Bug 748782 (CVE-2010-4724, CVE-2010-4725, CVE-2010-4727)
| Summary: | CVE-2010-4724 CVE-2010-4725 CVE-2010-4727 php-Smarty: Multiple unspecified vulnerabilities in Smarty 3.0.0 before RC3 | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | christof, gwync |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-10-25 14:15:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Jan Lieskovsky
2011-10-25 11:09:12 UTC
Relevant Smarty Changelog [2] entries:
===== RC3 =====
15/07/2010
..
20/06/2010
- replace internal get_time() calls with standard PHP5 microtime(true) calls
- closed security hole when php.ini asp_tags = on
..
17/04/2010
- security fix in {math} plugin
..
01/12/2010
- changed back modifer handling in parser. Some restrictions still apply:
if modifiers are used in side {if...} expression or in mathematical expressions
parentheses must be used.
- bugfix the {function..} tag did not accept the name attribute in double quotes
- closed possible security hole at <?php ... ?> tags
- bugfix of config file parser on large config files
and to them related SVN log entries:
r3606 | Uwe.Tews | 2010-06-20 22:37:16 +0200 (Sun, 20 Jun 2010) | 2 lines
- closed security hole when php.ini asp_tags = on
r3555 | Uwe.Tews | 2010-04-17 12:24:44 +0200 (Sat, 17 Apr 2010) | 2 lines
- security fix in {math} plugin
r3451 | Uwe.Tews | 2010-01-12 23:12:19 +0100 (Tue, 12 Jan 2010) | 3 lines
- closed possible security hole at <?php ... ?> tags
- bugfix of config file parser on large config files
Created attachment 530058
Smarty r3606 SVN repository upstream patch
Created attachment 530059
Smarty r3555 SVN repository upstream patch
Created attachment 530060
Smarty r3451 SVN repository upstream patch
Patches from revisions r3606 and r3451 don't seem to be applicable to the versions of php-Smarty, as shipped with Fedora release of 14, 15 and as shipped with Fedora EPEL 5 and Fedora EPEL 6 repositories.
--
Patch from revision r3555 (security fix in {math} plugin) is applicable to versions of php-Smarty package, as shipped with Fedora release of 14, 15, and as shipped with Fedora EPEL 5 and Fedora EPEL 6 repositories.
Was wrong here. All of the three below, got their own, dedicated CVE identifiers as follows:

(In reply to comment #1)
> Relevant Smarty Changelog [2] entries:
>
> ===== RC3 =====
>
> 15/07/2010
> ..
> 20/06/2010
> - replace internal get_time() calls with standard PHP5 microtime(true) calls
> - closed security hole when php.ini asp_tags = on
> ..

CVE-2010-4725:
Smarty before 3.0.0 RC3 does not properly handle an on value of the asp_tags option in the php.ini file, which has unspecified impact and remote attack vectors.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4725
[2] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt

>
> 17/04/2010
> - security fix in {math} plugin
> ..
>

CVE-2010-4726:
Unspecified vulnerability in the math plugin in Smarty before 3.0.0 RC1 has unknown impact and remote attack vectors. NOTE: this might overlap CVE-2009-1669.

References:
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4726
[4] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt

This issue is tracked under separated Red Hat Bugzilla issue tracking system entry:
[5] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4726

since it also affects the versions of php-Smarty package, as shipped within various Fedora and EPEL releases.

> 01/12/2010
> - changed back modifer handling in parser. Some restrictions still apply:
> if modifiers are used in side {if...} expression or in mathematical
> expressions
> parentheses must be used.
> - bugfix the {function..} tag did not accept the name attribute in double
> quotes
> - closed possible security hole at <?php ... ?> tags

CVE-2010-4727:
Smarty before 3.0.0 beta 7 does not properly handle the <?php and ?> tags, which has unspecified impact and remote attack vectors.

References:
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4727
[7] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt

> - bugfix of config file parser on large config files
>
>
> and to them related SVN log entries:
>
> r3606 | Uwe.Tews | 2010-06-20 22:37:16 +0200 (Sun, 20 Jun 2010) | 2 lines
>
> - closed security hole when php.ini asp_tags = on
>
> r3555 | Uwe.Tews | 2010-04-17 12:24:44 +0200 (Sat, 17 Apr 2010) | 2 lines
>
> - security fix in {math} plugin
>
> r3451 | Uwe.Tews | 2010-01-12 23:12:19 +0100 (Tue, 12 Jan 2010) | 3 lines
>
> - closed possible security hole at <?php ... ?> tags
> - bugfix of config file parser on large config files

which means, that CVE-2010-4724 identifier refers to yet 'some other' unspecified security fixes in Smarty between versions 3.0.0 Beta 6 up to 3.0.0 RC3.

Resolution due CVE-2010-4724, CVE-2010-4725 and CVE-2010-4726 Smarty / php-Smarty flaws:

Not vulnerable. These issues did NOT affect the versions of the php-Smarty package, as shipped with Fedora release of 14, 15, and did NOT affect the versions of the php-Smarty package, as present within Fedora EPEL 5 and Fedora EPEL 6 repositories.