Bug 772206 (CVE-2021-26119, CVE-2021-26120) - <dev-php/smarty-3.1.39: multiple vulnerabilities (CVE-2021-{26119,26120})
Status: RESOLVED FIXED
Alias: CVE-2021-26119, CVE-2021-26120
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://github.com/smarty-php/smarty/...
Whiteboard: B2 [glsa+ cve]
Reported: 2021-02-22 23:53 UTC by John Helmert III
Modified: 2021-05-26 08:09 UTC
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2021-02-22 23:53:36 UTC
CVE-2021-26119:

Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.

CVE-2021-26120:

Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.


These are fixed in 3.1.39. Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-02-23 03:41:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9bdc8cf072043af5e8a2b02cdd52c2a9fe476e2

commit e9bdc8cf072043af5e8a2b02cdd52c2a9fe476e2
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2021-02-23 03:37:33 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2021-02-23 03:37:33 +0000

    dev-php/smarty: new upstream version 3.1.39 with two security fixes.
    
    Bug: https://bugs.gentoo.org/772206
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/smarty/Manifest                                       | 2 +-
 dev-php/smarty/{smarty-3.1.36.ebuild => smarty-3.1.39.ebuild} | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 2 Michael Orlitzky gentoo-dev 2021-02-23 03:44:05 UTC
We skipped v3.1.37, but the only changes there were for compatibility with various new/old versions of PHP. v3.1.38 was a no-op, and v3.1.39 is security fixes. So this should be safe to stabilize right away.
Comment 3 John Helmert III gentoo-dev Security 2021-02-23 13:19:03 UTC
(In reply to Michael Orlitzky from comment #2)
> We skipped v3.1.37, but the only changes there were for compatibility with
> various new/old versions of PHP. v3.1.38 was a no-op, and v3.1.39 is
> security fixes. So this should be safe to stabilize right away.

Thanks!
Comment 4 Sam James archtester gentoo-dev Security 2021-02-24 16:22:25 UTC
amd64 ppc ppc64 sparc x86 (ALLARCHES) done

all arches done
Comment 5 Larry the Git Cow gentoo-dev 2021-02-24 17:57:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=496ec07666e299bee0b0717da214e03cce24c362

commit 496ec07666e299bee0b0717da214e03cce24c362
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-02-24 17:56:34 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-02-24 17:56:34 +0000

    dev-php/smarty: Cleanup vulnerable version
    
    Bug: https://bugs.gentoo.org/772206
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/smarty/Manifest             |  1 -
 dev-php/smarty/smarty-3.1.33.ebuild | 46 -------------------------------------
 2 files changed, 47 deletions(-)
Comment 6 John Helmert III gentoo-dev Security 2021-02-24 17:58:33 UTC
Thanks!
Comment 7 Thomas Deutschmann gentoo-dev Security 2021-05-25 21:28:07 UTC
New GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:09:52 UTC
This issue was resolved and addressed in
 GLSA 202105-06 at https://security.gentoo.org/glsa/202105-06
by GLSA coordinator Thomas Deutschmann (whissi).