Bug 14465 - php-smarty new security issue CVE-2014-8350
Summary: php-smarty new security issue CVE-2014-8350
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/619213/
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-05 16:42 CET by David Walser
Modified: 2014-11-28 23:55 CET (History)
6 users

See Also:
Source RPM: php-smarty-3.1.19-5.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2014-11-05 16:42:29 CET
Fedora has issued an advisory on October 27:
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142696.html

The issue is fixed upstream in 3.1.21.

Mageia 3 and Mageia 4 are also affected.

David Walser 2014-11-05 16:42:43 CET

CC: (none) => guillomovitch
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-11-05 16:52:30 CET
Oden has informed me that egroupware-gallery and php-pear-PhpDocumentor may also bundle Smarty.

CC: (none) => thomas

Comment 2 David Walser 2014-11-05 17:03:38 CET
For php-pear-PhpDocumentor, it already is patched to use the system smarty, but it also ships its bundled copy because it isn't deleted during the package build.  Oden gave this svn diff to fix it:

Index: SPECS/php-pear-PhpDocumentor.spec
===================================================================
--- SPECS/php-pear-PhpDocumentor.spec   (revision 795826)
+++ SPECS/php-pear-PhpDocumentor.spec   (working copy)
@@ -64,6 +64,9 @@
 %patch -p 1
 mv package.xml %{upstream_name}-%{version}/%{upstream_name}.xml
 
+# nuke bundled smarty
+rm -rf phpDocumentor/Smarty-2.6.0
+
 %install
 cd %{upstream_name}-%{version}
 pear install --nodeps --packagingroot %{buildroot} %{upstream_name}.xml
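Review bot: the path in `rm -rf phpDocumentor/Smarty-2.6.0` is relative to wherever %prep is standing at that point, and the preceding `mv package.xml %{upstream_name}-%{version}/%{upstream_name}.xml` together with the `cd %{upstream_name}-%{version}` in %install suggest the unpacked tree is one level down, so the bundled copy may really live at `%{upstream_name}-%{version}/phpDocumentor/Smarty-2.6.0`; `rm -rf` on a path that does not exist succeeds silently and the copy would still ship. Suggest anchoring the path explicitly and making a miss fail the build, e.g. `test -d %{upstream_name}-%{version}/phpDocumentor/Smarty-2.6.0` before the rm, then confirming with `rpm -qlp` on the built package that no Smarty files remain. Since %install feeds the same package.xml to `pear install`, also check that its file list does not still reference the removed Smarty files; if it does, the install step needs those entries dropped as well.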
David Walser 2014-11-05 18:27:26 CET

URL: (none) => http://lwn.net/Vulnerabilities/619213/

Comment 3 Thomas Spuhler 2014-11-06 01:17:31 CET
(In reply to David Walser from comment #2)
> For php-pear-PhpDocumentor, it already is patched to use the system smarty,
> but it also ships its bundled copy because it isn't deleted during the
> package build.  Oden gave this svn diff to fix it:
> 
> Index: SPECS/php-pear-PhpDocumentor.spec
> ===================================================================
> --- SPECS/php-pear-PhpDocumentor.spec   (revision 795826)
> +++ SPECS/php-pear-PhpDocumentor.spec   (working copy)
> @@ -64,6 +64,9 @@
>  %patch -p 1
>  mv package.xml %{upstream_name}-%{version}/%{upstream_name}.xml
>  
> +# nuke bundled smarty
> +rm -rf phpDocumentor/Smarty-2.6.0
> +
>  %install
>  cd %{upstream_name}-%{version}
>  pear install --nodeps --packagingroot %{buildroot} %{upstream_name}.xml

It's not that simple.
That patch was removed because of php-pear-PhpDocumentor crashing using the system smarty.
It was easy to fix because php-pear-PhpDocumentor provided a bundled smarty-2.6.0.
From what I see in the report, the security advisory only lists smarty-3.
Comment 4 David Walser 2014-11-06 01:25:54 CET
(In reply to Thomas Spuhler from comment #3)
> It's not that simple.
> That patch was removed because of php-pear-PhpDocumentor crashing using the
> system smarty.

I see.

> It was easy to fix because php-pear-PhpDocumentor provided a bundled
> smarty-2.6.0.
> What I see in the report, the security advisory only lists smarty-3

While that's true, smarty2 has several unfixed security vulnerabilities and is unmaintained upstream.  In fact, I removed it from Cauldron today because of that.  Does PhpDocumenter have a solution upstream for using smarty3?
Comment 5 Thomas Spuhler 2014-11-06 01:48:29 CET
(In reply to David Walser from comment #4)
> (In reply to Thomas Spuhler from comment #3)
> > It's not that simple.
> > That patch was removed because of php-pear-PhpDocumentor crashing using the
> > system smarty.
> 
> I see.
> 
> > It was easy to fix because php-pear-PhpDocumentor provided a bundled
> > smarty-2.6.0.
> > What I see in the report, the security advisory only lists smarty-3
> 
> While that's true, smarty2 has several unfixed security vulnerabilities and
> is unmaintained upstream.  In fact, I removed it from Cauldron today because
> of that.  Does PhpDocumenter have a solution upstream for using smarty3?

This package is not maintained upstream anymore except for bug fixes. My take is that this isn't true either.
It has been replaced with PhpDocumenter-2.8.0. I don't see smarty in there. Let me try to see if it builds.
Comment 6 David Walser 2014-11-07 19:02:53 CET
Fixed in Cauldron in php-smarty-3.1.21-1.mga5.

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 7 David Walser 2014-11-14 18:32:36 CET
Updated packages uploaded for Mageia 3 and Mageia 4.

Note to QA, there is a PoC here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765920

Advisory:
========================

Updated php-smarty packages fix security vulnerability:

Smarty before 3.1.21 allows remote attackers to bypass the secure mode
restrictions and execute arbitrary PHP code as demonstrated by
"{literal}<{/literal}script language=php>" in a template (CVE-2014-8350).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8350
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142696.html
========================

Updated packages in core/updates_testing:
========================
php-smarty-3.1.21-1.mga3
php-smarty-doc-3.1.21-1.mga3
php-smarty-3.1.21-1.mga4
php-smarty-doc-3.1.21-1.mga4

from SRPMS:
php-smarty-3.1.21-1.mga3
php-smarty-3.1.21-1.mga4

CC: (none) => oe
Assignee: oe => qa-bugs

David Walser 2014-11-14 19:54:01 CET

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 8 claire robinson 2014-11-17 18:50:45 CET
Testing complete mga4 64

Using a modified PoC for our php-smarty path.

$ mkdir -p testing/templates
$ cd testing

$ cat test.php 
<?php
require_once('/usr/share/php/Smarty/SmartyBC.class.php');
$smarty = new Smarty();

$smarty->setTemplateDir('templates/');
$smarty->setCompileDir('templates_c/');
$smarty->enableSecurity();
$smarty->force_compile = true;
$tpl = $smarty->createTemplate('test.tpl');
$tpl->compileTemplateSource();
$smarty->display('test.tpl');
?>

$ cat templates/test.tpl 
{literal}<{/literal}script language=php>echo 1+1;</script>


Before
------
$ php ./test.php 
2

This shows it has executed the script, echoing the result of 1 + 1.

After
-----
$ rm -rf templates_c
$ php ./test.php 
<script language=php>echo 1+1;</script>

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
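
The advisory text in Comment 7 and the PoC in Comment 8 turn on one detail: the raw template never contains `<script language=php>` as a whole, because the `<` sits inside a {literal} block, yet the compiled output (the "After" run shows the tag text passing through verbatim) does. The Python below is an added example, not code from this bug report or from Smarty, that models two ways of checking a template on constructed inputs: a check that scans the raw source, which the split tag evades, next to a check that first resolves {literal} blocks and scans what will actually be emitted, which catches it. How Smarty implements secure mode and what exactly changed in 3.1.21 is not shown on this page; the tag list and both checker functions are this example's own simplifications.

```python
"""Model of the {literal} split-tag bypass behind CVE-2014-8350.

Added example; not Smarty's code.  The tag forms and both checks are
simplifications written for this illustration.
"""
import re

# PHP tag forms a template checker would want to keep out of output.
# This list is an assumption for the example, not copied from Smarty.
PHP_TAG_RE = re.compile(
    r"<\?(?:php\b|=)?"                      # <?php, <?=, <?
    r"|<%"                                   # ASP-style tag
    r"|<script\s+language\s*=\s*['\"]?php['\"]?\s*>",   # <script language=php>
    re.IGNORECASE,
)

# A {literal}...{/literal} block passes its body through untouched.
LITERAL_RE = re.compile(r"\{literal\}(.*?)\{/literal\}", re.DOTALL)


def naive_has_php_tag(template: str) -> bool:
    """Check the raw template source as written by the author."""
    return PHP_TAG_RE.search(template) is not None


def resolve_literals(template: str) -> str:
    """Replace every {literal} block with its raw body, i.e. the text the
    block contributes to the compiled template."""
    return LITERAL_RE.sub(lambda m: m.group(1), template)


def resolved_has_php_tag(template: str) -> bool:
    """Check the text as it will be emitted, after literal blocks are resolved."""
    return PHP_TAG_RE.search(resolve_literals(template)) is not None


def scan(template: str) -> dict:
    """Run both checks so the difference is visible side by side."""
    return {
        "raw_source_flags": naive_has_php_tag(template),
        "resolved_flags": resolved_has_php_tag(template),
        "resolved_text": resolve_literals(template),
    }


# Constructed sample templates (not taken from any real application).
POC = "{literal}<{/literal}script language=php>echo 1+1;</script>"   # the bypass
DIRECT = "<?php echo 1+1; ?>"                                         # plain PHP tag
BENIGN = "Hello {$name}, {literal}{ not a smarty tag }{/literal}"     # harmless literal

if __name__ == "__main__":
    for name, tpl in (("POC", POC), ("DIRECT", DIRECT), ("BENIGN", BENIGN)):
        print(name, scan(tpl))
```

The point of the side-by-side result is that a pattern check applied to the wrong representation (source text rather than emitted text) is a bypass waiting to happen; the same mistake recurs whenever a sanitiser runs before a later stage re-assembles the input.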

Comment 9 David Walser 2014-11-17 19:06:24 CET
Testing complete Mageia 3 i586 and Mageia 4 i586 using Claire's procedure in Comment 8.  I was able to reproduce the same results as she had, both before and after the update.

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok

Comment 10 olivier charles 2014-11-17 21:48:06 CET
Testing on Mageia3-64 real HW

Using Claire's procedure in comment 8.

Current packages :
----------------
- php-smarty-3.1.11-4.mga3.noarch
- php-smarty-doc-3.1.11-4.mga3.noarch

$ php ./test.php 
2

Updated testing packages :
------------------------
- php-smarty-3.1.21-1.mga3.noarch
- php-smarty-doc-3.1.21-1.mga3.noarch
$ php ./test.php 
<script language=php>echo 1+1;</script>

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok MGA3-64-OK

Comment 11 David Walser 2014-11-18 13:45:29 CET
Thomas, Oden just informed me that php-pear-PhpDocumentor bundles more than just smarty, for instance php-ZendFramework2 as well.  I see nothing requires php-pear-PhpDocumentor.  Could we drop it from Cauldron?
Comment 12 Oden Eriksson 2014-11-18 13:56:59 CET
(In reply to David Walser from comment #11)
> Thomas, Oden just informed me that php-pear-PhpDocumentor bundles more than
> just smarty, for instance php-ZendFramework2 as well.  I see nothing
> requires php-pear-PhpDocumentor.  Could we drop it from Cauldron?

No, I meant php-pear-phpDocumentor that's in svn only. Not the same thing.
Comment 13 David Walser 2014-11-18 14:08:47 CET
(In reply to Oden Eriksson from comment #12)
> (In reply to David Walser from comment #11)
> > Thomas, Oden just informed me that php-pear-PhpDocumentor bundles more than
> > just smarty, for instance php-ZendFramework2 as well.  I see nothing
> > requires php-pear-PhpDocumentor.  Could we drop it from Cauldron?
> 
> No, I meant php-pear-phpDocumentor that's in svn only. Not the same thing.

Oh, I see.  OK.  I just dropped that one from SVN then.
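
Comments 1 to 5 and 11 to 13 are about copies of Smarty that the system php-smarty update does not reach because another package bundles its own (the PhpDocumentor Smarty-2.6.0 tree that survived the build). The Python below is an added example, not a Mageia packaging tool and not code from this bug, that walks a source tree, finds every Smarty.class.php, reads the version it declares and flags copies older than 3.1.21. The two version-string patterns (`const SMARTY_VERSION = 'Smarty-3.x.y'` for Smarty 3 and `var $_version = '2.x.y'` for Smarty 2) are assumptions about Smarty's source layout; the sample tree it scans is constructed inside the script.

```python
"""Find bundled Smarty copies in a source tree and flag unfixed versions.

Added example, not a Mageia tool.  Version-string formats are assumptions.
"""
import os
import re
import tempfile

# Version carrying the CVE-2014-8350 fix, per the advisory in this bug.
FIXED_VERSION = (3, 1, 21)

# Assumed ways Smarty.class.php declares its own version:
#   Smarty 3:  const SMARTY_VERSION = 'Smarty-3.1.19';
#   Smarty 2:  var $_version = '2.6.0';
VERSION_PATTERNS = (
    re.compile(r"SMARTY_VERSION\s*=\s*['\"]Smarty-?(\d+(?:\.\d+)+)['\"]"),
    re.compile(r"\$_version\s*=\s*['\"](\d+(?:\.\d+)+)['\"]"),
)


def parse_smarty_version(source: str):
    """Return the version tuple declared in a Smarty.class.php source, or None."""
    for pattern in VERSION_PATTERNS:
        m = pattern.search(source)
        if m:
            return tuple(int(part) for part in m.group(1).split("."))
    return None


def find_bundled_smarty(root: str) -> dict:
    """Map the relative path of every Smarty.class.php under root to its version."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "Smarty.class.php" not in filenames:
            continue
        path = os.path.join(dirpath, "Smarty.class.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            found[os.path.relpath(path, root)] = parse_smarty_version(fh.read())
    return found


def needs_update(version) -> bool:
    """Unknown or older-than-fixed copies need attention; any 2.x copy is
    older and, as the thread notes, unmaintained upstream."""
    return version is None or version < FIXED_VERSION


def report(root: str) -> dict:
    """Map each bundled copy to (version string, needs_update flag)."""
    return {
        rel: (".".join(map(str, ver)) if ver else "unknown", needs_update(ver))
        for rel, ver in find_bundled_smarty(root).items()
    }


def build_sample_tree() -> str:
    """Constructed sample tree with three bundled copies (not a real package)."""
    root = tempfile.mkdtemp(prefix="smarty-scan-")
    samples = {
        "phpDocumentor/Smarty-2.6.0/libs/Smarty.class.php":
            "<?php\nclass Smarty {\n    var $_version = '2.6.0';\n}\n",
        "vendor/smarty/libs/Smarty.class.php":
            "<?php\nclass Smarty extends Smarty_Internal_TemplateBase {\n"
            "    const SMARTY_VERSION = 'Smarty-3.1.19';\n}\n",
        "extlib/Smarty/Smarty.class.php":
            "<?php\nclass Smarty extends Smarty_Internal_TemplateBase {\n"
            "    const SMARTY_VERSION = 'Smarty-3.1.21';\n}\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, (ver, flagged) in sorted(report(tree).items()):
        print(f"{'UPDATE' if flagged else 'ok    '}  {ver:8}  {rel}")
```

Run against an unpacked source RPM or a built package's file list, this is the check that would have shown the surviving Smarty-2.6.0 tree before the package shipped; a copy reported as unknown is worth opening by hand rather than assuming it is fine.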
Comment 14 Oden Eriksson 2014-11-19 11:27:05 CET
Note: for mga3 you also have:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4437
Comment 15 David Walser 2014-11-19 13:34:00 CET
Thanks Oden.

Use the Comment 7 advisory for Mageia 4.

For Mageia 3, use below:

Advisory (Mageia 3):
========================

Updated php-smarty packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in the SmartyException class in
Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject
arbitrary web script or HTML via unspecified vectors that trigger a Smarty
exception (CVE-2012-4437).

Smarty before 3.1.21 allows remote attackers to bypass the secure mode
restrictions and execute arbitrary PHP code as demonstrated by
"{literal}<{/literal}script language=php>" in a template (CVE-2014-8350).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8350
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142696.html
Comment 16 Rémi Verschelde 2014-11-19 13:47:17 CET
Validating, advisories uploaded as 14465.mga3.adv and 14465.mga4.adv.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok MGA3-64-OK => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 17 Mageia Robot 2014-11-21 13:45:38 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0468.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 18 Mageia Robot 2014-11-21 13:45:40 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0469.html
Comment 19 David Walser 2014-11-24 20:46:14 CET
LWN reference for CVE-2012-4437:
http://lwn.net/Vulnerabilities/622956/
Comment 20 Thomas Spuhler 2014-11-28 23:41:06 CET
(In reply to Thomas Spuhler from comment #5)
> (In reply to David Walser from comment #4)
> > (In reply to Thomas Spuhler from comment #3)
> > > It's not that simple.
> > > That patch was removed because of php-pear-PhpDocumentor crashing using the
> > > system smarty.
> > 
> > I see.
> > 
> > > It was easy to fix because php-pear-PhpDocumentor provided a bundled
> > > smarty-2.6.0.
> > > What I see in the report, the security advisory only lists smarty-3
> > 
> > While that's true, smarty2 has several unfixed security vulnerabilities and
> > is unmaintained upstream.  In fact, I removed it from Cauldron today because
> > of that.  Does PhpDocumenter have a solution upstream for using smarty3?
> 
> This package is not maintained upstream anymore except for bug fixes. My
> take this isn't true either.
> It has been replaced with PhpDocumenter-2.8.0. I don't see smarty in there.
> Let me try to see if it builds.

I upgraded cauldron to phpDocumentor-2.8.1 (notice the spelling change) and obsoleted PhpDocumentor. I am not quite sure how to handle this on mga4 (mga3 = EOL).
Reopening the bug report.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Assignee: qa-bugs => thomas

Comment 21 David Walser 2014-11-28 23:55:23 CET
This bug is closed, php-smarty is fixed.  Feel free to open a new bug for phpDocumentor if you wish.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
Assignee: thomas => qa-bugs

