Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4722 to the following vulnerability: Unspecified vulnerability in the fetch plugin in Smarty before 3.0.2 has unknown impact and remote attack vectors. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4722 [2] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt
Relevant Smarty Changelog entry: ===== Smarty 3.0.2 ===== 12/11/2010 - reactivated $error_reporting property handling - fixed typo in compile_continue - fixed security in {fetch} plugin - changed back plugin parameters to two. second is template object with transparent access to Smarty object - fixed {config_load} scoping form compile time to run time and related SVN log entry: r3774 | uwe.tews | 2010-11-13 00:42:32 +0100 (Sat, 13 Nov 2010) | 7 lines - reactivated $error_reporting property handling - fixed typo in compile_continue - fixed security in {fetch} plugin - changed back plugin parameters to two. second is template object with transparent access to Smarty object - fixed {config_load} scoping form compile time to run time
Created attachment 530055 [details] Smarty r3774 SVN repository upstream patch
This issue affects the versions of the php-Smarty package, as shipped with Fedora release of 14 and 15. Please schedule an update. -- This issue affects the versions of the php-Smarty package, as shipped with Fedora EPEL 5 and Fedora EPEL 6 repositories. Please schedule an update. Note: Relevant change from upstream SVN r3774 revision is the following one: Index: distribution/libs/plugins/function.fetch.php =================================================================== --- distribution/libs/plugins/function.fetch.php (revision 3773) +++ distribution/libs/plugins/function.fetch.php (revision 3774) @@ -21,7 +21,7 @@ * @return string|null if the assign parameter is passed, Smarty assigns the * result to a template variable */ -function smarty_function_fetch($params, $smarty, $template) +function smarty_function_fetch($params, $template) { if (empty($params['file'])) { trigger_error("[plugin] fetch parameter 'file' cannot be empty",E_USER_NOTICE); @@ -29,8 +29,8 @@ } $content = ''; - if ($template->security && !preg_match('!^(http|ftp)://!i', $params['file'])) { - if(!$smarty->security_handler->isTrustedResourceDir($params['file'])) { + if (isset($template->security_policy) && !preg_match('!^(http|ftp)://!i', $params['file'])) { + if(!$template->security_policy->isTrustedResourceDir($params['file'])) { return; }
Created php-Smarty tracking bugs for this issue Affects: fedora-all [bug 748909] Affects: epel-6 [bug 748910] Affects: epel-5 [bug 748911]
This patch doesn't apply against 2.6.26. Does this impact everything pre-3.0.2 or only 3.x.y pre-3.0.2?