Summary: | <dev-php/smarty-2.6.28 : File inclusion vulnerability (CVE-2011-1028) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | mjo, php-bugs, tomk, whissi |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.smarty.net/forums/viewtopic.php?t=18815 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Tim Sammut (RETIRED)
2011-02-26 20:03:11 UTC
Adding CVE assignment per http://www.openwall.com/lists/oss-security/2011/02/28/8.

I'd like to do a bit more testing with this, especially to see if the 2.6 branch is vulnerable or not.

(In reply to comment #2)
> I'd like to do a bit more testing with this, especially to see if the 2.6
> branch is vulnerable or not.

This is my concern too. Especially since e.g. phpdocumentor has a dependency on <smarty-3.

2.6.24 and 2.6.26 are vulnerable, I'll get a patch together to fix them (at least 2.2.26) and submit upstream. If they're not interested in supporting 2.6 any more we can use the patch locally while there are still packages that depend on 2.6.

(In reply to comment #4)
> 2.6.24 and 2.6.26 are vulnerable, I'll get a patch together to fix them (at
> least 2.2.26) and submit upstream. If they're not interested in supporting 2.6
> any more we can use the patch locally while there are still packages that
> depend on 2.6.

Hi, Tom. Any luck on this? Thanks!

Fix has been in upstream SVN since Feb 2011. Is 2.6.27 affected? If no, are we good to stable?

(In reply to Chris Reffett from comment #6)
> Fix has been in upstream SVN since Feb 2011. Is 2.6.27 affected? If no, are
> we good to stable?

I took some time and verified: 2.6.27 (latest 2.6.x version) *is* affected!

Hi, I contacted Uwe Tews (Smarty author). He confirmed the vulnerability in Smarty v2.x, but the impact should be limited to developers only. The fix is already in SVN (see r4779; thank you Uwe for the fast response!): https://code.google.com/p/smarty-php/source/detail?r=4779

Upstream says a new 2.x release containing this fix will be released within the next few days.

Smarty v2.6.28 is now available: http://www.smarty.net/files/Smarty-2.6.28.tar.gz

(In reply to Thomas D. from comment #9)
> Smarty v2.6.28 is now available:
> http://www.smarty.net/files/Smarty-2.6.28.tar.gz

Can an ebuild be created for 2.6.28 for stabilization?

Is there anything we can help with? This bug takes very long now...

You just have to create a copy of the previous ebuild for the new version.

(In reply to Thomas D. from comment #11)
> Is there anything we can help with? This bug takes very long now...
>
> You just have to create a copy of the previous ebuild for the new version.

This is sort of being handled by bug 435618

Bumped in tree by olemarkus.

Arches, please test and stabilize:
=dev-php/smarty-2.6.28
Target keywords: alpha amd64 hppa ia64 ppc ppc64 sparc x86

Stable for HPPA.

amd64/ppc/ppc64/x86 stable

alpha/ia64 stable

sparc stable.

Maintainer(s), please cleanup

GLSA? Vote while cleanup is in progress

GLSA vote: no.

Maintainer timeout, cleaned up.

GLSA vote: no

Closing as noglsa