Bug 1155846 (CVE-2014-8350)

Summary: CVE-2014-8350 php-Smarty: secure mode bypass
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, christof, fedora, gwync, thuejk
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php-Smarty 3.1.21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-22 05:18:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1155847, 1155848, 1155849    
Bug Blocks:    

Description Murray McAllister 2014-10-23 02:40:32 UTC 
The 3.1.21 release fixes the following issue:

""
Smarty 3.1.21 minor bug fixes and improvements. Also following up a
security bug fix where <script language="php"> tags still worked in
secure mode. To note, this only affects users using Smarty in secure
mode and exposing templates to untrusted third parties.
""

It is not clear if the 2.x versions are affected or not.

CVE request:

http://seclists.org/oss-sec/2014/q4/420

References:

https://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt?r=4902
https://bugs.debian.org/765920
Comment 1 Murray McAllister 2014-10-23 02:41:28 UTC 
Created php-Smarty2 tracking bugs for this issue:

Affects: fedora-all [bug 1155848]
Comment 2 Murray McAllister 2014-10-23 02:41:31 UTC 
Created php-Smarty tracking bugs for this issue:

Affects: fedora-all [bug 1155847]
Affects: epel-all [bug 1155849]
Comment 3 Martin Prpič 2014-10-23 12:32:43 UTC 
MITRE assigned CVE-2014-8350 to this issue:

http://seclists.org/oss-sec/2014/q4/421
Comment 4 Johan Cwiklinski 2014-10-23 17:27:17 UTC 
(In reply to Murray McAllister from comment #0)
> It is not clear if the 2.x versions are affected or not.

According to https://security-tracker.debian.org/tracker/CVE-2014-8350, 2.x are also affected, but 2.x does not seems to be maintained anymore.

Code differs a lot beetween 2.x and 3.x releases; and I do not use 2.x; I'll not fix that.

Maybe we can consider to migrate to 3.x releases for EL-6 (seems that the default PHP version is OK)?
Comment 5 Salvatore Bonaccorso 2014-10-24 20:37:02 UTC 
Hi Johan, hi Murray,

(In reply to Johan Cwiklinski from comment #4)
> (In reply to Murray McAllister from comment #0)
> > It is not clear if the 2.x versions are affected or not.
> 
> According to https://security-tracker.debian.org/tracker/CVE-2014-8350, 2.x
> are also affected, but 2.x does not seems to be maintained anymore.

Actually I don't know (yet) if 2.x is also affected. Is marked as unfixed (and probably should be undetermined) as it is not verified to also affect 2.x series.

Regards,
Salvatore
Comment 6 Thue Janus Kristensen 2014-10-30 01:51:15 UTC 
I reported the original bug to the smarty project, and helped fix it. The bug does not exist in Smarty 2.x.
Comment 7 Fedora Update System 2014-11-05 03:55:29 UTC 
php-Smarty-3.1.21-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-11-05 03:57:12 UTC 
php-Smarty-3.1.21-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-11-10 06:28:47 UTC 
php-Smarty-3.1.21-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-01-12 17:40:25 UTC 
php-Smarty-3.1.21-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.