Debian has issued an advisory on January 22: https://www.debian.org/security/2018/dsa-4094 The issue was fixed upstream in 3.1.32. The upstream commit that fixed it is linked from here: https://security-tracker.debian.org/tracker/CVE-2017-1000480 Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugsCC: (none) => guillomovitch, mageia, marja11
Assignee: pkg-bugs => mageia
I have uploaded a patched package for Mageia 5/6. Suggested advisory: ======================== Updated php-smarty packages fix security vulnerabilities: Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name(CVE-2017-1000480). References: https://security-tracker.debian.org/tracker/CVE-2017-1000480 ======================== Updated packages in core/updates_testing: ======================== mga5: php-smarty-3.1.21-1.1.mga5 php-smarty-doc-3.1.21-1.1.mga5 mga6: php-smarty-3.1.21-3.mga6 php-smarty-doc-3.1.21-3.mga6 Source RPMs: php-smarty-3.1.21-1.1.mga5.src.rpm php-smarty-3.1.21-3.mga6.src.rpm
Assignee: mageia => qa-bugs
Version: Cauldron => 6CC: (none) => tmbWhiteboard: MGA6TOO => (none)
Note that this update only affects fusiondirectory, galette, and kolab-webadmin (at least on Mageia 5), so I don't consider it critical there, so don't feel the need to put a lot of effort into testing it. The commit diff confirms that the patch has been applied, so as long as the package installs (which it should), that should be sufficient.
Whiteboard: (none) => MGA5TOO
since this patch is really short and adds only a regex for the filename (shortend to 25 chars), I don't assume there is not much to test.
MGA5-32 on Dell Latitude D600 Xfce. No installation isues This is a celan install and apparently it does not break anything else, so OK.
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OKCC: (none) => herman.viaene
Mageia 6 :: x86_64 Clean install. # updatedb $ locate -i smarty That showed that the /usr/share/smarty directories are all populated, including doc folders.
CC: (none) => tarazed25
Correction - /usr/share/php/Smarty and /usr/share/doc/php-smarty directories.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Looks like a problem in Mageia 6. Core release has http://mirrors.kernel.org/mageia/distrib/6/x86_64/media/core/release/php-smarty-3.1.21-3.mga6.noarch.rpm Core updates testing has http://mirrors.kernel.org/mageia/distrib/6/x86_64/media/core/updates_testing/php-smarty-3.1.21-3.mga6.noarch.rpm So the update will not get installed when it's moved from testing to updates. Needs to have the version bumped. Removing the mga6-64-ok and adding the feedback marker. Noticed the problem while preparing to add the advisory to svn.
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OKCC: (none) => davidwhodginsKeywords: (none) => feedback
Advisory added to svn, but it will need to be updated once the mageia 6 srpm version is known.
@David: thanks, forgotten the subrel for mga6. Pushed php-smarty-3.1.21-3-1.mga6.src.rpm (only changed the subrel)
Keywords: feedback => (none)
MGA6-64 on Lenovo B50 Plasma No installation issues. Found files as indicated above (this laptop did not have a previous version).
Thanks. Updated advisory, validating the update.
Keywords: (none) => advisory, validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0118.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED