Bug 31794 - php-smarty new security issue CVE-2023-28447
Summary: php-smarty new security issue CVE-2023-28447
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2023-04-13 18:05 CEST by David Walser
Modified: 2023-04-24 02:22 CEST
CC List: 4 users

See Also:
Source RPM: php-smarty-4.3.0-1.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2023-04-13 18:05:03 CEST
Fedora has issued an advisory on April 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ/

The issue is fixed upstream in 4.3.1:
https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj

Mageia 8 is also affected.
David Walser 2023-04-13 18:05:17 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 4.3.1

Comment 1 Lewis Smith 2023-04-13 21:42:30 CEST
This is looked after by MarK, so assigning to you.

Assignee: bugsquad => mageia

Comment 2 Marc Krämer 2023-04-13 22:01:24 CEST
Updated php-smarty packages fix security vulnerabilities:

Update fixes a JS cross-site scripting vulnerability [1,2,3].

Some more errors have been fixed [4,5].


References:
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28447
[2] https://github.com/smarty-php/smarty/security/advisories/GHSA-7j98-h7fp-4vwj
[3] https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HSAUM3YHWHO4UCJXRGRLQGPJAO3MFOZZ/
[4] https://github.com/smarty-php/smarty/releases/tag/v4.3.0
[5] https://github.com/smarty-php/smarty/releases/tag/v4.3.1

========================

Updated packages in core/updates_testing:
========================
php-smarty-4.3.1-1.mga8.noarch.rpm

SRPM:
php-smarty-4.3.1-1.mga8.src.rpm

Assignee: mageia => qa-bugs
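Comment 2 names the fixed build, php-smarty-4.3.1-1.mga8, but not how an administrator confirms that an installed host actually carries it. The script below is an added example for this page, not something from the bug report or from the Smarty or Mageia projects: it extracts the upstream version from an rpm NVR string, compares it against the fixed version 4.3.1, and reports fixed/vulnerable/unknown. The NVR strings used to exercise it are constructed; the live query at the end runs only where rpm exists.

```shell
#!/bin/sh
# Added example, not part of bug 31794: does an installed php-smarty RPM carry
# the fix for CVE-2023-28447? Comment 2 gives the fixed Mageia 8 build as
# php-smarty-4.3.1-1.mga8, i.e. upstream version 4.3.1 (fixed in 4.3.1 upstream).

FIXED_VERSION="4.3.1"

# version_ge A B: succeed when dotted version A >= B.
# sort -V orders version-wise, so the first line of the sorted pair is the
# smaller version; if that is B, then A is greater than or equal to B.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# nvr_version NVR: pull the upstream version out of
# "php-smarty-<version>-<release>[.<arch>]"; prints nothing if the string
# does not look like a php-smarty NVR.
nvr_version() {
    printf '%s\n' "$1" | sed -n 's/^php-smarty-\([0-9][^-]*\)-[^-]*$/\1/p'
}

# smarty_status NVR: print "fixed", "vulnerable" or "unknown".
smarty_status() {
    v=$(nvr_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Live check on an rpm-based host (Mageia, Fedora, ...); skipped elsewhere.
# Example of the expected query result on a patched Mageia 8 system:
#   php-smarty-4.3.1-1.mga8.noarch  -> fixed
if command -v rpm >/dev/null 2>&1; then
    nvr=$(rpm -q php-smarty 2>/dev/null) && echo "php-smarty: $(smarty_status "$nvr")"
fi
```

The comparison is on the upstream version only, which is what the advisory's fix boundary refers to; distribution release tags (the "-1.mga8" part) are deliberately ignored, so a backported fix shipped under an older upstream version would still be reported as vulnerable and should be checked against the distribution's own changelog (rpm -q --changelog php-smarty).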

Comment 3 David Walser 2023-04-14 01:11:33 CEST
Note that this is pending a freeze move request for Cauldron.

Status comment: Fixed upstream in 4.3.1 => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => mageia

Comment 4 Thomas Andrews 2023-04-17 18:56:32 CEST
Tested in a VirtualBox mga8-64 Plasma guest. Installed php-smarty, then used qarepo to update it, with no installation issues.

Previous updates have identified this as a developer's tool, and have approved it on a clean update. Since this updated OK, and shows no ill effects on the system, I'm giving it an OK, and validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-04-24 00:00:19 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-04-24 02:22:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0155.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

