Bug 435810 - (CVE-2008-1066) CVE-2008-1066 smarty arbitrary code execution in template
CVE-2008-1066 smarty arbitrary code execution in template
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
: Reopened, Security
Depends On: 435811 435812 435813 438058 438059 438060 438062 438063 438064
Blocks:
  Show dependency treegraph
 
Reported: 2008-03-03 18:13 EST by Red Hat Product Security
Modified: 2011-06-16 14:56 EDT (History)
3 users (show)

See Also:
Fixed In Version: 2.6.19-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-16 14:56:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Lubomir Kundrak 2008-03-03 18:13:48 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1066 to the following vulnerability:

The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP functions via templates, related to a '\0' character in a search string.

References:

http://blog.s9y.org/archives/191-Serendipity-1.3-beta1-released.html
http://www.phpinsider.com/smarty-forum/viewtopic.php?p=47652
http://www.smarty.net/misc/NEWS
Comment 2 Christopher Stone 2008-03-03 21:29:35 EST
(In reply to comment #0)
> The modifier.regex_replace.php plugin in Smarty before 2.6.19
--------------------------------------------------^^^^^^

*before*, as in 2.6.18 and lower, as in this was fixed last week.  Please do me
a favor and close all these bugs for me so I don't have to waste time doing it
myself....

Thanks.
Comment 3 Tomas Hoger 2008-03-05 12:48:49 EST
Updates were pushed to Fedora stable as bugfixes:

https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1928
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1911
Comment 6 Lubomir Kundrak 2008-03-18 16:38:09 EDT
php-pear-PhpDocumentor and gallery2 should not embed a copy of smarty.
Is there a possibility to make it use code from the php-Smarty package?
Comment 7 Christopher Stone 2008-03-18 18:29:57 EDT
(In reply to comment #6)
> php-pear-PhpDocumentor and gallery2 should not embed a copy of smarty.
> Is there a possibility to make it use code from the php-Smarty package?

It should be possible, yes.
Comment 8 Fedora Update System 2008-03-21 15:31:50 EDT
php-pear-PhpDocumentor-1.4.1-2.fc8 has been submitted as an update for Fedora 8
Comment 9 Fedora Update System 2008-03-21 18:08:14 EDT
gallery2-2.2.4-3.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update gallery2'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F7/FEDORA-2008-2587
Comment 10 Fedora Update System 2008-03-26 13:09:29 EDT
php-pear-PhpDocumentor-1.4.1-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-04-16 23:53:27 EDT
gallery2-2.2.4-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2008-04-16 23:56:57 EDT
gallery2-2.2.4-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 John Berninger 2008-05-04 09:06:24 EDT
Removing myself (john@ncphotography) from CC list as updated required for my
packages have been pushed.
Comment 15 Red Hat Bugzilla 2009-10-23 15:05:00 EDT
Reporter changed to security-response-team@redhat.com by request of Jay Turner.

Note You need to log in before you can comment on or make changes to this bug.