Secunia wrote:
A vulnerability has been reported in Smarty, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an error when processing data with embedded variables. This can be exploited to potentially execute arbitrary PHP code. This vulnerability is reported in version 2.6.19.
SOLUTION: Update to version 2.6.20-1.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
Latest version available is 2.6.20; there's no "2.6.20-1". 2.6.20 has been in CVS since September 4th.
Unfortunately, Secunia does not quote any references. Apparently, they refer to the last three commits here: http://code.google.com/p/smarty-php/source/list?path=/trunk/libs/Smarty_Compiler.class.php&start=2797
Created attachment 169804: smarty-function-injection.patch
Name: CVE-2008-4810
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4810
Published: 2008-10-31
Severity:
Description: The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and (1) a dollar-sign character, aka "php executed in templates;" and (2) a double quoted literal string, aka a "function injection security hole." NOTE: each vector affects slightly different SVN revisions.
Name: CVE-2008-4811
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4811
Published: 2008-10-31
Severity:
Description: The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 r2797 and earlier allows remote attackers to execute arbitrary PHP code via vectors related to templates and a \ (backslash) before a dollar-sign character.
I revbumped smarty to 2.6.20-r1 which includes the fix attached to this bug. Candidate for stabilization: =dev-php/smarty-2.6.20-r1 (and as well: this affects other applications bundling smarty *sigh*)
Arches, please test and mark stable: =dev-php/smarty-2.6.20-r1 Target keywords : "alpha amd64 hppa ppc sparc x86"
amd64/x86 stable
ppc stable
alpha/sparc stable
Stable for HPPA.
smarty 2.6.21 is now released.
GLSA together with bug 212147 and 213320.
GLSA 201006-13