Bug 636620 - pgpoolAdmin: multiple vulnerabilities in embedded Smarty (2.6.13)
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
public=20100924,reported=20100922,sou...
Keywords: Security
Depends On: 847367 637226
Reported: 2010-09-22 13:53 EDT by Vincent Danen
Modified: 2015-07-31 08:22 EDT
Doc Type: Bug Fix
Clone Of: 636615
Description Vincent Danen 2010-09-22 13:53:01 EDT
Silvio Cesare reported that pgpoolAdmin includes an embedded copy of the Smarty PHP template engine that is vulnerable to a number of security-related issues.  The version of Smarty bundled in pgpoolAdmin 2.2 is 2.6.13, while the current version of Smarty is 2.6.25.  This would make the embedded version of Smarty, and thus pgpoolAdmin, vulnerable to a number of issues with CVE names, including:

CVE-2009-1669
CVE-2008-4811
CVE-2008-4810
CVE-2008-1066

There may be others as well.  The Smarty changelog [1] does identify a number of fixes since the 2.6.2 release.

Ideally, we should update the embedded version of Smarty to 2.6.25, however I have no idea if that will break anything as that is quite the jump.  We may have to identify and backport all the security fixes.

[1] http://www.smarty.net/changelog.php
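
An added example, not part of the bug report or of pgpoolAdmin's code: a scan that finds bundled copies of Smarty under a source tree and flags those older than a chosen release. It assumes Smarty 2.x declares its release in `Smarty.class.php` as `var $_version = '...'`; the default threshold of 2.6.25 is only the release the description names as current, and the directory layout in the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: Smarty 2.x declares its release as  var $_version = '2.6.13';
# in Smarty.class.php. This pattern is not taken from the bug report.
VERSION_RE = re.compile(r"\$_version\s*=\s*['\"](\d+(?:\.\d+)*)['\"]")


def parse_version(text):
    """Return the version tuple declared in a Smarty.class.php body, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def find_embedded_smarty(root, minimum=(2, 6, 25)):
    """Report every bundled Smarty.class.php under root as (path, version, status).

    status is 'outdated', 'ok', or 'unknown' when no version could be read.
    """
    findings = []
    for path in sorted(Path(root).rglob("Smarty.class.php")):
        version = parse_version(path.read_text(errors="replace"))
        if version is None:
            status = "unknown"  # stripped or patched copy: review by hand
        else:
            status = "outdated" if version < minimum else "ok"
        findings.append((path.relative_to(root).as_posix(), version, status))
    return findings


def build_sample_tree(root):
    """Constructed sample: three application trees with bundled copies."""
    samples = {
        "pgpoolAdmin-2.2/libs/Smarty.class.php": "var $_version = '2.6.13';",
        "pgpoolAdmin-2.3.1/libs/Smarty.class.php": "var $_version = '2.6.26';",
        "otherapp/libs/Smarty.class.php": "/* version string stripped */",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("<?php\nclass Smarty {\n    " + body + "\n}\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in find_embedded_smarty(tmp):
            print(finding)
```

A copy reported as `unknown` is not cleared: a distribution that backported fixes, as the description suggests may be necessary, can keep an old version string, so the version check only narrows where to look.
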
Comment 1 Vincent Danen 2010-09-22 13:54:17 EDT
Used upstream's contact form to make them aware of the issue.  Will wait a bit to see if we get a response before making this public.
Comment 2 Vincent Danen 2010-09-24 11:44:00 EDT
Upstream has reported that versions 2.3.1 and 3.0.1 have been released, which embed Smarty 2.6.26:

http://pgfoundry.org/frs/download.php/2804/pgpoolAdmin-2.3.1.tar.gz
http://pgfoundry.org/frs/download.php/2805/pgpoolAdmin-3.0.1.tar.gz

They also note that version 2.2 is no longer maintained, so we should upgrade to one of the above versions.
Comment 3 Vincent Danen 2010-09-24 11:48:57 EDT
Created postgresql-pgpoolAdmin tracking bugs for this issue

Affects: fedora-all [bug 637226]
Comment 4 Devrim GÜNDÜZ 2010-09-24 16:16:40 EDT
Ok, I'm on it.
Comment 5 Vincent Danen 2010-10-13 16:37:48 EDT
(In reply to comment #4)
> Ok, I'm on it.

Any progress on this yet?
Comment 6 Vincent Danen 2011-06-14 12:58:43 EDT
This is still unfixed in Fedora from what I can see.  Can this be taken care of soon?  It's quite old.
Comment 7 Fedora Update System 2012-05-08 00:14:50 EDT
postgresql-pgpoolAdmin-3.1.1-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-05-12 21:59:51 EDT
postgresql-pgpoolAdmin-3.1.1-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Vincent Danen 2012-08-10 14:16:38 EDT
EPEL5 still contains version 2.2, which is vulnerable.  Fedora is ok.
Comment 10 Vincent Danen 2012-08-10 14:17:16 EDT
Created postgresql-pgpoolAdmin tracking bugs for this issue

Affects: epel-5 [bug 847367]
