Debian Bug report logs - #469492
smarty: CVE-2008-1066 allows to call arbitrary PHP functions via templates


Package: smarty; Maintainer for smarty is Debian QA Group <packages@qa.debian.org>;

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 5 Mar 2008 14:39:02 UTC

Severity: important

Tags: security

Found in version smarty/2.6.18-1

Fixed in versions smarty/2.6.18-1.1, smarty/2.6.19-1, smarty/2.6.9-1sarge1, smarty/2.6.14-1etch1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Dimitri Fontaine <dim@tapoueh.org>:
Bug#469492; Package smarty. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Dimitri Fontaine <dim@tapoueh.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: smarty: CVE-2008-1066 allows to call arbitrary PHP functions via templates
Date: Wed, 5 Mar 2008 15:36:23 +0100
[Message part 1 (text/plain, inline)]
Package: smarty
Version: 2.6.18-1
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for smarty.

CVE-2008-1066[0]:
| The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
| by Serendipity (S9Y) and other products, allows attackers to call
| arbitrary PHP functions via templates, related to a '0' character in
| a search string.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1066

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
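
Added example (not part of the bug log and not Smarty's code): why a NUL byte in the search string matters for a check on a regex's trailing modifiers, as in CVE-2008-1066. It assumes the check inspects the whole PHP string while the regex consumer stops reading at the first NUL, and that the modifier to remove is PCRE's "e" (evaluate the replacement as PHP, removed in PHP 7); all function names are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical and this is not Smarty's code.

/** Remove the "e" modifier from the run of modifiers that ends the pattern. */
function strip_eval_modifier(string $search): string
{
    // Trailing letters/whitespace = modifiers after the closing delimiter.
    if (preg_match('/[a-zA-Z\s]+\z/', $search, $m) && strpos($m[0], 'e') !== false) {
        $kept = preg_replace('/[e\s]+/', '', $m[0]);
        return substr($search, 0, -strlen($m[0])) . $kept;
    }
    return $search;
}

/** What a consumer that stops at the first NUL byte would read (assumed behaviour). */
function c_string_view(string $s): string
{
    $pos = strpos($s, "\0");
    return $pos === false ? $s : substr($s, 0, $pos);
}

/** Hardened: reduce the pattern to the consumer's view first, then check it. */
function checked_search(string $search): string
{
    return strip_eval_modifier(c_string_view($search));
}

// Constructed sample patterns; the last one carries a NUL before its final byte.
$samples = ["/a/i", "/a/ie", "/a/e\0/"];

foreach ($samples as $s) {
    printf(
        "%-10s check only: %-6s truncate then check: %s\n",
        addcslashes($s, "\0"),                  // show the NUL as \000
        c_string_view(strip_eval_modifier($s)), // what the consumer ends up reading
        checked_search($s)
    );
}
```

For the third sample the check alone finds no trailing modifiers because the string ends in "/", yet the part before the NUL still ends in "e"; truncating first lets the check see the same bytes the consumer does.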

Information forwarded to debian-bugs-dist@lists.debian.org, Dimitri Fontaine <dim@tapoueh.org>:
Bug#469492; Package smarty. Full text and rfc822 format available.

Acknowledgement sent to Christoph Lehnberger <linux-dev@internetists.de>:
Extra info received and forwarded to list. Copy sent to Dimitri Fontaine <dim@tapoueh.org>. Full text and rfc822 format available.

Message #10 received at 469492@bugs.debian.org (full text, mbox):

From: Christoph Lehnberger <linux-dev@internetists.de>
To: 469492@bugs.debian.org
Subject: Patch added
Date: Wed, 5 Mar 2008 21:34:07 +0100
tag 469492 patch

Hi,

the changeset can be found under:

http://code.google.com/p/smarty-php/source/detail?r=2750

Best regards,

Chris




Information forwarded to debian-bugs-dist@lists.debian.org, Dimitri Fontaine <dim@tapoueh.org>:
Bug#469492; Package smarty. Full text and rfc822 format available.

Acknowledgement sent to Christoph Lehnberger <linux-dev@internetists.de>:
Extra info received and forwarded to list. Copy sent to Dimitri Fontaine <dim@tapoueh.org>. Full text and rfc822 format available.

Message #15 received at 469492@bugs.debian.org (full text, mbox):

From: Christoph Lehnberger <linux-dev@internetists.de>
To: 469492@bugs.debian.org
Subject: Tag added
Date: Wed, 5 Mar 2008 21:47:02 +0100
Tags: 469492 patch

Tag added.....




Information forwarded to debian-bugs-dist@lists.debian.org, Dimitri Fontaine <dim@tapoueh.org>:
Bug#469492; Package smarty. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Dimitri Fontaine <dim@tapoueh.org>. Full text and rfc822 format available.

Message #20 received at 469492@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 469492@bugs.debian.org
Subject: intent to NMU
Date: Sat, 15 Mar 2008 15:15:31 +0100
[Message part 1 (text/plain, inline)]
Hi,
since there was no reaction by the maintainer for 10 days I am going to 
upload a 0-day NMU now.
The attached patch fixes the issue.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/smarty-2.6.18-1_2.6.18-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[smarty-2.6.18-1_2.6.18-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 469492-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 469492-close@bugs.debian.org
Subject: Bug#469492: fixed in smarty 2.6.18-1.1
Date: Sat, 15 Mar 2008 14:32:06 +0000
Source: smarty
Source-Version: 2.6.18-1.1

We believe that the bug you reported is fixed in the latest version of
smarty, which is due to be installed in the Debian FTP archive:

smarty_2.6.18-1.1.diff.gz
  to pool/main/s/smarty/smarty_2.6.18-1.1.diff.gz
smarty_2.6.18-1.1.dsc
  to pool/main/s/smarty/smarty_2.6.18-1.1.dsc
smarty_2.6.18-1.1_all.deb
  to pool/main/s/smarty/smarty_2.6.18-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 469492@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated smarty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 15:10:58 +0100
Source: smarty
Binary: smarty
Architecture: source all
Version: 2.6.18-1.1
Distribution: unstable
Urgency: high
Maintainer: Dimitri Fontaine <dim@tapoueh.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 smarty     - Template engine for PHP
Closes: 469492
Changes: 
 smarty (2.6.18-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * A null character in a search string
     allows an attacker to call arbitrary php functions via
     templates. Add patch to return the string after the null
     in a string (CVE-2008-1066; Closes: #469492).
Files: 
 9e8db1c79952351ca5862015430e5dd8 696 web optional smarty_2.6.18-1.1.dsc
 b373ab2b38d3d0f14335a22341954c1e 4001 web optional smarty_2.6.18-1.1.diff.gz
 50b75a3fef40eca050c298fae9816f35 198974 web optional smarty_2.6.18-1.1_all.deb






Reply sent to Thierry Randrianiriana <randrianiriana@gmail.com>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 469492-close@bugs.debian.org (full text, mbox):

From: Thierry Randrianiriana <randrianiriana@gmail.com>
To: 469492-close@bugs.debian.org
Subject: Bug#469492: fixed in smarty 2.6.19-1
Date: Tue, 18 Mar 2008 22:47:04 +0000
Source: smarty
Source-Version: 2.6.19-1

We believe that the bug you reported is fixed in the latest version of
smarty, which is due to be installed in the Debian FTP archive:

smarty_2.6.19-1.diff.gz
  to pool/main/s/smarty/smarty_2.6.19-1.diff.gz
smarty_2.6.19-1.dsc
  to pool/main/s/smarty/smarty_2.6.19-1.dsc
smarty_2.6.19-1_all.deb
  to pool/main/s/smarty/smarty_2.6.19-1_all.deb
smarty_2.6.19.orig.tar.gz
  to pool/main/s/smarty/smarty_2.6.19.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 469492@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thierry Randrianiriana <randrianiriana@gmail.com> (supplier of updated smarty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 18 Mar 2008 23:54:50 +0300
Source: smarty
Binary: smarty
Architecture: source all
Version: 2.6.19-1
Distribution: unstable
Urgency: low
Maintainer: Dimitri Fontaine <dim@tapoueh.org>
Changed-By: Thierry Randrianiriana <randrianiriana@gmail.com>
Description: 
 smarty     - Template engine for PHP
Closes: 469492
Changes: 
 smarty (2.6.19-1) unstable; urgency=low
 .
   * New upstream release
   * Acknowledged NMU. (Closes: #469492)
   * debian/control:
     + bumped Standards-Version to 3.7.3
     + installed php5 first in Depends
     + used the Homepage field
   * Added a lintian override for the empty directory in demo
Files: 
 ed0c919e2186357def50eef74f98e6fa 725 web optional smarty_2.6.19-1.dsc
 c1cfb5db154e6bc02d296c824a1949fc 157803 web optional smarty_2.6.19.orig.tar.gz
 ad0b7397470d4994b0e75ffe41f6fc2f 3904 web optional smarty_2.6.19-1.diff.gz
 40b2a623aa8ca425a56f2cd7c8e7fd31 204634 web optional smarty_2.6.19-1_all.deb






Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #35 received at 469492-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 469492-close@bugs.debian.org
Subject: Bug#469492: fixed in smarty 2.6.9-1sarge1
Date: Fri, 21 Mar 2008 07:52:25 +0000
Source: smarty
Source-Version: 2.6.9-1sarge1

We believe that the bug you reported is fixed in the latest version of
smarty, which is due to be installed in the Debian FTP archive:

smarty_2.6.9-1sarge1.diff.gz
  to pool/main/s/smarty/smarty_2.6.9-1sarge1.diff.gz
smarty_2.6.9-1sarge1.dsc
  to pool/main/s/smarty/smarty_2.6.9-1sarge1.dsc
smarty_2.6.9-1sarge1_all.deb
  to pool/main/s/smarty/smarty_2.6.9-1sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 469492@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated smarty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 16 Mar 2008 12:05:07 +0100
Source: smarty
Binary: smarty
Architecture: source all
Version: 2.6.9-1sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Dimitri Fontaine <dfontaine@cvf.fr>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 smarty     - Template engine for PHP
Closes: 469492
Changes: 
 smarty (2.6.9-1sarge1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * A \0 character in a search string could be abused to
     call arbitrary PHP functions via templates.
     CVE-2008-1066, closes: #469492
Files: 
 3c1955d0151a53532dab661fb9a9b7b3 870 web optional smarty_2.6.9-1sarge1.dsc
 4ee0048de6a9b35f1b11b458493327f2 141694 web optional smarty_2.6.9.orig.tar.gz
 b1835fb9b611eb5ef3f26f23c21fbdbb 3502 web optional smarty_2.6.9-1sarge1.diff.gz
 39408bb8ec42a25956990f2e81bd2d7e 177048 web optional smarty_2.6.9-1sarge1_all.deb






Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #40 received at 469492-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 469492-close@bugs.debian.org
Subject: Bug#469492: fixed in smarty 2.6.14-1etch1
Date: Fri, 21 Mar 2008 07:52:16 +0000
Source: smarty
Source-Version: 2.6.14-1etch1

We believe that the bug you reported is fixed in the latest version of
smarty, which is due to be installed in the Debian FTP archive:

smarty_2.6.14-1etch1.diff.gz
  to pool/main/s/smarty/smarty_2.6.14-1etch1.diff.gz
smarty_2.6.14-1etch1.dsc
  to pool/main/s/smarty/smarty_2.6.14-1etch1.dsc
smarty_2.6.14-1etch1_all.deb
  to pool/main/s/smarty/smarty_2.6.14-1etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 469492@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated smarty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 16 Mar 2008 11:49:56 +0100
Source: smarty
Binary: smarty
Architecture: source all
Version: 2.6.14-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Dimitri Fontaine <dim@tapoueh.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 smarty     - Template engine for PHP
Closes: 469492
Changes: 
 smarty (2.6.14-1etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * A \0 character in a search string could be abused to
     call arbitrary PHP functions via templates.
     CVE-2008-1066, closes: #469492
Files: 
 fa71b68819fe520b5616eec683276fdf 950 web optional smarty_2.6.14-1etch1.dsc
 9186796ddbc29191306338dea9d632a0 144986 web optional smarty_2.6.14.orig.tar.gz
 8544db24358f72e091898f45c9fbc961 3814 web optional smarty_2.6.14-1etch1.diff.gz
 d2c9b4a558a052ab1c96bbdadfedafa5 184654 web optional smarty_2.6.14-1etch1_all.deb






Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #45 received at 469492-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 469492-close@bugs.debian.org
Subject: Bug#469492: fixed in smarty 2.6.9-1sarge1
Date: Sat, 12 Apr 2008 17:54:55 +0000
Source: smarty
Source-Version: 2.6.9-1sarge1

We believe that the bug you reported is fixed in the latest version of
smarty, which is due to be installed in the Debian FTP archive:

smarty_2.6.9-1sarge1.diff.gz
  to pool/main/s/smarty/smarty_2.6.9-1sarge1.diff.gz
smarty_2.6.9-1sarge1.dsc
  to pool/main/s/smarty/smarty_2.6.9-1sarge1.dsc
smarty_2.6.9-1sarge1_all.deb
  to pool/main/s/smarty/smarty_2.6.9-1sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 469492@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated smarty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 16 Mar 2008 12:05:07 +0100
Source: smarty
Binary: smarty
Architecture: source all
Version: 2.6.9-1sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Dimitri Fontaine <dfontaine@cvf.fr>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 smarty     - Template engine for PHP
Closes: 469492
Changes: 
 smarty (2.6.9-1sarge1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * A \0 character in a search string could be abused to
     call arbitrary PHP functions via templates.
     CVE-2008-1066, closes: #469492
Files: 
 3c1955d0151a53532dab661fb9a9b7b3 870 web optional smarty_2.6.9-1sarge1.dsc
 4ee0048de6a9b35f1b11b458493327f2 141694 web optional smarty_2.6.9.orig.tar.gz
 b1835fb9b611eb5ef3f26f23c21fbdbb 3502 web optional smarty_2.6.9-1sarge1.diff.gz
 39408bb8ec42a25956990f2e81bd2d7e 177048 web optional smarty_2.6.9-1sarge1_all.deb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 May 2008 07:54:49 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:16:04 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.