The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by
Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP
functions via templates, related to a '\0' character in a search string.
PHP herd, is smarty-2.6.19 good to go stable?
I don't know the engine, can someone help me understand the impact/an attack scenario here?
(In reply to comment #1)
> PHP herd, is smarty-2.6.19 good to go stable?
Yeah, in fact it fixed multiple other bugs. Arches, please stabilize.
> I don't know the engine, can someone help me understand the impact/an attack
> scenario here?
The docs are at  but I guess tomk would be more familiar with this.
I'm not really sure about the impact either (I'll try to dig deeper into it later today), but this probably affects much more than just the smarty package, as this is bundled everywhere (bundling libraries is evil, but for php this is an even more tricky issue due to shared hosting).
www-apps/gallery may be also affected, probably others.
Hanno, if you can dig into that, it'd be great. I can also grep through our distfiles, if the lib copies have a common name.
Target keywords : "alpha amd64 hppa ppc release sparc x86"
Stable for HPPA.
I have feedback from gallery upstream: core is not affected (not using the function with dynamic content), but thirdparty modules could use it in a way that makes it vulnerable.
So low impact but still an issue for gallery, 2.2.5 should follow soon and fix it.
www-apps/tikiwiki may also be affected, upstream security contacted.
Hanno, dev-php/PEAR-PhpDocumentor-1.4.1 includes Smarty-2.6.0 so could be affected. I'm not sure what impact could be but in any case I suppose it's better to update PhpDocumentor to use system smarty.
Fixed in release snapshot.
Hanno, can you sum up the situation and open bugs for packages that are also affected?
We know of three packages affected, all upstreams informed, all consider it low impact but will update the bundled smarty with their next release.
Also informed some upstreams of affected packages not in portage. Will open bugs for the three above
glsa request filed.
Can anyone give a PoC?
Tnks in advance.
Anyone could provide a PoC?
Tnks in advance.