Bug 435810 (CVE-2008-1066) - CVE-2008-1066 smarty arbitrary code execution in template
Summary: CVE-2008-1066 smarty arbitrary code execution in template
Status: CLOSED ERRATA
Alias: CVE-2008-1066
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Keywords: Reopened, Security
Depends On: 435811 435812 435813 438058 438059 438060 438062 438063 438064
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-03-03 23:13 UTC by Red Hat Product Security
Modified: 2011-06-16 18:56 UTC (History)
3 users (show)

Fixed In Version: 2.6.19-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-16 18:56:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Lubomir Kundrak 2008-03-03 23:13:48 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1066 to the following vulnerability:

The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP functions via templates, related to a '\0' character in a search string.

References:

http://blog.s9y.org/archives/191-Serendipity-1.3-beta1-released.html
http://www.phpinsider.com/smarty-forum/viewtopic.php?p=47652
http://www.smarty.net/misc/NEWS

Comment 2 Christopher Stone 2008-03-04 02:29:35 UTC
(In reply to comment #0)
> The modifier.regex_replace.php plugin in Smarty before 2.6.19
--------------------------------------------------^^^^^^

*before*, as in 2.6.18 and lower, as in this was fixed last week.  Please do me
a favor and close all these bugs for me so I don't have to waste time doing it
myself....

Thanks.


Comment 3 Tomas Hoger 2008-03-05 17:48:49 UTC
Updates were pushed to Fedora stable as bugfixes:

https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1928
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1911

Comment 6 Lubomir Kundrak 2008-03-18 20:38:09 UTC
php-pear-PhpDocumentor and gallery2 should not embed a copy of smarty.
Is there a possibility to make it use code from the php-Smarty package?

Comment 7 Christopher Stone 2008-03-18 22:29:57 UTC
(In reply to comment #6)
> php-pear-PhpDocumentor and gallery2 should not embed a copy of smarty.
> Is there a possibility to make it use code from the php-Smarty package?

It should be possible, yes.

Comment 8 Fedora Update System 2008-03-21 19:31:50 UTC
php-pear-PhpDocumentor-1.4.1-2.fc8 has been submitted as an update for Fedora 8

Comment 9 Fedora Update System 2008-03-21 22:08:14 UTC
gallery2-2.2.4-3.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update gallery2'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F7/FEDORA-2008-2587

Comment 10 Fedora Update System 2008-03-26 17:09:29 UTC
php-pear-PhpDocumentor-1.4.1-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2008-04-17 03:53:27 UTC
gallery2-2.2.4-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2008-04-17 03:56:57 UTC
gallery2-2.2.4-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 John Berninger 2008-05-04 13:06:24 UTC
Removing myself (john@ncphotography) from CC list as updated required for my
packages have been pushed.

Comment 15 Red Hat Bugzilla 2009-10-23 19:05:00 UTC
Reporter changed to security-response-team@redhat.com by request of Jay Turner.


Note You need to log in before you can comment on or make changes to this bug.