Bug 858987 (CVE-2012-4437)

Summary: CVE-2012-4437 php-Smarty: XSS due to improper sanitization of messages within SmartyException
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: christof, fedora, gwync, jrusnack
Keywords: Reopened, Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-01-22 05:15:09 UTC
Bug Depends On: 858989, 920149
Attachments: Local copy of Debian's patch for php-Smarty v2 (flags: none)

Description Jan Lieskovsky 2012-09-20 09:54:18 UTC
A cross-site scripting (XSS) flaw was found in the way the SmartyException class of Smarty (php-Smarty), a template / presentation framework for the PHP language, performed sanitization of exception messages. A remote attacker could use this flaw to execute arbitrary HTML or web script in the context of a Smarty user's session if the victim visited a specially-crafted web page.

References:
[1] http://secunia.com/advisories/50589/
[2] http://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt
[3] http://www.openwall.com/lists/oss-security/2012/09/19/1
[4] http://www.openwall.com/lists/oss-security/2012/09/20/3

Upstream patch:
[5] http://code.google.com/p/smarty-php/source/detail?r=4658
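
An added illustration of the bug class described above, not Smarty's code and not the upstream patch: an exception message that embeds request-derived text is printed into an HTML error page, first raw and then escaped at construction time. The class names, the loader function, the `$escape` switch and the template-name input are all hypothetical.

```php
<?php
// Added illustration; every name here is hypothetical, not taken from Smarty.

// "Before": the exception keeps the raw message unchanged.
class RawTemplateException extends Exception {}

// "After": the message is HTML-escaped once, when the exception is built,
// so any handler that prints it emits inert text.
class EscapedTemplateException extends Exception
{
    // Assumed opt-out for non-HTML sinks such as CLI output or log files.
    public static $escape = true;

    public function __construct($message, $code = 0)
    {
        if (self::$escape) {
            $message = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
        }
        parent::__construct($message, $code);
    }
}

// Hypothetical loader: the requested template name ends up in the error text.
function loadTemplate($name, $exceptionClass)
{
    throw new $exceptionClass("Unable to load template '" . $name . "'");
}

// Build the error page fragment the way a catch-all handler might.
function renderError($name, $exceptionClass)
{
    try {
        loadTemplate($name, $exceptionClass);
    } catch (Exception $e) {
        return '<p class="error">' . $e->getMessage() . '</p>';
    }
}

// Constructed input: a template name taken from a request parameter, carrying markup.
$name = '<script>alert(1)</script>.tpl';

// Raw class: the markup reaches the page as markup.
echo renderError($name, 'RawTemplateException'), "\n";
// Escaped class: the same characters arrive as HTML entities and display as text.
echo renderError($name, 'EscapedTemplateException'), "\n";
```

Escaping inside the exception protects handlers that print the message directly; a handler that escapes again on output will show double-encoded entities, which is why the sketch includes an opt-out switch.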

Comment 1 Jan Lieskovsky 2012-09-20 09:56:55 UTC
This issue affects the version of the php-Smarty package, as shipped with Fedora Rawhide. Please schedule an update.

--

This issue did NOT affect the versions of the php-Smarty package, as shipped with Fedora releases 16 and 17 (as they did not include support for SmartyException class yet).

--

This issue did NOT affect the versions of the php-Smarty package, as shipped with Fedora EPEL 5 and Fedora EPEL 6 (as they did not include support for SmartyException class yet).

Comment 2 Jan Lieskovsky 2012-09-20 09:58:25 UTC
Created php-Smarty tracking bugs for this issue

Affects: fedora-rawhide [bug 858989]

Comment 3 Gwyn Ciesla 2012-09-20 12:34:02 UTC
Affects f18 also, will update.

Comment 4 Jan Lieskovsky 2012-09-26 08:38:08 UTC
(In reply to comment #3)
> Affects f18 also, will update.

Thanks, Jon.

Looks like this issue has been corrected in both Rawhide and Fedora 18. Closing this bug (feel free to reopen if still needed).

Regards, Jan.

Comment 5 Jan Lieskovsky 2013-03-11 13:07:52 UTC
This issue affects the (current) version (php-Smarty-2.6.26-1.el5.2) of the php-Smarty package, as shipped with Fedora EPEL-5 => reopening the bug.

Relevant patch for php-Smarty v2.6 version (from corresponding Debian bug):
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702710#10

Comment 6 Jan Lieskovsky 2013-03-11 13:10:09 UTC
Created attachment 708356 [details]
Local copy of Debian's patch for php-Smarty v2

(from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702710#10)

Comment 7 Jan Lieskovsky 2013-03-11 13:11:19 UTC
Created php-Smarty tracking bugs for this issue

Affects: epel-5 [bug 920149]