Bug 213318 - <dev-php/PEAR-PhpDocumentor-1.4.3-r1: bundled smarty lib vulnerable (CVE-2008-1066)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on: CVE-2008-1066
Reported: 2008-03-13 23:13 UTC by Hanno Böck
Modified: 2011-11-11 22:11 UTC (History)
Description Hanno Böck gentoo-dev 2008-03-13 23:13:44 UTC
PEAR-PhpDocumentor bundles smarty, which is affected by CVE-2008-1066. Upstream-Bug filed:
http://pear.php.net/bugs/bug.php?id=13351
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-28 00:37:52 UTC
Reading the Fedora ChangeLog:
* Fri Mar 21 2008 Konstantin Ryabitsev <icon fedoraproject org> - 1.4.1-2
- Use system php-Smarty.

Do we / can we use the system smarty?
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2008-03-28 17:55:46 UTC
(In reply to comment #1)
> Do we / can we use the system smarty?

No, we don't. I couldn't find the relevant src.rpm anywhere and really don't intend on patching this myself, esp. considering that this bundles 2.6.0 while 2.6.19 is the current stable on Gentoo. 
Comment 3 Matti Bickel (RETIRED) gentoo-dev 2010-12-19 21:20:22 UTC
Google gives this:
http://pkgs.fedoraproject.org/gitweb/?p=php-pear-PhpDocumentor.git;a=commitdiff;h=63f319e403332dc1c9bc78bb31e22355ea9efb94

Seems easy enough. Fixed in 1.4.3-r1.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 05:03:45 UTC
(In reply to comment #3)
> Google gives this:
> http://pkgs.fedoraproject.org/gitweb/?p=php-pear-PhpDocumentor.git;a=commitdiff;h=63f319e403332dc1c9bc78bb31e22355ea9efb94
> 
> Seems easy enough. Fixed in 1.4.3-r1.
> 

Thank you, Matti. Can we stabilize PEAR-PhpDocumentor-1.4.3-r1?

Comment 5 Ole Markus With (RETIRED) gentoo-dev 2011-02-08 12:30:43 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > Google gives this:
> > http://pkgs.fedoraproject.org/gitweb/?p=php-pear-PhpDocumentor.git;a=commitdiff;h=63f319e403332dc1c9bc78bb31e22355ea9efb94
> > 
> > Seems easy enough. Fixed in 1.4.3-r1.
> > 
> 
> Thank you, Matti. Can we stabilize PEAR-PhpDocumentor-1.4.3-r1?
> 

Please do.
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-08 12:35:39 UTC
Thank you. Arches, please test and stabilize =dev-php/PEAR-PhpDocumentor-1.4.3-r1
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-08 18:02:11 UTC
ppc/ppc64 stable
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2011-02-08 19:50:57 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2011-02-09 14:14:01 UTC
amd64 ok
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2011-02-10 22:17:15 UTC
amd64 done. Thanks Agostino
Comment 11 Jeroen Roovers gentoo-dev 2011-02-11 07:09:39 UTC
Stable for HPPA.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2011-02-12 17:16:45 UTC
alpha/ia64/sparc stable
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-02-12 18:29:48 UTC
GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-11-11 22:11:22 UTC
This issue was resolved and addressed in
 GLSA 201111-04 at http://security.gentoo.org/glsa/glsa-201111-04.xml
by GLSA coordinator Tim Sammut (underling).