From $URL: Anyway, i found a problem with $smarty.template variable, and how it's inserted into compiled php file. If i have a template source file named '.(include 'hack.php').'.tpl containing just {$smarty.template} string, it gets compiled into following: Code: <?php echo ''.(include 'hack.php').'.tpl';?> Which would effectively include hack.php file. Vulnerable code is found in sysplugins/smarty_internal_compile_private_special_variable.php file (line 60), and looks like there's several potential issues as well. I guess solution would be to simply call addslashes for inserted variable. @tomk and @php, 3.0.7 is reportedly fixed and is already in the tree. Is it an appropriate target for stabilization? Thanks!
Adding CVE assignment per http://www.openwall.com/lists/oss-security/2011/02/28/8.
I'd like to do a bit more testing with this, especially to see if the 2.6 branch is vulnerable or not.
(In reply to comment #2) > I'd like to do a bit more testing with this, especially to see if the 2.6 > branch is vulnerable or not. > This is my concern too. Especially since e.g phpdocumentor has a dependency on <smarty-3.
2.6.24 and 2.6.26 are vulnerable, I'll get a patch together to fix them (at least 2.2.26) and submit upstream. If they're not interested in supporting 2.6 any more we can use the patch locally while there are still packages that depend on 2.6.
(In reply to comment #4) > 2.6.24 and 2.6.26 are vulnerable, I'll get a patch together to fix them (at > least 2.2.26) and submit upstream. If they're not interested in supporting 2.6 > any more we can use the patch locally while there are still packages that > depend on 2.6. Hi, Tom. Any luck on this? Thanks!
Fix has been in upstream SVN since Feb 2011. Is 2.6.27 affected? If no, are we good to stable?
(In reply to Chris Reffett from comment #6) > Fix has been in upstream SVN since Feb 2011. Is 2.6.27 affected? If no, are > we good to stable? I took some time and verified: 2.6.27 (latest 2.6.x version) *is* affected!
Hi, I contacted Uwe Tews (Smarty author). He confirmed the vulnerability in Smarty v2.x, but the impact should be limited to developers only. The fix is already in SVN (see r4779; thank you Uwe for the fast response!): https://code.google.com/p/smarty-php/source/detail?r=4779 Upstream says a new 2.x release containing this fix will be released within the next few days.
Smarty v2.6.28 is now available: http://www.smarty.net/files/Smarty-2.6.28.tar.gz
(In reply to Thomas D. from comment #9) > Smarty v2.6.28 is now available: > http://www.smarty.net/files/Smarty-2.6.28.tar.gz Can an ebuild be created for 2.6.28 for stabilization?
Is there anything we can help with? This bug takes very long now... You just have to create a copy of the previous ebuild for the new version.
(In reply to Thomas D. from comment #11) > Is there anything we can help with? This bug takes very long now... > > You just have to create a copy of the previous ebuild for the new version. This is sort of being handled by bug 435618
Bumped in tree by olemarkus. Arches, please test and stabilize: =dev-php/smarty-2.6.28 Target keywords: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64/ppc/ppc64/x86 stable
alpha/ia64 stable
sparc stable. Maintainer(s), please cleanup
GLSA? Vote while cleanup is in progress
GLSA vote: no. Maintainer timeout, cleaned up.
GLSA vote: no Closing as noglsa
