Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4724 to the following vulnerability:

Multiple unspecified vulnerabilities in the parser implementation in Smarty before 3.0.0 RC3 have unknown impact and remote attack vectors.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4724
[2] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt
Relevant Smarty Changelog [2] entries:

===== RC3 =====

15/07/2010
..
20/06/2010
- replace internal get_time() calls with standard PHP5 microtime(true) calls
- closed security hole when php.ini asp_tags = on
..
17/04/2010
- security fix in {math} plugin
..
01/12/2010
- changed back modifier handling in parser. Some restrictions still apply:
  if modifiers are used inside {if...} expression or in mathematical expressions
  parentheses must be used.
- bugfix the {function..} tag did not accept the name attribute in double quotes
- closed possible security hole at <?php ... ?> tags
- bugfix of config file parser on large config files

and the SVN log entries related to them:

r3606 | Uwe.Tews | 2010-06-20 22:37:16 +0200 (Sun, 20 Jun 2010) | 2 lines
- closed security hole when php.ini asp_tags = on

r3555 | Uwe.Tews | 2010-04-17 12:24:44 +0200 (Sat, 17 Apr 2010) | 2 lines
- security fix in {math} plugin

r3451 | Uwe.Tews | 2010-01-12 23:12:19 +0100 (Tue, 12 Jan 2010) | 3 lines
- closed possible security hole at <?php ... ?> tags
- bugfix of config file parser on large config files
Created attachment 530058: Smarty r3606 SVN repository upstream patch
Created attachment 530059: Smarty r3555 SVN repository upstream patch
Created attachment 530060: Smarty r3451 SVN repository upstream patch
Patches from revisions r3606 and r3451 don't seem to be applicable to the versions of php-Smarty as shipped with Fedora releases 14 and 15 and as shipped with the Fedora EPEL 5 and Fedora EPEL 6 repositories.

The patch from revision r3555 (security fix in {math} plugin) is applicable to the versions of the php-Smarty package as shipped with Fedora releases 14 and 15 and as shipped with the Fedora EPEL 5 and Fedora EPEL 6 repositories.
Was wrong here. All three of the entries below got their own dedicated CVE identifiers, as follows:

(In reply to comment #1)
> Relevant Smarty Changelog [2] entries:
>
> ===== RC3 =====
>
> 15/07/2010
> ..
> 20/06/2010
> - replace internal get_time() calls with standard PHP5 microtime(true) calls
> - closed security hole when php.ini asp_tags = on
> ..

CVE-2010-4725: Smarty before 3.0.0 RC3 does not properly handle an on value of the asp_tags option in the php.ini file, which has unspecified impact and remote attack vectors.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4725
[2] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt

> 17/04/2010
> - security fix in {math} plugin
> ..

CVE-2010-4726: Unspecified vulnerability in the math plugin in Smarty before 3.0.0 RC1 has unknown impact and remote attack vectors. NOTE: this might overlap CVE-2009-1669.

References:
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4726
[4] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt

This issue is tracked under a separate Red Hat Bugzilla issue tracking system entry:
[5] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4726
since it also affects the versions of the php-Smarty package as shipped within various Fedora and EPEL releases.

> 01/12/2010
> - changed back modifier handling in parser. Some restrictions still apply:
>   if modifiers are used inside {if...} expression or in mathematical expressions
>   parentheses must be used.
> - bugfix the {function..} tag did not accept the name attribute in double quotes
> - closed possible security hole at <?php ... ?> tags

CVE-2010-4727: Smarty before 3.0.0 beta 7 does not properly handle the <?php and ?> tags, which has unspecified impact and remote attack vectors.

References:
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4727
[7] http://smarty-php.googlecode.com/svn/trunk/distribution/change_log.txt

> - bugfix of config file parser on large config files
>
> and the SVN log entries related to them:
>
> r3606 | Uwe.Tews | 2010-06-20 22:37:16 +0200 (Sun, 20 Jun 2010) | 2 lines
> - closed security hole when php.ini asp_tags = on
>
> r3555 | Uwe.Tews | 2010-04-17 12:24:44 +0200 (Sat, 17 Apr 2010) | 2 lines
> - security fix in {math} plugin
>
> r3451 | Uwe.Tews | 2010-01-12 23:12:19 +0100 (Tue, 12 Jan 2010) | 3 lines
> - closed possible security hole at <?php ... ?> tags
> - bugfix of config file parser on large config files

which means that the CVE-2010-4724 identifier refers to yet 'some other' unspecified security fixes in Smarty between versions 3.0.0 Beta 6 and 3.0.0 RC3.
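The comment above pins each of the four identifiers to a "fixed in" version (3.0.0 RC3, 3.0.0 RC3 with asp_tags = On, 3.0.0 RC1, 3.0.0 beta 7). The following is an added example, not code from this bug report or from the Smarty project, that turns those "before X" statements into an inventory check for a deployed Smarty 3.0.0 pre-release: it normalises the version string for PHP's version_compare(), which orders "beta" below "rc" below a plain release, and only reports CVE-2010-4725 when the php.ini asp_tags directive is actually enabled. It assumes that Smarty 3 exposes its version in the Smarty::SMARTY_VERSION constant with a "Smarty-" prefix and that the effective asp_tags value is readable via ini_get(); the sample inputs at the bottom are constructed.

```php
<?php
// Added example (not from the bug report or the Smarty project): map a Smarty
// version string to the CVE identifiers from this thread whose "fixed in" version
// is still ahead of it. Fixed-in versions are taken from the CVE texts quoted above.
const SMARTY_CVE_FIXED_IN = [
    'CVE-2010-4724' => '3.0.0RC3',   // "before 3.0.0 RC3" (parser implementation)
    'CVE-2010-4725' => '3.0.0RC3',   // "before 3.0.0 RC3", only relevant with asp_tags = On
    'CVE-2010-4726' => '3.0.0RC1',   // "before 3.0.0 RC1" ({math} plugin)
    'CVE-2010-4727' => '3.0.0beta7', // "before 3.0.0 beta 7" (<?php ... ?> tags)
];

/**
 * Normalise a Smarty version string for version_compare().
 * Assumption: Smarty 3 reports itself as e.g. "Smarty-3.0.7" (prefix stripped here).
 * Whitespace is removed ("3.0.0 RC3" -> "3.0.0RC3") and the result is lower-cased,
 * because version_compare() only knows the special forms "beta" and "rc"/"RC".
 */
function smarty_normalise_version(string $raw): string
{
    $v = preg_replace('/^Smarty-/i', '', trim($raw));
    return strtolower(preg_replace('/\s+/', '', $v));
}

/**
 * Return the CVE identifiers from this thread that apply to $version.
 * $asp_tags_on is the effective php.ini asp_tags setting; CVE-2010-4725 is
 * reported only when that precondition holds.
 */
function smarty_affected_cves(string $version, bool $asp_tags_on): array
{
    $v = smarty_normalise_version($version);
    $hits = [];
    foreach (SMARTY_CVE_FIXED_IN as $cve => $fixed) {
        if ($cve === 'CVE-2010-4725' && !$asp_tags_on) {
            continue;
        }
        // version_compare() canonicalises "3.0.0rc3" to "3.0.0.rc.3" and orders
        // dev < alpha < beta < rc < number, so
        // 3.0.0beta6 < 3.0.0beta7 < 3.0.0rc1 < 3.0.0rc3 < 3.0.0 < 3.0.8.
        if (version_compare($v, smarty_normalise_version($fixed), '<')) {
            $hits[] = $cve;
        }
    }
    return $hits;
}

// Constructed sample inputs. On a live install use Smarty::SMARTY_VERSION
// (assumed constant name) and (bool) ini_get('asp_tags') instead; the asp_tags
// directive exists in PHP 5 and was removed in PHP 7.
$samples = [
    ['3.0.0 beta 6',     true],   // -> all four
    ['3.0.0 RC1',        true],   // -> CVE-2010-4724, CVE-2010-4725
    ['Smarty-3.0.0RC2',  false],  // -> CVE-2010-4724 (4725 skipped: asp_tags Off)
    ['Smarty-3.0.8',     true],   // -> none
];
foreach ($samples as [$ver, $asp]) {
    $cves = smarty_affected_cves($ver, $asp);
    printf("%-16s asp_tags=%-3s -> %s\n", $ver, $asp ? 'On' : 'Off',
        $cves ? implode(', ', $cves) : 'none of the four');
}
```

The check models the CVE wording ("before 3.0.0 RC3" etc.) literally and is meant for the Smarty 3.0.0 pre-release line that the quoted changelog covers; whether the Smarty 2.x package shipped in Fedora and EPEL is affected is the separate determination made elsewhere in this thread (the r3555 applicability note and the final resolution), not something this comparison decides.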
Resolution for the CVE-2010-4724, CVE-2010-4725 and CVE-2010-4726 Smarty / php-Smarty flaws: Not vulnerable. These issues did NOT affect the versions of the php-Smarty package as shipped with Fedora releases 14 and 15, and did NOT affect the versions of the php-Smarty package present within the Fedora EPEL 5 and Fedora EPEL 6 repositories.