Bug 31794

Summary: php-smarty new security issue CVE-2023-28447
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: php-smarty-4.3.0-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-04-13 18:05:03 CEST 
Fedora has issued an advisory on April 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ/

The issue is fixed upstream in 4.3.1:
https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj

Mageia 8 is also affected.
David Walser 2023-04-13 18:05:17 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 4.3.1

Comment 1 Lewis Smith 2023-04-13 21:42:30 CEST 
This is looked after by MarK, so assigning to you.

Assignee: bugsquad => mageia

Comment 2 Marc Krämer 2023-04-13 22:01:24 CEST 
Updated php-smarty packages fix security vulnerabilities:

Update fixes a js cross-site-scripting vulnerability [1,2,3].

Some more errors have been fixed [4,5]


References:
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28447
[2] https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj
[3] https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ/
[4] https://github.com/smarty-php/smarty/releases/tag/v4.3.0
[5] https://github.com/smarty-php/smarty/releases/tag/v4.3.1

========================

Updated packages in core/updates_testing:
========================
php-smarty-4.3.1-1.mga8.noarch.rpm

SRPM:
php-smarty-4.3.1-1.mga8.src.rpm

Assignee: mageia => qa-bugs

Comment 3 David Walser 2023-04-14 01:11:33 CEST 
Note that this is pending a freeze move request for Cauldron.

Status comment: Fixed upstream in 4.3.1 => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => mageia

Comment 4 Thomas Andrews 2023-04-17 18:56:32 CEST 
Tested in a VirtualBox mga8-64 Plasma guest. Installed php-smarty, then used qarepo to update it, with no installation issues.

Previous updates have identified this as a developer's tool, and have approved it on a clean update. Since this updated OK, and shows no ill effects on the system, I'm giving it an OK, and validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-04-24 00:00:19 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-04-24 02:22:00 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0155.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED