Bug 435810 (CVE-2008-1066)

Summary: CVE-2008-1066 smarty arbitrary code execution in template
Product: [Other] Security Response Reporter: Red Hat Product Security <security-response-team>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: chris.stone, icon, vdanen
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1066
Whiteboard:
Fixed In Version: 2.6.19-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-16 18:56:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 435811, 435812, 435813, 438058, 438059, 438060, 438062, 438063, 438064    
Bug Blocks:    

Description Lubomir Kundrak 2008-03-03 23:13:48 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1066 to the following vulnerability:

The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP functions via templates, related to a '\0' character in a search string.

References:

http://blog.s9y.org/archives/191-Serendipity-1.3-beta1-released.html
http://www.phpinsider.com/smarty-forum/viewtopic.php?p=47652
http://www.smarty.net/misc/NEWS
Comment 2 Christopher Stone 2008-03-04 02:29:35 UTC 
(In reply to comment #0)
> The modifier.regex_replace.php plugin in Smarty before 2.6.19
--------------------------------------------------^^^^^^

*before*, as in 2.6.18 and lower, as in this was fixed last week.  Please do me
a favor and close all these bugs for me so I don't have to waste time doing it
myself....

Thanks.
Comment 3 Tomas Hoger 2008-03-05 17:48:49 UTC 
Updates were pushed to Fedora stable as bugfixes:

https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1928
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1911
Comment 6 Lubomir Kundrak 2008-03-18 20:38:09 UTC 
php-pear-PhpDocumentor and gallery2 should not embed a copy of smarty.
Is there a possibility to make it use code from the php-Smarty package?
Comment 7 Christopher Stone 2008-03-18 22:29:57 UTC 
(In reply to comment #6)
> php-pear-PhpDocumentor and gallery2 should not embed a copy of smarty.
> Is there a possibility to make it use code from the php-Smarty package?

It should be possible, yes.
Comment 8 Fedora Update System 2008-03-21 19:31:50 UTC 
php-pear-PhpDocumentor-1.4.1-2.fc8 has been submitted as an update for Fedora 8
Comment 9 Fedora Update System 2008-03-21 22:08:14 UTC 
gallery2-2.2.4-3.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update gallery2'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F7/FEDORA-2008-2587
Comment 10 Fedora Update System 2008-03-26 17:09:29 UTC 
php-pear-PhpDocumentor-1.4.1-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-04-17 03:53:27 UTC 
gallery2-2.2.4-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2008-04-17 03:56:57 UTC 
gallery2-2.2.4-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 John Berninger 2008-05-04 13:06:24 UTC 
Removing myself (john@ncphotography) from CC list as updated required for my
packages have been pushed.
Comment 15 Red Hat Bugzilla 2009-10-23 19:05:00 UTC 
Reporter changed to security-response-team by request of Jay Turner.