Common Vulnerabilities and Exposures assigned an identifier CVE-2009-5054 to the following vulnerability:

Smarty before 3.0.0 beta 4 does not consider the umask value when setting the permissions of files, which might allow attackers to bypass intended access restrictions via standard filesystem operations.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5054
[2] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt
Relevant Changelog entry:

-------
beta 4
11/18/2009
- observe umask settings when setting file permissions

And the particular SVN log entry for it:

r3351 | Uwe.Tews | 2009-11-18 18:25:18 +0100 (Wed, 18 Nov 2009) | 3 lines

- observe umask settings when setting file permissions
- avoide unneeded cache file creation for subtemplates which did occur in some situations
Created attachment 530046: Smarty r3351 upstream patch
This issue did NOT affect the versions of the php-Smarty package as shipped with Fedora releases 14 and 15 (the particular code in question is not present in those versions yet).

This issue did NOT affect the versions of the php-Smarty package as shipped with the Fedora EPEL 5 and Fedora EPEL 6 repositories (the particular code in question is not present in those versions yet).
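
The class of bug named in the CVE text, shown as an added example that is not part of this bug report, the attached upstream patch, or Smarty's code: a file writer that forces a fixed mode with chmod() beside one that first clears the bits the process umask forbids. The helpers write_atomic() and mode_of(), the file names, the 0644 mode and the 0077 umask are assumptions made for the illustration.

```php
<?php
// Added illustration; write_atomic() and mode_of() are hypothetical helpers, not Smarty's API.

function write_atomic(string $path, string $data, int $perms, bool $respectUmask): void
{
    // Write to a temp file in the target directory (tempnam() creates it 0600).
    $tmp = tempnam(dirname($path), 'wrt');
    if ($tmp === false || file_put_contents($tmp, $data) === false) {
        throw new RuntimeException("cannot write temp file for $path");
    }
    // umask() with no argument returns the current mask without changing it.
    // Unsafe variant: $perms is applied verbatim, so chmod() overrides the umask.
    // Fixed variant: bits the umask forbids are cleared first.
    $mode = $respectUmask ? ($perms & ~umask()) : $perms;
    // Set the mode before rename() so the final path never has looser bits.
    if (!chmod($tmp, $mode) || !rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException("cannot install $path");
    }
}

function mode_of(string $path): string
{
    clearstatcache(true, $path);
    return sprintf('%04o', fileperms($path) & 0777);
}

// Constructed scenario: the administrator runs the application under umask 0077.
$dir = sys_get_temp_dir() . '/umask_demo_' . getmypid();
mkdir($dir, 0700);
$oldMask = umask(0077);
try {
    $data = '<?php /* constructed compiled-template content */';
    write_atomic("$dir/ignores_umask.php", $data, 0644, false);
    write_atomic("$dir/observes_umask.php", $data, 0644, true);
    foreach (['ignores_umask.php', 'observes_umask.php'] as $name) {
        echo str_pad($name, 20), mode_of("$dir/$name"), "\n";
    }
} finally {
    umask($oldMask);
    array_map('unlink', glob("$dir/*.php"));
    rmdir($dir);
}
```

On a POSIX filesystem the first file keeps the group and other read bits that the umask was meant to withhold, while the second does not. When auditing for this pattern, look for chmod() calls on generated cache or compiled-template files that pass a constant mode.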