Bug 435618 (CVE-2012-4437) - <dev-php/smarty-3.1.12: "SmartyException" Cross-site scripting (CVE-2012-4437)
Summary: <dev-php/smarty-3.1.12: "SmartyException" Cross-site scripting (CVE-2012-4437)
Alias: CVE-2012-4437
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Duplicates: 481780
Depends on:
Blocks: CVE-2009-5052
Reported: 2012-09-20 08:31 UTC by Agostino Sarubbo
Modified: 2014-06-19 12:21 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2012-09-20 08:31:39 UTC
A vulnerability has been reported in Smarty, which can be exploited by malicious people to conduct cross-site scripting attacks.

Certain input passed via exception messages is not properly sanitised in the "SmartyException" class before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in version 3.1.11. Prior versions may also be affected.

Fixed in the SVN repository.
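The pattern the advisory describes, as an added illustration that is not Smarty's own code: an exception message that carries attacker-influenced data (here a constructed template name) is written into an HTML error page verbatim, and the same output with HTML encoding applied. The class name, message text and render functions are assumptions made for this example.

```php
<?php
// Added example, not Smarty code: why an unescaped exception message is an XSS
// sink, and the escaping fix. Class, message and helpers are constructed here.
class DemoTemplateException extends Exception {}

// Constructed tainted input: a template name as it might arrive in a request
// parameter, carrying markup that must never reach the browser unencoded.
$requestedTemplate = 'index<script>alert(1)</script>.tpl';

function renderErrorUnsafe(Exception $e): string
{
    // Vulnerable pattern: the message is concatenated into HTML as-is, so any
    // markup inside it becomes live markup in the victim's browser.
    return '<p class="error">' . $e->getMessage() . '</p>';
}

function renderErrorSafe(Exception $e): string
{
    // Fixed pattern: encode the message for an HTML text context before output.
    // ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids an empty
    // result on invalid UTF-8 instead of silently dropping the whole message.
    return '<p class="error">'
        . htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

try {
    // The engine embeds the untrusted name in its own error text.
    throw new DemoTemplateException("Unable to load template '$requestedTemplate'");
} catch (Exception $e) {
    echo renderErrorUnsafe($e), PHP_EOL; // contains a live <script> element
    echo renderErrorSafe($e), PHP_EOL;   // contains &lt;script&gt; instead
}
```

Running the script side by side shows that only the encoded variant leaves the `<script>` text inert; the same encoding belongs on every place an exception message is rendered, not just the one the advisory names.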

Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-10-01 21:35:02 UTC
CVE-2012-4437:
  Cross-site scripting (XSS) vulnerability in the SmartyException class in Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger a Smarty
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 17:19:02 UTC
@maintainers: looks like 2.6.27 is not listed as affected. Okay to stable it? (I assume we won't stable 3.1 at this time)
Comment 3 Ole Markus With (RETIRED) gentoo-dev 2013-09-26 08:41:03 UTC
(In reply to Chris Reffett from comment #2)
> @maintainers: looks like 2.6.27 is not listed as affected. Okay to stable
> it? (I assume we won't stable 3.1 at this time)

Sorry for the late response. Yep. You can stabilise it.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-29 16:22:36 UTC
Arches, please test and mark stable:
Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-29 18:23:48 UTC
Actually, hold off, we will probably be masking 2.6 and stabilizing 3.x. Will sort this all out tonight when I'm at my dev box.
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-30 16:19:48 UTC
After discussion with maintainers, we will be stabilizing 3.1.12 and pmasking 2.6.x. Arches, please test and stabilize:
Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-10-01 13:21:31 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-10-02 06:23:08 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-10-02 06:23:24 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-10-06 10:13:04 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-10-06 15:18:48 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-10-07 19:29:23 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-10-09 11:18:15 UTC
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-10-09 17:09:21 UTC
sparc stable
Comment 15 Michael Orlitzky gentoo-dev 2013-12-03 01:48:12 UTC
(In reply to Agostino Sarubbo from comment #9)
> x86 stable

Did this commit get lost somehow? I still see,

  KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc ~x86"
Comment 16 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-09 01:50:23 UTC
x86 was not stabled for smarty-3.1.12, fix please.
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-26 19:21:03 UTC
(In reply to Chris Reffett from comment #16)
> x86 was not stabled for smarty-3.1.12, fix please.

Comment 18 Sergey Popov gentoo-dev 2013-12-27 10:30:51 UTC
Thanks for your work.

GLSA vote: no
Comment 19 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-27 13:45:21 UTC
GLSA vote: no, closing noglsa.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 08:05:46 UTC
Maintainer(s), please drop the vulnerable version.
Comment 21 Matti Bickel (RETIRED) gentoo-dev 2014-01-08 17:36:22 UTC
*** Bug 481780 has been marked as a duplicate of this bug. ***
Comment 22 Chris Reffett (RETIRED) gentoo-dev Security 2014-06-19 12:21:04 UTC
2.6.28 is not affected and we ended up not removing 2.* because it had fixes backported for a different bug. Closing noglsa.