Bug 636620

Summary: pgpoolAdmin: multiple vulnerabilities in embedded Smarty (2.6.13)
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: devrim, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: public=20100924,reported=20100922,source=researcher,impact=moderate,fedora-all/postgresql-pgpoolAdmin=affected,epel-5/postgresql-pgpoolAdmin=affected
Doc Type: Bug Fix
Clone Of: 636615
Bug Depends On: 847367, 637226

Description Vincent Danen 2010-09-22 13:53:01 EDT
Silvio Cesare reported that pgpoolAdmin includes an embedded copy of the Smarty PHP template engine that is vulnerable to a number of security-related issues.  The version of Smarty bundled in pgpoolAdmin 2.2 is 2.6.13, while the current version of Smarty is 2.6.25.  This would make the embedded version of Smarty, and thus pgpoolAdmin, vulnerable to a number of issues with CVE names, including:

CVE-2009-1669
CVE-2008-4811
CVE-2008-4810
CVE-2008-1066

There may be others as well.  The Smarty changelog [1] does identify a number of fixes since the 2.6.2 release.

Ideally, we should update the embedded version of Smarty to 2.6.25; however, I have no idea if that will break anything, as that is quite the jump.  We may have to identify and backport all the security fixes.

[1] http://www.smarty.net/changelog.php
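
An added example, not part of the original report or of pgpoolAdmin: one way to find bundled Smarty copies in an unpacked source tree and flag those older than the 2.6.25 release named in the description. It assumes the bundled copy keeps the upstream file name `Smarty.class.php` and its `$_version` line; the sample tree and its paths are constructed.

```python
import re
import tempfile
from pathlib import Path

# Smarty 2.x declares its release in Smarty.class.php as: var $_version = '2.6.13';
# (assumption: the bundled copy keeps the upstream file name and this line intact)
VERSION_RE = re.compile(r"""\$_version\s*=\s*['"](\d+(?:\.\d+)*)['"]""")


def parse_version(text):
    """Turn '2.6.13' into (2, 6, 13) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def find_embedded_smarty(root):
    """Yield (path, version string or None) for every Smarty.class.php under root."""
    for path in sorted(Path(root).rglob("Smarty.class.php")):
        match = VERSION_RE.search(path.read_text(errors="replace"))
        yield path, (match.group(1) if match else None)


def audit(root, minimum="2.6.25"):
    """Return findings for bundled copies older than `minimum` or of unknown version."""
    findings = []
    for path, version in find_embedded_smarty(root):
        if version is None:
            findings.append((str(path), "unknown", "version line not found; review manually"))
        elif parse_version(version) < parse_version(minimum):
            findings.append((str(path), version, f"older than {minimum}"))
    return findings


def build_sample_tree(root):
    """Constructed sample layout (hypothetical paths), not the real pgpoolAdmin tree."""
    old = Path(root) / "appA" / "libs"
    new = Path(root) / "appB" / "libs"
    for directory, version in ((old, "2.6.13"), (new, "2.6.25")):
        directory.mkdir(parents=True)
        (directory / "Smarty.class.php").write_text(
            f"<?php\nclass Smarty {{\n    var $_version = '{version}';\n}}\n"
        )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, version, reason in audit(tmp):
            print(f"{path}: Smarty {version} ({reason})")
```

A version match only shows which release was bundled; a packager may have backported fixes, so a hit still needs checking against the package changelog.
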
Comment 1 Vincent Danen 2010-09-22 13:54:17 EDT
Used upstream's contact form to make them aware of the issue.  Will wait a bit to see if we get a response before making this public.
Comment 2 Vincent Danen 2010-09-24 11:44:00 EDT
Upstream has reported that versions 2.3.1 and 3.0.1 have been released, which embed Smarty 2.6.26:

http://pgfoundry.org/frs/download.php/2804/pgpoolAdmin-2.3.1.tar.gz
http://pgfoundry.org/frs/download.php/2805/pgpoolAdmin-3.0.1.tar.gz

They also note that version 2.2 is no longer maintained, so we should upgrade to one of the above versions.
Comment 3 Vincent Danen 2010-09-24 11:48:57 EDT
Created postgresql-pgpoolAdmin tracking bugs for this issue

Affects: fedora-all [bug 637226]
Comment 4 Devrim GÜNDÜZ 2010-09-24 16:16:40 EDT
Ok, I'm on it.
Comment 5 Vincent Danen 2010-10-13 16:37:48 EDT
(In reply to comment #4)
> Ok, I'm on it.

Any progress on this yet?
Comment 6 Vincent Danen 2011-06-14 12:58:43 EDT
This is still unfixed in Fedora from what I can see.  Can this be taken care of soon?  It's quite old.
Comment 7 Fedora Update System 2012-05-08 00:14:50 EDT
postgresql-pgpoolAdmin-3.1.1-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-05-12 21:59:51 EDT
postgresql-pgpoolAdmin-3.1.1-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Vincent Danen 2012-08-10 14:16:38 EDT
EPEL5 still contains version 2.2, which is vulnerable.  Fedora is ok.
Comment 10 Vincent Danen 2012-08-10 14:17:16 EDT
Created postgresql-pgpoolAdmin tracking bugs for this issue

Affects: epel-5 [bug 847367]