| Summary: | php-smarty new security issue CVE-2014-8350 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | guillomovitch, oe, olchal, rverschelde, sysadmin-bugs, thomas |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/619213/ | ||
| Whiteboard: | MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok MGA3-64-OK advisory | ||
| Source RPM: | php-smarty-3.1.19-5.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2014-11-05 16:42:29 CET

David Walser
2014-11-05 16:42:43 CET
CC: (none) => guillomovitch

Oden has informed me that egroupware-gallery and php-pear-PhpDocumentor may also bundle Smarty.

CC: (none) => thomas

David Walser (comment 2)

For php-pear-PhpDocumentor, it already is patched to use the system smarty, but it also ships its bundled copy because it isn't deleted during the package build. Oden gave this svn diff to fix it:
Index: SPECS/php-pear-PhpDocumentor.spec
===================================================================
--- SPECS/php-pear-PhpDocumentor.spec (revision 795826)
+++ SPECS/php-pear-PhpDocumentor.spec (working copy)
@@ -64,6 +64,9 @@
%patch -p 1
mv package.xml %{upstream_name}-%{version}/%{upstream_name}.xml
+# nuke bundled smarty
+rm -rf phpDocumentor/Smarty-2.6.0
+
%install
cd %{upstream_name}-%{version}
pear install --nodeps --packagingroot %{buildroot} %{upstream_name}.xml
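Review bot: the path in `rm -rf phpDocumentor/Smarty-2.6.0` looks relative to the wrong directory. The surrounding context shows %prep still running above the extracted tree (`mv package.xml %{upstream_name}-%{version}/...`) and %install having to `cd %{upstream_name}-%{version}` first, so the bundled copy is more likely at `%{upstream_name}-%{version}/phpDocumentor/Smarty-2.6.0`. Because `rm -rf` succeeds silently on a missing path, a wrong path would let the bundled Smarty keep shipping with no build failure; drop the `-f` or guard it with `test -d` so the build stops when the directory is not where expected, and check the built package for Smarty files before considering this fixed.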
David Walser
2014-11-05 18:27:26 CET
URL: (none) => http://lwn.net/Vulnerabilities/619213/

Thomas Spuhler (comment 3)

(In reply to David Walser from comment #2)
> For php-pear-PhpDocumentor, it already is patched to use the system smarty,
> but it also ships its bundled copy because it isn't deleted during the
> package build. Oden gave this svn diff to fix it:
>
> Index: SPECS/php-pear-PhpDocumentor.spec
> ===================================================================
> --- SPECS/php-pear-PhpDocumentor.spec (revision 795826)
> +++ SPECS/php-pear-PhpDocumentor.spec (working copy)
> @@ -64,6 +64,9 @@
> %patch -p 1
> mv package.xml %{upstream_name}-%{version}/%{upstream_name}.xml
>
> +# nuke bundled smarty
> +rm -rf phpDocumentor/Smarty-2.6.0
> +
> %install
> cd %{upstream_name}-%{version}
> pear install --nodeps --packagingroot %{buildroot} %{upstream_name}.xml

It's not that simple.
That patch was removed because of php-pear-PhpDocumentor crashing using the system smarty.
It was easy to fix because php-pear-PhpDocumentor provided a bundled smarty-2.6.0.
From what I see in the report, the security advisory only lists smarty-3.

David Walser (comment 4)

(In reply to Thomas Spuhler from comment #3)
> It's not that simple.
> That patch was removed because of php-pear-PhpDocumentor crashing using the
> system smarty.

I see.

> It was easy to fix because php-pear-PhpDocumentor provided a bundled
> smarty-2.6.0.
> What I see in the report, the security advisory only lists smarty-3

While that's true, smarty2 has several unfixed security vulnerabilities and is unmaintained upstream. In fact, I removed it from Cauldron today because of that. Does PhpDocumenter have a solution upstream for using smarty3?

Thomas Spuhler (comment 5)

(In reply to David Walser from comment #4)
> (In reply to Thomas Spuhler from comment #3)
> > It's not that simple.
> > That patch was removed because of php-pear-PhpDocumentor crashing using the
> > system smarty.
>
> I see.
>
> > It was easy to fix because php-pear-PhpDocumentor provided a bundled
> > smarty-2.6.0.
> > What I see in the report, the security advisory only lists smarty-3
>
> While that's true, smarty2 has several unfixed security vulnerabilities and
> is unmaintained upstream. In fact, I removed it from Cauldron today because
> of that. Does PhpDocumenter have a solution upstream for using smarty3?

This package is not maintained upstream anymore except for bug fixes. My take is this isn't true either.
It has been replaced with PhpDocumenter-2.8.0. I don't see smarty in there.
Let me try to see if it builds.

Fixed in Cauldron in php-smarty-3.1.21-1.mga5.

Version: Cauldron => 4

Updated packages uploaded for Mageia 3 and Mageia 4.

Note to QA, there is a PoC here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765920

Advisory:
========================

Updated php-smarty packages fix security vulnerability:

Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template (CVE-2014-8350).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8350
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142696.html
========================

Updated packages in core/updates_testing:
========================
php-smarty-3.1.21-1.mga3
php-smarty-doc-3.1.21-1.mga3
php-smarty-3.1.21-1.mga4
php-smarty-doc-3.1.21-1.mga4

from SRPMS:
php-smarty-3.1.21-1.mga3
php-smarty-3.1.21-1.mga4

CC: (none) => oe
David Walser
2014-11-14 19:54:01 CET
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Claire (comment 8)

Testing complete mga4 64
Using modified PoC for our php-smarty path.
$ mkdir -p testing/templates
$ cd testing
$ cat test.php
<?php
require_once('/usr/share/php/Smarty/SmartyBC.class.php');
$smarty = new Smarty();
$smarty->setTemplateDir('templates/');
$smarty->setCompileDir('templates_c/');
$smarty->enableSecurity();
$smarty->force_compile = true;
$tpl = $smarty->createTemplate('test.tpl');
$tpl->compileTemplateSource();
$smarty->display('test.tpl');
?>
$ cat templates/test.tpl
{literal}<{/literal}script language=php>echo 1+1;</script>
Before
------
$ php ./test.php
2
This shows it has executed the script, echoing the result of 1 + 1.
After
-----
$ rm -rf templates_c
$ php ./test.php
<script language=php>echo 1+1;</script>

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
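The procedure above shows the bypass at runtime; as an added example (not code from this bug report or from Smarty itself), the Python check below reassembles {literal} blocks the way Smarty's output does and then looks for PHP open tags, which is what a check on the raw template misses in CVE-2014-8350. It goes beyond the PoC's <script language=php> form and also covers <?php, short and ASP-style tags; the BENIGN_TEMPLATE and SPLIT_SHORT_TAG inputs are constructed, and the real fix remains updating to 3.1.21.

```python
import re

# Smarty emits the content of {literal}...{/literal} verbatim, so a tag that
# is split across a literal boundary is whole again in the rendered output.
LITERAL_RE = re.compile(r"\{literal\}(.*?)\{/literal\}", re.DOTALL)

# PHP open tags that must never reach a compiled template under security
# mode: <?php, the short tag, the ASP-style tag, and the <script language=php>
# form (honoured by PHP < 7) that the CVE-2014-8350 PoC uses.
PHP_OPEN_TAG_RE = re.compile(
    r"<\?(?:php\b|=|\s)|<%|<script\s+language\s*=\s*[\"']?php[\"']?\s*>",
    re.IGNORECASE,
)


def unliteral(template: str) -> str:
    """Replace every {literal} block with its raw content, as the output would."""
    return LITERAL_RE.sub(lambda m: m.group(1), template)


def find_php_tags(template: str) -> list:
    """Return the PHP open tags that survive into the rendered output.

    Matching is done on the unliteraled text, so "{literal}<{/literal}script
    language=php>" is reassembled before the check; a check on the raw
    template source, which is what the bypass defeats, would see nothing.
    """
    return [m.group(0) for m in PHP_OPEN_TAG_RE.finditer(unliteral(template))]


def is_safe(template: str) -> bool:
    return not find_php_tags(template)


# Sample templates: the first is the test.tpl line from the procedure above,
# the other two are constructed for this example.
POC_TEMPLATE = "{literal}<{/literal}script language=php>echo 1+1;</script>"
SPLIT_SHORT_TAG = "{literal}<{/literal}?php echo 1+1; ?>"
BENIGN_TEMPLATE = (
    '{literal}<script type="text/javascript">var c = {a: 1};</script>{/literal}'
    "<p>{$name}</p>"
)

if __name__ == "__main__":
    for name, tpl in [("poc", POC_TEMPLATE), ("short", SPLIT_SHORT_TAG),
                      ("benign", BENIGN_TEMPLATE)]:
        print(name, "->", find_php_tags(tpl) or "no PHP open tag")
```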
Testing complete Mageia 3 i586 and Mageia 4 i586 using Claire's procedure in Comment 8. I was able to reproduce the same results as she had, both before and after the update.

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok

Testing on Mageia3-64 real HW using Claire's procedure in comment 8.

Current packages:
----------------
- php-smarty-3.1.11-4.mga3.noarch
- php-smarty-doc-3.1.11-4.mga3.noarch

$ php ./test.php
2

Updated testing packages:
------------------------
- php-smarty-3.1.21-1.mga3.noarch
- php-smarty-doc-3.1.21-1.mga3.noarch

$ php ./test.php
<script language=php>echo 1+1;</script>

CC: (none) => olchal

David Walser (comment 11)

Thomas, Oden just informed me that php-pear-PhpDocumentor bundles more than just smarty, for instance php-ZendFramework2 as well. I see nothing requires php-pear-PhpDocumentor. Could we drop it from Cauldron?

Oden Eriksson (comment 12)

(In reply to David Walser from comment #11)
> Thomas, Oden just informed me that php-pear-PhpDocumentor bundles more than
> just smarty, for instance php-ZendFramework2 as well. I see nothing
> requires php-pear-PhpDocumentor. Could we drop it from Cauldron?

No, I meant php-pear-phpDocumentor that's in svn only. Not the same thing.

(In reply to Oden Eriksson from comment #12)
> (In reply to David Walser from comment #11)
> > Thomas, Oden just informed me that php-pear-PhpDocumentor bundles more than
> > just smarty, for instance php-ZendFramework2 as well. I see nothing
> > requires php-pear-PhpDocumentor. Could we drop it from Cauldron?
>
> No, I meant php-pear-phpDocumentor that's in svn only. Not the same thing.

Oh, I see. OK. I just dropped that one from SVN then.

Note. For mga3 you also have:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4437

Thanks Oden. Use the Comment 7 advisory for Mageia 4. For Mageia 3, use below:

Advisory (Mageia 3):
========================

Updated php-smarty packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in the SmartyException class in Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger a Smarty exception (CVE-2012-4437).

Smarty before 3.1.21 allows remote attackers to bypass the secure mode restrictions and execute arbitrary PHP code as demonstrated by "{literal}<{/literal}script language=php>" in a template (CVE-2014-8350).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8350
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142696.html

Validating, advisories uploaded as 14465.mga3.adv and 14465.mga4.adv.

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0468.html

Status: NEW => RESOLVED

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0469.html

LWN reference for CVE-2012-4437: http://lwn.net/Vulnerabilities/622956/

Thomas Spuhler

(In reply to Thomas Spuhler from comment #5)
> (In reply to David Walser from comment #4)
> > (In reply to Thomas Spuhler from comment #3)
> > > It's not that simple.
> > > That patch was removed because of php-pear-PhpDocumentor crashing using the
> > > system smarty.
> >
> > I see.
> >
> > > It was easy to fix because php-pear-PhpDocumentor provided a bundled
> > > smarty-2.6.0.
> > > What I see in the report, the security advisory only lists smarty-3
> >
> > While that's true, smarty2 has several unfixed security vulnerabilities and
> > is unmaintained upstream. In fact, I removed it from Cauldron today because
> > of that. Does PhpDocumenter have a solution upstream for using smarty3?
>
> This package is not maintained upstream anymore except for bug fixes. My
> take this isn't true either.
> It has been replaced with PhpDocumenter-2.8.0. I don't see smarty in there.
> Let me try to see if it builds.

I upgraded cauldron to phpDocumentor-2.8.1 (notice the spelling change) and obsoleted PhpDocumentor. I am not quite sure how to handle this on mga4 (mga3 = EOL). Reopening the bug report.

Status: RESOLVED => REOPENED

This bug is closed, php-smarty is fixed. Feel free to open a new bug for phpDocumentor if you wish.

Status: REOPENED => RESOLVED