Bug 748782 (CVE-2010-4724, CVE-2010-4725, CVE-2010-4727) - CVE-2010-4724 CVE-2010-4725 CVE-2010-4727 php-Smarty: Multiple unspecified vulnerabilities in Smarty 3.0.0 before RC3
Summary: CVE-2010-4724 CVE-2010-4725 CVE-2010-4727 php-Smarty: Multiple unspecified vu...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2010-4724, CVE-2010-4725, CVE-2010-4727
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-10-25 11:09 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:48 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-25 14:15:04 UTC


Attachments (Terms of Use)
Smarty r3606 SVN repository upstream patch (236.11 KB, patch)
2011-10-25 11:20 UTC, Jan Lieskovsky
no flags Details | Diff
Smarty r3555 SVN repository upstream patch (767 bytes, patch)
2011-10-25 11:20 UTC, Jan Lieskovsky
no flags Details | Diff
Smarty r3451 SVN repository upstream patch (12.59 KB, patch)
2011-10-25 11:21 UTC, Jan Lieskovsky
no flags Details | Diff

Description Jan Lieskovsky 2011-10-25 11:09:12 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4724 to
the following vulnerability:

Multiple unspecified vulnerabilities in the parser implementation in Smarty before 3.0.0 RC3 have unknown impact and remote attack vectors. 

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4724
[2] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt

Comment 1 Jan Lieskovsky 2011-10-25 11:15:19 UTC
Relevant Smarty Changelog [2] entries:

=====  RC3 =====

15/07/2010
..
20/06/2010
- replace internal get_time() calls with standard PHP5 microtime(true) calls
- closed security hole when php.ini asp_tags = on
..

17/04/2010
- security fix in {math} plugin
..

01/12/2010
- changed back modifer handling in parser. Some restrictions still apply:
    if modifiers are used in side {if...} expression or in mathematical expressions 
    parentheses must be used.
- bugfix the {function..} tag did not accept the name attribute in double quotes
- closed possible security hole at <?php ... ?> tags
- bugfix of config file parser on large config files


and to them related SVN log entries:

r3606 | Uwe.Tews | 2010-06-20 22:37:16 +0200 (Sun, 20 Jun 2010) | 2 lines

- closed security hole when php.ini asp_tags = on

r3555 | Uwe.Tews | 2010-04-17 12:24:44 +0200 (Sat, 17 Apr 2010) | 2 lines

- security fix in {math} plugin

r3451 | Uwe.Tews | 2010-01-12 23:12:19 +0100 (Tue, 12 Jan 2010) | 3 lines

- closed possible security hole at <?php ... ?> tags
- bugfix of config file parser on large config files

Comment 2 Jan Lieskovsky 2011-10-25 11:20:04 UTC
Created attachment 530058 [details]
Smarty r3606 SVN repository upstream patch

Comment 3 Jan Lieskovsky 2011-10-25 11:20:43 UTC
Created attachment 530059 [details]
Smarty r3555 SVN repository upstream patch

Comment 4 Jan Lieskovsky 2011-10-25 11:21:28 UTC
Created attachment 530060 [details]
Smarty r3451 SVN repository upstream patch

Comment 5 Jan Lieskovsky 2011-10-25 11:26:30 UTC
Patches from revisions r3606 and r3451 doesn't seem to be applicable to the versions of php-Smarty, as shipped with Fedora release of 14, 15 and as shipped with Fedora EPEL 5 and Fedora EPEL 6 repositories.

--

Patch from revision r3555 (security fix in {math} plugin) is applicable to versions of php-Smarty package, as shipped with Fedora release of 14, 15, and as shipped with Fedora EPEL 5 and Fedora EPEL 6 repositories.

Comment 6 Jan Lieskovsky 2011-10-25 14:11:34 UTC
Was wrong here. All of the three below, got their own, dedicated CVE identifiers
as follows:

(In reply to comment #1)
> Relevant Smarty Changelog [2] entries:
> 
> =====  RC3 =====
> 
> 15/07/2010
> ..
> 20/06/2010
> - replace internal get_time() calls with standard PHP5 microtime(true) calls
> - closed security hole when php.ini asp_tags = on
> ..

CVE-2010-4725:

Smarty before 3.0.0 RC3 does not properly handle an on value of the asp_tags option in the php.ini file, which has unspecified impact and remote attack vectors.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4725
[2] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt

> 
> 17/04/2010
> - security fix in {math} plugin
> ..
> 

CVE-2010-4726:
Unspecified vulnerability in the math plugin in Smarty before 3.0.0 RC1 has unknown impact and remote attack vectors. NOTE: this might overlap CVE-2009-1669. 

References:
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4726
[4] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt

This issue is tracked under separated Red Hat Bugzilla issue tracking system entry:
[5] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4726

since it also affects the versions of php-Smarty package, as shipped within various Fedora and EPEL releases.

> 01/12/2010
> - changed back modifer handling in parser. Some restrictions still apply:
>     if modifiers are used in side {if...} expression or in mathematical
> expressions 
>     parentheses must be used.
> - bugfix the {function..} tag did not accept the name attribute in double
> quotes
> - closed possible security hole at <?php ... ?> tags

CVE-2010-4727:
Smarty before 3.0.0 beta 7 does not properly handle the <?php and ?> tags, which has unspecified impact and remote attack vectors. 

References:
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4727
[7] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt

> - bugfix of config file parser on large config files
> 
> 
> and to them related SVN log entries:
> 
> r3606 | Uwe.Tews | 2010-06-20 22:37:16 +0200 (Sun, 20 Jun 2010) | 2 lines
> 
> - closed security hole when php.ini asp_tags = on
> 
> r3555 | Uwe.Tews | 2010-04-17 12:24:44 +0200 (Sat, 17 Apr 2010) | 2 lines
> 
> - security fix in {math} plugin
> 
> r3451 | Uwe.Tews | 2010-01-12 23:12:19 +0100 (Tue, 12 Jan 2010) | 3 lines
> 
> - closed possible security hole at <?php ... ?> tags
> - bugfix of config file parser on large config files

which means, that CVE-2010-4724 identifier refers to yet 'some other' unspecified security fixes in Smarty between versions 3.0.0 Beta 6 up to 3.0.0 RC3.

Comment 7 Jan Lieskovsky 2011-10-25 14:15:04 UTC
Resolution due CVE-2010-4724, CVE-2010-4725 and CVE-2010-4726 Smarty / php-Smarty flaws:

Not vulnerable. These issues did NOT affect the versions of the php-Smarty package, as shipped with Fedora release of 14, 15, and did NOT affect the versions of the php-Smarty package, as present within Fedora EPEL 5 and Fedora EPEL 6 repositories.


Note You need to log in before you can comment on or make changes to this bug.