Fedora has issued an advisory on October 27:
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142696.html

The issue is fixed upstream in 3.1.21.

Mageia 3 and Mageia 4 are also affected.
CC: (none) => guillomovitch
Whiteboard: (none) => MGA4TOO, MGA3TOO
Oden has informed me that egroupware-gallery and php-pear-PhpDocumentor may also bundle Smarty.
CC: (none) => thomas
For php-pear-PhpDocumentor, it already is patched to use the system smarty, but it also ships its bundled copy because it isn't deleted during the package build. Oden gave this svn diff to fix it: Index: SPECS/php-pear-PhpDocumentor.spec =================================================================== --- SPECS/php-pear-PhpDocumentor.spec (revision 795826) +++ SPECS/php-pear-PhpDocumentor.spec (working copy) @@ -64,6 +64,9 @@ %patch -p 1 mv package.xml %{upstream_name}-%{version}/%{upstream_name}.xml +# nuke bundled smarty +rm -rf phpDocumentor/Smarty-2.6.0 + %install cd %{upstream_name}-%{version} pear install --nodeps --packagingroot %{buildroot} %{upstream_name}.xml
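Review bot: the added `rm -rf phpDocumentor/Smarty-2.6.0` is relative to the %prep working directory, but the line just above it (`mv package.xml %{upstream_name}-%{version}/%{upstream_name}.xml`) and the `cd %{upstream_name}-%{version}` at the start of %install both show the extracted tree living under %{upstream_name}-%{version}/; if the Smarty directory is below that subdirectory, `rm -rf` exits 0 on a path that does not exist and the bundled copy keeps shipping silently. Suggest `rm -rf %{upstream_name}-%{version}/phpDocumentor/Smarty-2.6.0` (or dropping -f so a wrong path fails the build) and checking the built RPM's file list for any remaining Smarty-2.6.0 files. Note also that the hunk only removes the directory: comment 3 says the patch that made the package use the system smarty was reverted because it crashed, so without that patch back in place the code will look for a bundled copy that is no longer there.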
URL: (none) => http://lwn.net/Vulnerabilities/619213/
(In reply to David Walser from comment #2) > For php-pear-PhpDocumentor, it already is patched to use the system smarty, > but it also ships its bundled copy because it isn't deleted during the > package build. Oden gave this svn diff to fix it: > > Index: SPECS/php-pear-PhpDocumentor.spec > =================================================================== > --- SPECS/php-pear-PhpDocumentor.spec (revision 795826) > +++ SPECS/php-pear-PhpDocumentor.spec (working copy) > @@ -64,6 +64,9 @@ > %patch -p 1 > mv package.xml %{upstream_name}-%{version}/%{upstream_name}.xml > > +# nuke bundled smarty > +rm -rf phpDocumentor/Smarty-2.6.0 > + > %install > cd %{upstream_name}-%{version} > pear install --nodeps --packagingroot %{buildroot} %{upstream_name}.xml It's not that simple. That patch was removed because of php-pear-PhpDocumentor crashing using the system smarty. It was easy to fix because php-pear-PhpDocumentor provided a bundled smarty-2.6.0. What I see in the report, the security advisory only lists smarty-3
(In reply to Thomas Spuhler from comment #3) > It's not that simple. > That patch was removed because of php-pear-PhpDocumentor crashing using the > system smarty. I see. > It was easy to fix because php-pear-PhpDocumentor provided a bundled > smarty-2.6.0. > What I see in the report, the security advisory only lists smarty-3 While that's true, smarty2 has several unfixed security vulnerabilities and is unmaintained upstream. In fact, I removed it from Cauldron today because of that. Does PhpDocumenter have a solution upstream for using smarty3?
(In reply to David Walser from comment #4)
> (In reply to Thomas Spuhler from comment #3)
> > It's not that simple.
> > That patch was removed because of php-pear-PhpDocumentor crashing using the
> > system smarty.
>
> I see.
>
> > It was easy to fix because php-pear-PhpDocumentor provided a bundled
> > smarty-2.6.0.
> > What I see in the report, the security advisory only lists smarty-3
>
> While that's true, smarty2 has several unfixed security vulnerabilities and
> is unmaintained upstream. In fact, I removed it from Cauldron today because
> of that. Does PhpDocumenter have a solution upstream for using smarty3?

This package is not maintained upstream anymore except for bug fixes. My take is this isn't true either.
It has been replaced with PhpDocumenter-2.8.0. I don't see smarty in there.
Let me try to see if it builds.
Fixed in Cauldron in php-smarty-3.1.21-1.mga5.
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Updated packages uploaded for Mageia 3 and Mageia 4.

Note to QA, there is a PoC here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765920

Advisory:
========================

Updated php-smarty packages fix security vulnerability:

Smarty before 3.1.21 allows remote attackers to bypass the secure mode
restrictions and execute arbitrary PHP code as demonstrated by
"{literal}<{/literal}script language=php>" in a template (CVE-2014-8350).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8350
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142696.html
========================

Updated packages in core/updates_testing:
========================
php-smarty-3.1.21-1.mga3
php-smarty-doc-3.1.21-1.mga3
php-smarty-3.1.21-1.mga4
php-smarty-doc-3.1.21-1.mga4

from SRPMS:
php-smarty-3.1.21-1.mga3
php-smarty-3.1.21-1.mga4
CC: (none) => oe
Assignee: oe => qa-bugs
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete mga4 64

Using modified PoC for our php-smarty path.

$ mkdir -p testing/templates
$ cd testing
$ cat test.php
<?php
require_once('/usr/share/php/Smarty/SmartyBC.class.php');
$smarty = new Smarty();
$smarty->setTemplateDir('templates/');
$smarty->setCompileDir('templates_c/');
$smarty->enableSecurity();
$smarty->force_compile = true;
$tpl = $smarty->createTemplate('test.tpl');
$tpl->compileTemplateSource();
$smarty->display('test.tpl');
?>
$ cat templates/test.tpl
{literal}<{/literal}script language=php>echo 1+1;</script>

Before
------
$ php ./test.php
2

This shows it has executed the script, echoing the result of 1 + 1.

After
-----
$ rm -rf templates_c
$ php ./test.php
<script language=php>echo 1+1;</script>
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
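As an added example (not part of this bug report, of the QA procedure, or of Smarty itself): a small Python scanner that applies the lesson of the PoC above. It first resolves {literal}...{/literal} blocks the way Smarty passes them through, then looks for PHP entry points, so a block that is only visible after resolution is the split-tag trick of CVE-2014-8350. The regexes, function names and sample templates are constructed here, and the check also covers "<?php"-style open tags, which is a generalization beyond the single pattern quoted in the advisory.

```python
import re

# Constructed sample templates (not taken from the bug report): the advisory's
# split-tag pattern, a directly visible PHP block, a benign {literal} block, and
# the same trick applied to a "<?php" open tag (generalization of the page's case).
SAMPLES = {
    "bypass": "{literal}<{/literal}script language=php>echo 1+1;</script>",
    "plain_php_tag": "<script language=php>echo 1+1;</script>",
    "benign_literal": "{literal}<b>{$title}</b>{/literal}",
    "short_tag": "{literal}<{/literal}?php echo 1; ?>",
}

# {literal}...{/literal} passes its body through verbatim, so stripping the
# tags reproduces the text that reaches the output.
LITERAL_RE = re.compile(r"\{literal\}(.*?)\{/literal\}", re.DOTALL)
# PHP entry points that Smarty's secure mode is meant to refuse.
PHP_SCRIPT_RE = re.compile(r"<script\s+language\s*=\s*['\"]?php['\"]?\s*>", re.I)
PHP_OPEN_RE = re.compile(r"<\?(?:php\b|=|(?!xml))", re.I)


def resolve_literals(src):
    """Replace each {literal} block by its body, as Smarty does at compile time."""
    return LITERAL_RE.sub(lambda m: m.group(1), src)


def find_php_blocks(src):
    """Return (kind, offset) for every PHP entry point visible after resolution."""
    resolved = resolve_literals(src)
    hits = [("script", m.start()) for m in PHP_SCRIPT_RE.finditer(resolved)]
    hits += [("php_open", m.start()) for m in PHP_OPEN_RE.finditer(resolved)]
    return sorted(hits, key=lambda h: h[1])


def split_literal_hides_php(src):
    """True when a PHP entry point exists only after resolving {literal} blocks,
    i.e. a check that inspects the raw template text would miss it."""
    visible_raw = PHP_SCRIPT_RE.search(src) or PHP_OPEN_RE.search(src)
    return bool(find_php_blocks(src)) and not visible_raw


def scan(templates):
    """Classify each template: 'clean', 'php' (tag visible) or 'split-literal'."""
    result = {}
    for name, src in templates.items():
        if split_literal_hides_php(src):
            result[name] = "split-literal"
        elif find_php_blocks(src):
            result[name] = "php"
        else:
            result[name] = "clean"
    return result


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:15s} {verdict}")
```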
Testing complete Mageia 3 i586 and Mageia 4 i586 using Claire's procedure in Comment 8. I was able to reproduce the same results as she had, both before and after the update.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok
Testing on Mageia3-64 real HW

Using Claire's procedure in comment 8.

Current packages :
----------------
- php-smarty-3.1.11-4.mga3.noarch
- php-smarty-doc-3.1.11-4.mga3.noarch

$ php ./test.php
2

Updated testing packages :
------------------------
- php-smarty-3.1.21-1.mga3.noarch
- php-smarty-doc-3.1.21-1.mga3.noarch

$ php ./test.php
<script language=php>echo 1+1;</script>
CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok MGA3-64-OK
Thomas, Oden just informed me that php-pear-PhpDocumentor bundles more than just smarty, for instance php-ZendFramework2 as well. I see nothing requires php-pear-PhpDocumentor. Could we drop it from Cauldron?
(In reply to David Walser from comment #11)
> Thomas, Oden just informed me that php-pear-PhpDocumentor bundles more than
> just smarty, for instance php-ZendFramework2 as well. I see nothing
> requires php-pear-PhpDocumentor. Could we drop it from Cauldron?

No, I meant php-pear-phpDocumentor that's in svn only. Not the same thing.
(In reply to Oden Eriksson from comment #12)
> (In reply to David Walser from comment #11)
> > Thomas, Oden just informed me that php-pear-PhpDocumentor bundles more than
> > just smarty, for instance php-ZendFramework2 as well. I see nothing
> > requires php-pear-PhpDocumentor. Could we drop it from Cauldron?
>
> No, I meant php-pear-phpDocumentor that's in svn only. Not the same thing.

Oh, I see. OK. I just dropped that one from SVN then.
Note. For mga3 you also have: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4437
Thanks Oden. Use the Comment 7 advisory for Mageia 4. For Mageia 3, use below:

Advisory (Mageia 3):
========================

Updated php-smarty packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in the SmartyException class in
Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject
arbitrary web script or HTML via unspecified vectors that trigger a Smarty
exception (CVE-2012-4437).

Smarty before 3.1.21 allows remote attackers to bypass the secure mode
restrictions and execute arbitrary PHP code as demonstrated by
"{literal}<{/literal}script language=php>" in a template (CVE-2014-8350).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8350
https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142696.html
Validating, advisories uploaded as 14465.mga3.adv and 14465.mga4.adv.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok MGA3-64-OK => MGA3TOO has_procedure mga4-32-ok mga4-64-ok mga3-32-ok MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0468.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0469.html
LWN reference for CVE-2012-4437: http://lwn.net/Vulnerabilities/622956/
(In reply to Thomas Spuhler from comment #5)
> (In reply to David Walser from comment #4)
> > (In reply to Thomas Spuhler from comment #3)
> > > It's not that simple.
> > > That patch was removed because of php-pear-PhpDocumentor crashing using the
> > > system smarty.
> >
> > I see.
> >
> > > It was easy to fix because php-pear-PhpDocumentor provided a bundled
> > > smarty-2.6.0.
> > > What I see in the report, the security advisory only lists smarty-3
> >
> > While that's true, smarty2 has several unfixed security vulnerabilities and
> > is unmaintained upstream. In fact, I removed it from Cauldron today because
> > of that. Does PhpDocumenter have a solution upstream for using smarty3?
>
> This package is not maintained upstream anymore except for bug fixes. My
> take this isn't true either.
> It has been replaced with PhpDocumenter-2.8.0. I don't see smarty in there.
> Let me try to see if it builds.

I upgraded cauldron to phpDocumentor-2.8.1 (notice the spelling change) and obsoleted PhpDocumentor.
I am not quite sure how to handle this on mga4 (mga3 = EOL).
Reopening the bug report.
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Assignee: qa-bugs => thomas
This bug is closed, php-smarty is fixed. Feel free to open a new bug for phpDocumentor if you wish.
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
Assignee: thomas => qa-bugs