Bug 469648 (CVE-2008-4811)

Summary: CVE-2008-4811 php-Smarty: PHP code execution via templates with \ escaped $ sign
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: chris.stone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4811
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-11-26 08:20:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-11-03 09:01:21 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4811 to the following vulnerability:

The _expand_quoted_text function in libs/Smarty_Compiler.class.php in
Smarty 2.6.20 r2797 and earlier allows remote attackers to execute
arbitrary PHP code via vectors related to templates and a \
(backslash) before a dollar-sign character.

References:
http://www.openwall.com/lists/oss-security/2008/10/25/2
http://securityvulns.ru/Udocument746.html
http://secunia.com/advisories/32329
Comment 1 Christopher Stone 2008-11-03 16:43:14 UTC 
Again, this bug description is confusing an inaccurate.

If I understand this correctly, r2797 *fixes* the problem, and the bug description should say "...in Smarty 2.6.20 r2796 and earlier..."
Comment 2 Fedora Update System 2008-11-03 17:29:38 UTC 
php-Smarty-2.6.20-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.20-2.fc9
Comment 3 Fedora Update System 2008-11-03 17:30:22 UTC 
php-Smarty-2.6.20-2.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.20-2.fc8
Comment 4 Fedora Update System 2008-11-07 02:50:15 UTC 
php-Smarty-2.6.20-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2008-11-07 02:52:00 UTC 
php-Smarty-2.6.20-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2008-11-23 18:57:08 UTC 
php-Smarty-2.6.20-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/php-Smarty-2.6.20-2.fc10
Comment 7 Fedora Update System 2008-11-26 06:24:58 UTC 
php-Smarty-2.6.20-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Red Hat Product Security 2008-11-26 08:20:07 UTC 
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9401
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9420
  https://admin.fedoraproject.org/updates/f10/FEDORA-2008-10409