Bug 243856 (CVE-2008-4810) - dev-php/smarty <2.6.20-r1 "embedded variable" Remote code execution (CVE-2008-{4810,4811})
Status: RESOLVED FIXED
Alias: CVE-2008-4810
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://code.google.com/p/smarty-php/s...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks: 250376
Reported: 2008-10-24 17:17 UTC by Robert Buchholz (RETIRED)
Modified: 2010-06-02 21:21 UTC

Attachments
smarty-function-injection.patch (smarty-function-injection.patch,1.21 KB, patch)
2008-10-25 12:47 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-10-24 17:17:42 UTC
Secunia wrote:
A vulnerability has been reported in Smarty, which can be exploited
by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error when processing data with
embedded variables. This can be exploited to potentially execute
arbitrary PHP code.

This vulnerability is reported in version 2.6.19.

SOLUTION:
Update to version 2.6.20-1.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-24 17:26:12 UTC
Latest version available is 2.6.20, there's no "2.6.20-1". 2.6.20 is in CVS since September 4th.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-25 12:46:47 UTC
Unfortunately, Secunia does not quote any references. Apparently, they refer to the last three commits here:
http://code.google.com/p/smarty-php/source/list?path=/trunk/libs/Smarty_Compiler.class.php&start=2797
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-10-25 12:47:04 UTC
Created attachment 169804
smarty-function-injection.patch
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-02 20:01:22 UTC
Name:      CVE-2008-4810
URL:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4810
Published: 2008-10-31
Severity:
Description:

The _expand_quoted_text function in libs/Smarty_Compiler.class.php in
Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary
PHP code via vectors related to templates and (1) a dollar-sign
character, aka "php executed in templates;" and (2) a double quoted
literal string, aka a "function injection security hole." NOTE: each
vector affects slightly different SVN revisions.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-02 20:02:18 UTC
Name:      CVE-2008-4811
URL:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4811
Published: 2008-10-31
Severity:
Description:

The _expand_quoted_text function in libs/Smarty_Compiler.class.php in
Smarty 2.6.20 r2797 and earlier allows remote attackers to execute
arbitrary PHP code via vectors related to templates and a \ (backslash)
before a dollar-sign character.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-28 15:56:18 UTC
I revbumped smarty to 2.6.20-r1 which includes the fix attached to this bug.

Candidate for stabilization: 
=dev-php/smarty-2.6.20-r1

(and as well: this affects other applications bundling smarty *sigh*)
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-11-28 17:55:20 UTC
Arches, please test and mark stable:
=dev-php/smarty-2.6.20-r1
Target keywords : "alpha amd64 hppa ppc sparc x86"
Comment 8 Markus Meier gentoo-dev 2008-11-28 20:18:13 UTC
amd64/x86 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-28 21:57:35 UTC
ppc stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2008-11-29 16:56:21 UTC
alpha/sparc stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-29 17:49:59 UTC
Stable for HPPA.
Comment 12 Hanno Böck gentoo-dev 2008-12-03 00:08:53 UTC
smarty 2.6.21 is now released.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-15 14:04:08 UTC
GLSA together with bug 212147 and 213320.
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-02 21:21:47 UTC
GLSA 201006-13