CVE-2021-26119: Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.

CVE-2021-26120: Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.

These are fixed in 3.1.39. Please bump.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9bdc8cf072043af5e8a2b02cdd52c2a9fe476e2

commit e9bdc8cf072043af5e8a2b02cdd52c2a9fe476e2
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2021-02-23 03:37:33 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2021-02-23 03:37:33 +0000

    dev-php/smarty: new upstream version 3.1.39 with two security fixes.

    Bug: https://bugs.gentoo.org/772206
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-php/smarty/Manifest | 2 +-
 dev-php/smarty/{smarty-3.1.36.ebuild => smarty-3.1.39.ebuild} | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
We skipped v3.1.37, but the only changes there were for compatibility with various new/old versions of PHP. v3.1.38 was a no-op, and v3.1.39 is security fixes. So this should be safe to stabilize right away.
(In reply to Michael Orlitzky from comment #2)
> We skipped v3.1.37, but the only changes there were for compatibility with
> various new/old versions of PHP. v3.1.38 was a no-op, and v3.1.39 is
> security fixes. So this should be safe to stabilize right away.

Thanks!
amd64 ppc ppc64 sparc x86 (ALLARCHES) done

all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=496ec07666e299bee0b0717da214e03cce24c362

commit 496ec07666e299bee0b0717da214e03cce24c362
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2021-02-24 17:56:34 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2021-02-24 17:56:34 +0000

    dev-php/smarty: Cleanup vulnerable version

    Bug: https://bugs.gentoo.org/772206
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/smarty/Manifest | 1 -
 dev-php/smarty/smarty-3.1.33.ebuild | 46 -------------------------------------
 2 files changed, 47 deletions(-)
Thanks!
New GLSA request filed.
This issue was resolved and addressed in GLSA 202105-06 at https://security.gentoo.org/glsa/202105-06 by GLSA coordinator Thomas Deutschmann (whissi).