Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 270494 (CVE-2009-1669) - <dev-php/smarty-2.6.23 Arbitrary command execution (CVE-2009-1669)
Summary: <dev-php/smarty-2.6.23 Arbitrary command execution (CVE-2009-1669)
Status: RESOLVED FIXED
Alias: CVE-2009-1669
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-19 21:25 UTC by Alex Legler (RETIRED)
Modified: 2010-06-02 21:21 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-19 21:25:47 UTC 
CVE-2009-1669 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1669):
  The smarty_function_math function in libs/plugins/function.math.php
  in Smarty 2.6.22 allows context-dependent attackers to execute
  arbitrary commands via shell metacharacters in the equation attribute
  of the math function.  NOTE: some of these details are obtained from
  third party information.
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2009-05-20 16:57:05 UTC 
Smarty-2.6.24 has been released meanwhile, which is now added to cvs.

Candidate for stabilization:
=dev-php/smarty-2.6.24
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-05-20 18:39:13 UTC 
Arches, please test and mark stable:
=dev-php/smarty-2.6.24
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-21 01:40:21 UTC 
Stable for HPPA.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-22 12:44:46 UTC 
x86 stable
Comment 5 Markus Meier gentoo-dev 2009-05-22 22:46:40 UTC 
amd64 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2009-05-24 13:35:04 UTC 
Stable on alpha.
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-05-25 16:06:20 UTC 
ppc64 done
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-05-25 16:06:26 UTC 
ppc done
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-06-02 16:46:01 UTC 
alpha/sparc stable
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-03 18:16:41 UTC 
GLSA together with bug 212147, bug 213320, and bug 243856.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-02 21:21:51 UTC 
GLSA 201006-13