Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 356615 (CVE-2011-1028) - <dev-php/smarty-2.6.28 : File inclusion vulnerability (CVE-2011-1028)
Summary: <dev-php/smarty-2.6.28 : File inclusion vulnerability (CVE-2011-1028)
Status: RESOLVED FIXED
Alias: CVE-2011-1028
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.smarty.net/forums/viewtopi...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-26 20:03 UTC by Tim Sammut (RETIRED)
Modified: 2013-12-15 09:21 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-02-26 20:03:11 UTC
From $URL:

Anyway, i found a problem with $smarty.template variable, and how it's inserted into compiled php file.
If i have a template source file named '.(include 'hack.php').'.tpl containing just {$smarty.template} string, it gets compiled into following:
Code:
<?php echo ''.(include 'hack.php').'.tpl';?>

Which would effectively include hack.php file.

Vulnerable code is found in sysplugins/smarty_internal_compile_private_special_variable.php file (line 60), and looks like there's several potential issues as well. I guess solution would be to simply call addslashes for inserted variable.


@tomk and @php, 3.0.7 is reportedly fixed and is already in the tree. Is it an appropriate target for stabilization? Thanks!
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-03-02 06:46:49 UTC
Adding CVE assignment per http://www.openwall.com/lists/oss-security/2011/02/28/8.
Comment 2 Tom Knight (RETIRED) gentoo-dev 2011-03-02 09:38:31 UTC
I'd like to do a bit more testing with this, especially to see if the 2.6 branch is vulnerable or not.
Comment 3 Ole Markus With (RETIRED) gentoo-dev 2011-03-02 10:39:49 UTC
(In reply to comment #2)
> I'd like to do a bit more testing with this, especially to see if the 2.6
> branch is vulnerable or not.
> 

This is my concern too. Especially since e.g phpdocumentor has a dependency on <smarty-3.
Comment 4 Tom Knight (RETIRED) gentoo-dev 2011-03-02 11:53:24 UTC
2.6.24 and 2.6.26 are vulnerable, I'll get a patch together to fix them (at least 2.2.26) and submit upstream. If they're not interested in supporting 2.6 any more we can use the patch locally while there are still packages that depend on 2.6.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-06-12 20:46:57 UTC
(In reply to comment #4)
> 2.6.24 and 2.6.26 are vulnerable, I'll get a patch together to fix them (at
> least 2.2.26) and submit upstream. If they're not interested in supporting 2.6
> any more we can use the patch locally while there are still packages that
> depend on 2.6.

Hi, Tom. Any luck on this? Thanks!
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 19:51:56 UTC
Fix has been in upstream SVN since Feb 2011. Is 2.6.27 affected? If no, are we good to stable?
Comment 7 Thomas Deutschmann gentoo-dev Security 2013-09-03 21:07:26 UTC
(In reply to Chris Reffett from comment #6)
> Fix has been in upstream SVN since Feb 2011. Is 2.6.27 affected? If no, are
> we good to stable?

I took some time and verified: 2.6.27 (latest 2.6.x version) *is* affected!
Comment 8 Thomas Deutschmann gentoo-dev Security 2013-09-30 19:52:00 UTC
Hi,

I contacted Uwe Tews (Smarty author). He confirmed the vulnerability in Smarty v2.x, but the impact should be limited to developers only.

The fix is already in SVN (see r4779; thank you Uwe for the fast response!):
https://code.google.com/p/smarty-php/source/detail?r=4779

Upstream says a new 2.x release containing this fix will be released within the next few days.
Comment 9 Thomas Deutschmann gentoo-dev Security 2013-10-02 19:42:57 UTC
Smarty v2.6.28 is now available:
http://www.smarty.net/files/Smarty-2.6.28.tar.gz
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2013-10-08 04:41:28 UTC
(In reply to Thomas D. from comment #9)
> Smarty v2.6.28 is now available:
> http://www.smarty.net/files/Smarty-2.6.28.tar.gz

Can an ebuild be created for 2.6.28 for stabilization?
Comment 11 Thomas Deutschmann gentoo-dev Security 2013-10-21 12:14:12 UTC
Is there anything we can help with? This bug takes very long now...

You just have to create a copy of the previous ebuild for the new version.
Comment 12 Ole Markus With (RETIRED) gentoo-dev 2013-10-21 19:24:44 UTC
(In reply to Thomas D. from comment #11)
> Is there anything we can help with? This bug takes very long now...
> 
> You just have to create a copy of the previous ebuild for the new version.

This is sort of being handled by bug 435618
Comment 13 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-21 19:43:36 UTC
Bumped in tree by olemarkus. Arches, please test and stabilize:
=dev-php/smarty-2.6.28
Target keywords: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2013-10-24 12:54:16 UTC
Stable for HPPA.
Comment 15 Agostino Sarubbo gentoo-dev 2013-10-25 10:51:17 UTC
amd64/ppc/ppc64/x86 stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-10-25 10:52:57 UTC
alpha/ia64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-11-03 11:24:40 UTC
sparc stable. Maintainer(s), please cleanup
Comment 18 Yury German Gentoo Infrastructure gentoo-dev Security 2013-11-03 14:25:48 UTC
GLSA? Vote while cleanup is in progress
Comment 19 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-09 01:51:27 UTC
GLSA vote: no. Maintainer timeout, cleaned up.
Comment 20 Sergey Popov gentoo-dev 2013-12-15 09:21:29 UTC
GLSA vote: no

Closing as noglsa