Bug 213320 - <www-apps/tikiwiki-2.0 affected by bundled smarty and other unspecified issues (CVE-2008-{1066,3653,3654})
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [noglsa]
Depends on:
Reported: 2008-03-13 23:15 UTC by Hanno Böck
Modified: 2010-05-30 11:05 UTC
Description Hanno Böck gentoo-dev 2008-03-13 23:15:44 UTC
tikiwiki is affected by CVE-2008-1066. Upstream is informed and will update with the next version.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-15 21:03:07 UTC
Thanks for the report.
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2008-04-18 06:52:33 UTC
tikiwiki-1.9.11 is in the tree but it actually still contains smarty-2.6.18.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-18 09:17:53 UTC
Why did you add ppc then, if this bug is not fixed?
Comment 4 Gunnar Wrobel (RETIRED) gentoo-dev 2008-04-18 10:56:10 UTC
Sorry, my mistake. I bumped the package, emerged it, started commenting on the bug, checked the install and only then realized that they didn't bump smarty. So I finished commenting on the bug but forgot that I already added ppc. Fixed.
Comment 5 Matt Fleming (RETIRED) gentoo-dev 2008-05-08 20:16:16 UTC
What is the plan for this? Tikiwiki 1.9.11 is the latest version upstream and so presumably still contains the vulnerable version of smarty?
Comment 6 Hanno Böck gentoo-dev 2008-08-14 23:58:37 UTC
2.0 is fixed and contains some other vulnerabilities fixed.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 13:42:01 UTC
CVE-2008-3653:
  Multiple unspecified vulnerabilities in TikiWiki CMS/Groupware before 2.0
  have unknown impact and attack vectors.

CVE-2008-3654:
  Unspecified vulnerability in TikiWiki CMS/Groupware before 2.0 allows
  attackers to obtain "path and PHP configuration" via unknown vectors.
Comment 8 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-07 17:30:52 UTC
Added tikiwiki-2.0 to the tree.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-09-08 14:36:00 UTC
Arches, please test and mark stable:
Target keywords: "ppc"
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-19 18:45:29 UTC
ppc stable
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-19 19:50:46 UTC
glsa with #212147
Comment 12 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-21 13:09:46 UTC
Removed vulnerable versions. webapps done.
Comment 13 Hanno Böck gentoo-dev 2008-11-30 20:17:50 UTC
Do we need a glsa on this? I think no and as 2.2 is in the tree and no older versions, could we then close this?
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-30 11:05:39 UTC
No GLSA will be sent.