Bug 1155846 (CVE-2014-8350) - CVE-2014-8350 php-Smarty: secure mode bypass
Summary: CVE-2014-8350 php-Smarty: secure mode bypass
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2014-8350
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1155847 1155848 1155849
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-10-23 02:40 UTC by Murray McAllister
Modified: 2019-09-29 13:23 UTC (History)
5 users (show)

Fixed In Version: php-Smarty 3.1.21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-22 05:18:18 UTC

Attachments (Terms of Use)

Description Murray McAllister 2014-10-23 02:40:32 UTC 
The 3.1.21 release fixes the following issue:

""
Smarty 3.1.21 minor bug fixes and improvements. Also following up a
security bug fix where <script language="php"> tags still worked in
secure mode. To note, this only affects users using Smarty in secure
mode and exposing templates to untrusted third parties.
""

It is not clear if the 2.x versions are affected or not.

CVE request:

http://seclists.org/oss-sec/2014/q4/420

References:

https://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt?r=4902
https://bugs.debian.org/765920
Comment 1 Murray McAllister 2014-10-23 02:41:28 UTC 
Created php-Smarty2 tracking bugs for this issue:

Affects: fedora-all [bug 1155848]
Comment 2 Murray McAllister 2014-10-23 02:41:31 UTC 
Created php-Smarty tracking bugs for this issue:

Affects: fedora-all [bug 1155847]
Affects: epel-all [bug 1155849]
Comment 3 Martin Prpič 2014-10-23 12:32:43 UTC 
MITRE assigned CVE-2014-8350 to this issue:

http://seclists.org/oss-sec/2014/q4/421
Comment 4 Johan Cwiklinski 2014-10-23 17:27:17 UTC 
(In reply to Murray McAllister from comment #0)
> It is not clear if the 2.x versions are affected or not.

According to https://security-tracker.debian.org/tracker/CVE-2014-8350, 2.x are also affected, but 2.x does not seems to be maintained anymore.

Code differs a lot beetween 2.x and 3.x releases; and I do not use 2.x; I'll not fix that.

Maybe we can consider to migrate to 3.x releases for EL-6 (seems that the default PHP version is OK)?
Comment 5 Salvatore Bonaccorso 2014-10-24 20:37:02 UTC 
Hi Johan, hi Murray,

(In reply to Johan Cwiklinski from comment #4)
> (In reply to Murray McAllister from comment #0)
> > It is not clear if the 2.x versions are affected or not.
> 
> According to https://security-tracker.debian.org/tracker/CVE-2014-8350, 2.x
> are also affected, but 2.x does not seems to be maintained anymore.

Actually I don't know (yet) if 2.x is also affected. Is marked as unfixed (and probably should be undetermined) as it is not verified to also affect 2.x series.

Regards,
Salvatore
Comment 6 Thue Janus Kristensen 2014-10-30 01:51:15 UTC 
I reported the original bug to the smarty project, and helped fix it. The bug does not exist in Smarty 2.x.
Comment 7 Fedora Update System 2014-11-05 03:55:29 UTC 
php-Smarty-3.1.21-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-11-05 03:57:12 UTC 
php-Smarty-3.1.21-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-11-10 06:28:47 UTC 
php-Smarty-3.1.21-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-01-12 17:40:25 UTC 
php-Smarty-3.1.21-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.