Bug 28996

Summary: php-smarty new security issues CVE-2021-26119 and CVE-2021-26120
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, herman.viaene, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: php-smarty-3.1.33-3.mga8.src.rpm CVE: CVE-2021-26119, CVE-2021-26120
Status comment:

Description David Walser 2021-05-28 22:49:29 CEST 
Debian-LTS has issued an advisory on April 8:
https://www.debian.org/lts/security/2021/dla-2618

The issues are fixed upstream in 3.1.39.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-28 22:49:52 CEST

CC: (none) => mageia
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 3.1.39

Comment 1 Lewis Smith 2021-05-29 21:20:27 CEST 
Assigning to Marc for this SRPm (removed CC).

Assignee: bugsquad => mageia
CC: mageia => (none)

Comment 2 David Walser 2021-06-28 18:22:52 CEST 
Ping Marc.
Comment 3 Marc Krämer 2021-06-29 10:58:45 CEST 
pushed an update.

Updated php-smarty packages fix security vulnerabilities:

It was possible to inject code into the template engine. This is fixed now.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26120
https://github.com/smarty-php/smarty/releases/tag/v3.1.39
========================

Updated packages in core/updates_testing:
========================
php-smarty-3.1.39-1.mga7.noarch.rpm
php-smarty-3.1.39-1.mga8.noarch.rpm


SPRM:
php-smarty-3.1.39-1.mga7.src.rpm
php-smarty-3.1.39-1.mga8.src.rpm

Assignee: mageia => qa-bugs
CVE: (none) => CVE-2021-26119, CVE-2021-26120

Comment 4 Herman Viaene 2021-06-29 14:47:12 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Read about this package and it seems a developers tool. I cann't find any "normal" package depending on it.
So, seeing no ill effects on the system, I give it OK on clean install.

CC: (none) => herman.viaene
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO, MGA7TOO MGA7-64-OK

Comment 5 Aurelien Oudelet 2021-06-29 15:33:06 CEST 
Already pushed on Cauldron.
> r1728954 | mokraemer | 2021-05-31 11:08:22 +0200 (lun. 31 mai 2021) | 1 ligne
>
> new version 3.1.39

Status comment: Fixed upstream in 3.1.39 => (none)
Whiteboard: MGA8TOO, MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK
Version: Cauldron => 8
CC: (none) => ouaurelien

Comment 6 Herman Viaene 2021-07-10 14:59:09 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues.
OK on clean install.
Herman Viaene 2021-07-10 15:00:18 CEST

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 7 Thomas Andrews 2021-07-10 15:47:52 CEST 
Validating. Advisory information in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Aurelien Oudelet 2021-07-10 16:55:31 CEST 
type: security
subject: Updated php-smarty package fixes security vulnerabilities
CVE:
 - CVE-2021-26119
 - CVE-2021-26120
src:
  7:
   core:
     - php-smarty-3.1.39-1.mga7
  8:
   core:
     - php-smarty-3.1.39-1.mga8
description: |
  Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object
  can be accessed in sandbox mode (CVE-2021-26119).
  
  Smarty before 3.1.39 allows code injection via an unexpected function name
  after a {function name= substring (CVE-2021-26120).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28996
 - https://github.com/smarty-php/smarty/releases/tag/v3.1.39
 - https://www.debian.org/lts/security/2021/dla-2618

Keywords: (none) => advisory

Comment 9 Mageia Robot 2021-07-10 22:01:56 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0335.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED