Bug 22458

Summary: php-smarty new security issue CVE-2017-1000480
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, guillomovitch, herman.viaene, mageia, marja11, sysadmin-bugs, tarazed25, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK
Source RPM: php-smarty-3.1.31-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-01-26 04:51:32 CET 
Debian has issued an advisory on January 22:
https://www.debian.org/security/2018/dsa-4094

The issue was fixed upstream in 3.1.32.

The upstream commit that fixed it is linked from here:
https://security-tracker.debian.org/tracker/CVE-2017-1000480

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-01-26 04:51:42 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-01-26 07:33:06 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => guillomovitch, mageia, marja11

Marc Krämer 2018-01-26 12:39:16 CET

Assignee: pkg-bugs => mageia

Comment 2 Marc Krämer 2018-01-26 12:55:58 CET 
I have uploaded a patched package for Mageia 5/6.

Suggested advisory:
========================

Updated php-smarty packages fix security vulnerabilities:

Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name(CVE-2017-1000480).

References:
https://security-tracker.debian.org/tracker/CVE-2017-1000480
========================

Updated packages in core/updates_testing:
========================
mga5:
php-smarty-3.1.21-1.1.mga5
php-smarty-doc-3.1.21-1.1.mga5

mga6:
php-smarty-3.1.21-3.mga6
php-smarty-doc-3.1.21-3.mga6


Source RPMs: 
php-smarty-3.1.21-1.1.mga5.src.rpm
php-smarty-3.1.21-3.mga6.src.rpm
Marc Krämer 2018-01-26 12:56:36 CET

Assignee: mageia => qa-bugs

Thomas Backlund 2018-01-26 13:35:58 CET

Version: Cauldron => 6
CC: (none) => tmb
Whiteboard: MGA6TOO => (none)

Comment 3 David Walser 2018-01-26 14:39:54 CET 
Note that this update only affects fusiondirectory, galette, and kolab-webadmin (at least on Mageia 5), so I don't consider it critical there, so don't feel the need to put a lot of effort into testing it.  The commit diff confirms that the patch has been applied, so as long as the package installs (which it should), that should be sufficient.

Whiteboard: (none) => MGA5TOO

Comment 4 Marc Krämer 2018-01-26 14:42:53 CET 
since this patch is really short and adds only a regex for the filename (shortend to 25 chars), I don't assume there is not much to test.
Comment 5 Herman Viaene 2018-02-01 15:23:12 CET 
MGA5-32 on Dell Latitude D600 Xfce.
No installation isues
This is a celan install and apparently it does not break anything else, so OK.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 6 Len Lawrence 2018-02-02 19:53:27 CET 
Mageia 6 :: x86_64

Clean install.
# updatedb
$ locate -i smarty
That showed that the /usr/share/smarty directories are all populated, including doc folders.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2018-02-02 19:56:03 CET 
Correction - /usr/share/php/Smarty and /usr/share/doc/php-smarty directories.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK

Comment 8 Dave Hodgins 2018-02-06 04:48:54 CET 
Looks like a problem in Mageia 6.

Core release has
http://mirrors.kernel.org/mageia/distrib/6/x86_64/media/core/release/php-smarty-3.1.21-3.mga6.noarch.rpm

Core updates testing has
http://mirrors.kernel.org/mageia/distrib/6/x86_64/media/core/updates_testing/php-smarty-3.1.21-3.mga6.noarch.rpm

So the update will not get installed when it's moved from testing to updates.

Needs to have the version bumped.

Removing the mga6-64-ok and adding the feedback marker.

Noticed the problem while preparing to add the advisory to svn.

Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK
CC: (none) => davidwhodgins
Keywords: (none) => feedback

Comment 9 Dave Hodgins 2018-02-06 04:53:45 CET 
Advisory added to svn, but it will need to be updated once the mageia 6 srpm
version is known.
Comment 10 Marc Krämer 2018-02-06 10:55:18 CET 
@David: thanks, forgotten the subrel for mga6.

Pushed php-smarty-3.1.21-3-1.mga6.src.rpm (only changed the subrel)

Keywords: feedback => (none)

Comment 11 Herman Viaene 2018-02-06 13:35:34 CET 
MGA6-64 on Lenovo B50 Plasma
No installation issues.
Found files as indicated above (this laptop did not have a previous version).

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK

Comment 12 Dave Hodgins 2018-02-06 14:12:04 CET 
Thanks. Updated advisory, validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2018-02-06 16:35:59 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0118.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED