CVE-2008-1066 smarty allows attackers to call arbitrary PHP functions via templates

Bug #202422 reported by Emanuele Gentili
Affects                 Status        Importance  Assigned to       Milestone
gallery2 (Debian)       Fix Released  Unknown
gallery2 (Ubuntu)       Fix Released  Undecided   Unassigned
  Dapper                Won't Fix     Undecided   Unassigned
  Edgy                  Won't Fix     Undecided   Unassigned
  Feisty                Won't Fix     Undecided   Unassigned
  Gutsy                 Won't Fix     Undecided   Unassigned
  Hardy                 Fix Released  Undecided   Unassigned
smarty (Debian)         Fix Released  Unknown
smarty (Ubuntu)         Fix Released  Medium      Emanuele Gentili
  Dapper                Fix Released  Medium      Emanuele Gentili
  Edgy                  Fix Released  Medium      Emanuele Gentili
  Feisty                Fix Released  Medium      Emanuele Gentili
  Gutsy                 Fix Released  Medium      Emanuele Gentili
  Hardy                 Fix Released  Medium      Emanuele Gentili

Bug Description

The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP functions via templates, related to a '\0' character in a search string.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1066

Changed in smarty:
assignee: nobody → emgent
importance: Undecided → Medium
status: New → Confirmed
Changed in smarty:
status: Confirmed → In Progress
Changed in smarty:
status: Unknown → New
Changed in smarty:
status: New → Fix Released
Changed in smarty:
assignee: nobody → emgent
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → emgent
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → emgent
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → emgent
importance: Undecided → Medium
status: New → In Progress
Revision history for this message
Luca Falavigna (dktrkranz) wrote :

Uploaded, thanks ;)

Changed in smarty:
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package smarty - 2.6.18-1ubuntu3

---------------
smarty (2.6.18-1ubuntu3) hardy; urgency=low

  * SECURITY UPDATE: (LP: #202422)
   + libs/plugins/modifier.regex_replace.php
    - The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
      by Serendipity (S9Y) and other products, allows attackers to call arbitrary
      PHP functions via templates, related to a '\0' character in a search string.

  * References
   + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1066
   + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469492

 -- Emanuele Gentili <email address hidden> Sat, 15 Mar 2008 06:54:31 +0100

Changed in smarty:
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for supplying the debdiffs for dapper - gutsy, Emanuele. The edgy and feisty diffs do not have the proper version number as specified in https://wiki.ubuntu.com/SecurityUpdateProcedures. Can you update that and resubmit? Thanks again!

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks Emanuele!

Changed in smarty:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

smarty (2.6.11-1ubuntu0.1) dapper-security; urgency=low

  * SECURITY UPDATE: (LP: #202422)
   + libs/plugins/modifier.regex_replace.php
    - The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
      by Serendipity (S9Y) and other products, allows attackers to call arbitrary
      PHP functions via templates, related to a '\0' character in a search string.

  * References
   + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1066
   + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469492

 -- Emanuele Gentili <email address hidden> Sat, 15 Mar 2008 07:33:32 +0100

Changed in smarty:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package smarty - 2.6.18-1ubuntu2.1

---------------
smarty (2.6.18-1ubuntu2.1) gutsy-security; urgency=low

  * SECURITY UPDATE: (LP: #202422)
   + libs/plugins/modifier.regex_replace.php
    - The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
      by Serendipity (S9Y) and other products, allows attackers to call arbitrary
      PHP functions via templates, related to a '\0' character in a search string.

  * References
   + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1066
   + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469492

 -- Emanuele Gentili <email address hidden> Sat, 15 Mar 2008 07:09:26 +0100

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package smarty - 2.6.14-1ubuntu0.7.04.1

---------------
smarty (2.6.14-1ubuntu0.7.04.1) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: #202422)
   + libs/plugins/modifier.regex_replace.php
    - The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
      by Serendipity (S9Y) and other products, allows attackers to call arbitrary
      PHP functions via templates, related to a '\0' character in a search string.

  * References
   + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1066
   + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469492

 -- Emanuele Gentili <email address hidden> Sat, 15 Mar 2008 07:21:09 +0100

Changed in smarty:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in smarty:
status: Fix Committed → Fix Released
Revision history for this message
William Grant (wgrant) wrote :

gallery2 is also affected, as it has a vulnerable embedded copy. It's fixed in Intrepid.

Changed in gallery2:
status: New → Fix Released
Changed in gallery2:
status: Unknown → New
Changed in gallery2:
status: New → Fix Released
Revision history for this message
Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so an SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in gallery2:
status: New → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gallery2 - 2.2.4-1ubuntu0.1

---------------
gallery2 (2.2.4-1ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting, information disclosure,
    and restriction bypass vulnerabilities (LP: #242671), and arbitrary code
    execution (LP: #202422)
    - lib/smarty/plugins/modifier.regex_replace.php: Don't look past a NULL in
      the search string. Fixes possible arbitrary code execution. Patch from
      smarty upstream.
    - modules/core/ItemAdd.inc: Flatten the contents of ZIP archives if they
      are being uploaded by a user without subalbum privileges. Patch from
      upstream svn.
    - modules/core/classes/GalleryUrlGenerator.class,
      modules/rewrite/classes/parsers/modrewrite/ModRewriteUrlGenerator:
      Properly remove illegal characters from URLs. Patch from upstream svn.
    - modules/core/classes/Gallery{Embed,PhpVm}.class: More thoroughly verify
      that the remote address isn't being spoofed. Patch from upstream svn.
    - modules/password/PasswordOption.inc: Only allow password protection of
      items already password protected or albums, as single items cannot
      reliably be password protected. Patch from upstream svn.
    - modules/albumselect/Callbacks.inc: Add session permissions to keys for
      the album list cache, to avoid hidden album disclosure. Patch from
      upstream svn.
    - */MANIFEST: Drop modified files to please the browser-based installer.
    - References:
      + CVE-2008-1066
      + CVE-2008-2720
      + CVE-2008-2721
      + CVE-2008-2722
      + CVE-2008-2723
      + CVE-2008-2724

 -- William Grant <email address hidden> Wed, 25 Jun 2008 13:47:58 +1000

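The bug description at the top of this report and the gallery2 changelog line "Don't look past a NULL in the search string" describe the same defect from two sides: the template layer inspected the flag letters at the end of the caller-supplied search pattern in order to strip the eval (`e`) modifier, while the consumer that later received the pattern treated it as a C string that ends at the first NUL byte, so the two disagreed about which flags applied. The following Python model is an added example and is not Smarty's, gallery2's or PHP's code. It reproduces the check/consumer mismatch with two small parsers and a constructed payload, shows the fix the changelog describes (truncate at the NUL before the check), and adds a stricter alternative (refuse any NUL). The function names, the payload and the exact regex used by the check are assumptions; nothing here invokes PHP's `/e` modifier, which PHP 7 removed.

```python
import re

NUL = "\0"


def flags_seen_by_check(pattern: str) -> str:
    """Flags as the template-layer check sees them: the run of letters
    (or whitespace) at the very end of the whole string.  NUL is neither,
    so a NUL hides every flag letter in front of it from this view.
    (Assumed shape of the check; not Smarty's source.)"""
    m = re.search(r"([a-zA-Z\s]+)$", pattern)
    return m.group(1) if m else ""


def flags_seen_by_engine(pattern: str) -> str:
    """Flags as a C-string consumer sees them: the buffer ends at the first
    NUL, the delimiter is the first character, and the flags are whatever
    follows the last delimiter.  (Constructed model of a char*-based parser.)"""
    cstr = pattern.split(NUL, 1)[0]
    if not cstr:
        return ""
    delim = cstr[0]
    return cstr[cstr.rfind(delim) + 1:]


def strip_eval_flag_unpatched(pattern: str) -> str:
    """Pre-fix sanitiser: drop 'e' from the flags the check can see and
    pass everything else through unchanged."""
    flags = flags_seen_by_check(pattern)
    if "e" not in flags:
        return pattern
    head = pattern[: len(pattern) - len(flags)]
    return head + re.sub(r"[e\s]+", "", flags)


def strip_eval_flag_patched(pattern: str) -> str:
    """Fixed sanitiser, per the changelog: never look past a NUL in the
    search string, so both views are computed over the same bytes."""
    return strip_eval_flag_unpatched(pattern.split(NUL, 1)[0])


def strip_eval_flag_strict(pattern: str) -> str:
    """Stricter alternative: a NUL has no legitimate place in a pattern
    string, so refuse it instead of silently truncating."""
    if NUL in pattern:
        raise ValueError("NUL byte in search pattern")
    return strip_eval_flag_unpatched(pattern)


def engine_would_eval(pattern: str) -> bool:
    """True if the consumer would treat the replacement as code to run."""
    return "e" in flags_seen_by_engine(pattern)


# Constructed payload: the real flag list ends with 'e', then a NUL, then a
# harmless-looking 'i' that is all the trailing-letters check gets to see.
PAYLOAD = "/(.*)/e" + NUL + "i"


def demo() -> dict:
    results = {
        "check_sees": flags_seen_by_check(PAYLOAD),     # 'i'
        "engine_sees": flags_seen_by_engine(PAYLOAD),   # 'e'
        "unpatched_evals": engine_would_eval(strip_eval_flag_unpatched(PAYLOAD)),
        "patched_evals": engine_would_eval(strip_eval_flag_patched(PAYLOAD)),
        "honest_e_unpatched_evals": engine_would_eval(strip_eval_flag_unpatched("/(.*)/e")),
    }
    try:
        strip_eval_flag_strict(PAYLOAD)
        results["strict_rejected"] = False
    except ValueError:
        results["strict_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run stand-alone, the block prints the two views side by side: the unpatched sanitiser passes the payload through with `e` intact because the only flag letter it can see is `i`, while the patched one truncates at the NUL and strips the flag. An honest `/(.*)/e` was already handled correctly before the fix; the bypass needed the NUL. The general lesson is the one to carry into review: whenever a validator in a managed language and a consumer in native code parse the same untrusted string by different rules, make the validator operate on exactly the bytes the consumer will see, or reject inputs the consumer cannot represent.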
Changed in gallery2:
status: New → Fix Released
Revision history for this message
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in gallery2:
status: New → Won't Fix
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18-month support period for Gutsy Gibbon 7.10 has reached its end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the Gutsy task.

Changed in gallery2 (Ubuntu Gutsy):
status: New → Won't Fix
Hew (hew)
Changed in gallery2 (Ubuntu Dapper):
status: New → Won't Fix