Bug 213322 - www-apps/gallery: <=2.2.5 affected by bundled smarty (CVE-2008-1066)
Summary: www-apps/gallery: <=2.2.5 affected by bundled smarty (CVE-2008-1066)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: C4? [noglsa]
Depends on: CVE-2008-1066
Reported: 2008-03-13 23:17 UTC by Hanno Böck
Modified: 2009-01-11 19:06 UTC
Description Hanno Böck gentoo-dev 2008-03-13 23:17:33 UTC
Current gallery is affected by CVE-2008-1066, upstream informed, they'll update with the next release.
Comment 1 Tobias Sager 2008-06-12 05:43:20 UTC
Fixed in 2.2.5?
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2008-06-20 15:28:18 UTC
No, still smarty 2.6.16
Comment 3 Richard Freeman gentoo-dev 2008-09-18 10:29:15 UTC
Looks like a new release is available:
Comment 4 Hanno Böck gentoo-dev 2008-09-18 10:46:13 UTC
They seem to consider this very low priority, they've still not bumped in 2.2.6. I had a discussion with upstream about that and they said it only affects the rare case where external modules use that function and they probably won't update before 2.3 final.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 17:32:06 UTC
CVE-2008-1066 says:
The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP functions via templates, related to a '\0' character in a search string. 

Changing to B1. -> "Gallery 2.3 (Skidoo) Released!", we also have it in tree. Is this fixed now!?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-11-30 17:59:57 UTC
I disagree with the B1 rating. Users should not be allowed to submit templates to exploit this issue. It does not happen within the gallery version we ship, so our whole package is not vulnerable to this. It might only be a problem if external modules are being used.

Hanno, did you check whether they included an update to smarty in this 2.3 release?
Comment 7 Hanno Böck gentoo-dev 2008-11-30 19:31:14 UTC
The bundled smarty is bumped in 2.3. I agree this is not a grave issue, so we should probably just try to get 2.3 stable soon and then close this.
Comment 8 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-03 00:09:10 UTC
www-apps/gallery/gallery-2.3 should be marked for stabilization then, right?


  alpha amd64 hppa ppc ppc64 sparc x86
Comment 9 Richard Freeman gentoo-dev 2008-12-03 01:10:39 UTC
amd64 stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2008-12-03 14:17:16 UTC
ppc64 done
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-03 16:10:26 UTC
Stable for HPPA.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-12-05 09:38:27 UTC
alpha/sparc/x86 stable
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-06 18:56:47 UTC
ppc stable
Comment 14 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-07 07:01:35 UTC
removed vulnerable versions. webapps done.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 21:56:17 UTC
Re-Rating C4 due to rbu's comment, closing.
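
An added example, not part of the bug report and not code from Gallery or Smarty: an inventory check that walks an installed web-application tree, finds every bundled copy of Smarty 2.x, and compares its version with 2.6.19, the fix release named in the CVE text quoted in comment 5. It assumes Smarty 2.x declares its version as `var $_version = '...';` in `Smarty.class.php` and keeps the plugin under `plugins/`; the sample directory layout is constructed.

```python
import os
import re
import sys
import tempfile

FIXED = (2, 6, 19)  # CVE-2008-1066 affects "Smarty before 2.6.19"
# Assumption: Smarty 2.x declares its release in Smarty.class.php as
#   var $_version = '2.6.16';
VERSION_RE = re.compile(r"\$_version\s*=\s*['\"](\d+(?:\.\d+)*)")
PLUGIN = os.path.join("plugins", "modifier.regex_replace.php")  # file named in the CVE


def parse_version(text):
    """Return the Smarty version as a tuple of ints, or None if not found."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def find_bundled_smarty(root):
    """Return sorted (path, version, status, plugin_present) per Smarty copy under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "Smarty.class.php" not in files:
            continue
        path = os.path.join(dirpath, "Smarty.class.php")
        with open(path, encoding="latin-1") as fh:
            version = parse_version(fh.read())
        if version is None:
            status = "unknown"  # e.g. a different major version or a modified file
        else:
            status = "affected" if version < FIXED else "fixed"
        plugin_present = os.path.isfile(os.path.join(dirpath, PLUGIN))
        findings.append((path, version, status, plugin_present))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:
        # Constructed sample tree standing in for an unpacked web application.
        root = tempfile.mkdtemp()
        libs = os.path.join(root, "gallery", "lib", "smarty")
        os.makedirs(os.path.join(libs, "plugins"))
        with open(os.path.join(libs, "Smarty.class.php"), "w") as fh:
            fh.write("<?php\nclass Smarty {\n    var $_version = '2.6.16';\n}\n")
        open(os.path.join(libs, PLUGIN), "w").close()
    for path, version, status, plugin in find_bundled_smarty(root):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{path}: Smarty {shown} [{status}] regex_replace plugin present: {plugin}")
```

Pass the web root as the first argument to scan a real installation; a copy reported as `unknown` needs manual inspection rather than being treated as fixed.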