:
Description: The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 r2797 and earlier allows remote attackers to execute arbitrary PHP code via vectors related to templates and a \ (backslash) before a dollar-sign character.

I revbumped smarty to 2.6.20-r1 which includes the fix attached to this bug. Candidate for stabilization: =dev-php/smarty-2.6.20-r1

(and as well: this affects other applications bundling smarty *sigh*)

Arches, please test and mark stable:
=dev-php/smarty-2.6.20-r1
Target keywords : "alpha amd64 hppa ppc sparc x86"

amd64/x86 stable

ppc stable

alpha/sparc stable

Stable for HPPA.

smarty 2.6.21 is now released.

GLSA together with bug 212147 and 213320.

GLSA 201006-13