Bug 830980 (CVE-2021-21408, CVE-2021-29454) - <dev-php/smarty-4.0.3: multiple vulnerabilities
Summary: <dev-php/smarty-4.0.3: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-21408, CVE-2021-29454
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa?]
Depends on: 832854
Reported: 2022-01-11 02:45 UTC by John Helmert III
Modified: 2022-02-09 03:25 UTC
Description John Helmert III 2022-01-11 02:45:16 UTC
CVE-2021-29454 (https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m):

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch.

CVE-2021-21408 (https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m):

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static PHP methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.

Please bump to 3.1.43.
Comment 1 Larry the Git Cow 2022-01-11 16:05:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ceabb261d8cfed718f1d1939da6f5e58b69424c

commit 7ceabb261d8cfed718f1d1939da6f5e58b69424c
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2022-01-11 16:05:12 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2022-01-11 16:05:12 +0000

    dev-php/smarty: Version bump for 4.0.3
    
    Bug: https://bugs.gentoo.org/830980
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/smarty/Manifest            |  1 +
 dev-php/smarty/smarty-4.0.3.ebuild | 46 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
Comment 2 John Helmert III 2022-01-11 20:39:32 UTC
Thanks! Please stabilize.
Comment 3 Larry the Git Cow 2022-02-08 13:24:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=344efd1264754faaeb184f644eac4eec350ebe67

commit 344efd1264754faaeb184f644eac4eec350ebe67
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2022-02-08 13:24:09 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2022-02-08 13:24:09 +0000

    dev-php/smarty: Drop old
    
    Bug: https://bugs.gentoo.org/830980
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/smarty/Manifest             |  2 --
 dev-php/smarty/smarty-3.1.39.ebuild | 46 -------------------------------------
 dev-php/smarty/smarty-4.0.3.ebuild  | 46 -------------------------------------
 3 files changed, 94 deletions(-)
Comment 4 John Helmert III 2022-02-09 03:25:32 UTC
Thanks!