Your message dated Sun, 25 Oct 2009 19:57:38 +0000
with message-id <[email protected]>
and subject line Bug#529810: fixed in smarty 2.6.20-1.2
has caused the Debian Bug report #529810,
regarding CVE-2009-1669
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
529810: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529810
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: smarty
Version: 2.6.22-1
Severity: normal
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for smarty.
CVE-2009-1669[0]:
| The smarty_function_math function in libs/plugins/function.math.php in
| Smarty 2.6.22 allows context-dependent attackers to execute arbitrary
| commands via shell metacharacters in the equation attribute of the
| math function. NOTE: some of these details are obtained from third
| party information.
With Windows you can launch commands like this:
{math equation="`^C^A^L^C`"}
^C^A^L^C is equivalent to calc.exe, this isn't true in Linux.
However in Linux after putting an empty file with a command as name ('uptime'
for example):
{math equation="`*u*`"}
This will launch the "uptime" command.
I doubt this can be considered an issue, to exploit it at least one file
must be written and shell_exec() must not to be disabled.
At this point writing a simple .php file with shell_exec('whatever I want') is
equivalent and simplest...
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1669
http://security-tracker.debian.net/tracker/CVE-2009-1669
http://www.milw0rm.com/exploits/8659
Patch:
http://groups.google.com/group/smarty-svn/browse_thread/thread/b2da2e5d1ef8b462
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoVhkUACgkQNxpp46476aowxQCfZxInNMa6dJXPEZ7dfpbUHD+3
5KcAn0eH02pLJkpg8IR4GlnowS5ZRww/
=ia44
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Source: smarty
Source-Version: 2.6.20-1.2
We believe that the bug you reported is fixed in the latest version of
smarty, which is due to be installed in the Debian FTP archive:
smarty_2.6.20-1.2.diff.gz
to pool/main/s/smarty/smarty_2.6.20-1.2.diff.gz
smarty_2.6.20-1.2.dsc
to pool/main/s/smarty/smarty_2.6.20-1.2.dsc
smarty_2.6.20-1.2_all.deb
to pool/main/s/smarty/smarty_2.6.20-1.2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[email protected]> (supplier of updated smarty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 25 Oct 2009 16:11:04 +0100
Source: smarty
Binary: smarty
Architecture: source all
Version: 2.6.20-1.2
Distribution: stable-security
Urgency: high
Maintainer: Dimitri Fontaine <[email protected]>
Changed-By: Thijs Kinkhorst <[email protected]>
Description:
smarty - Template engine for PHP
Closes: 504328 529810
Changes:
smarty (2.6.20-1.2) stable-security; urgency=high
.
* Non-maintainer upload for security issues.
* CVE-2008-4810: Expand_quoted_text security bypass (closes: #504328).
* CVE-2009-1669: Shell execution via math function (closes: #529810).
Checksums-Sha1:
317727381fffeb2ed8aedd8a922091f581cba7ee 1409 smarty_2.6.20-1.2.dsc
aa6102342ec55c1fa90893929bdf2b8212224744 158091 smarty_2.6.20.orig.tar.gz
872989015830419ce4f82cbdaeeebe93251ff799 4876 smarty_2.6.20-1.2.diff.gz
ce08222373cb552b7489018d104a935a1be2a05b 204412 smarty_2.6.20-1.2_all.deb
Checksums-Sha256:
a988b396967c067428b22a8853aa26f048b8e382e015cd09b35e2a263cdfea5d 1409
smarty_2.6.20-1.2.dsc
8be2cea977ae095198b26fe63ca239f74bc388d9f025723d988c8e011bb98519 158091
smarty_2.6.20.orig.tar.gz
ac902d94ae3c7d13e0fbeeca3bcba0e5d3cde589945179cbc60ecb067be3efbf 4876
smarty_2.6.20-1.2.diff.gz
4fbaa3a41d9afd9631ddb0f3dbecdad7b8dbe3aebee3cf1022f168430336a1d7 204412
smarty_2.6.20-1.2_all.deb
Files:
f280e2733ef52ff621891f99b26386f3 1409 web optional smarty_2.6.20-1.2.dsc
35f405b2418a26a895302a2ce5bf89d2 158091 web optional smarty_2.6.20.orig.tar.gz
4d729d18d7efe68e1ce3023149436c01 4876 web optional smarty_2.6.20-1.2.diff.gz
1e8e85b298b97176359dd15731e0dc88 204412 web optional smarty_2.6.20-1.2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBAgAGBQJK5GxyAAoJECIIoQCMVaAcH8kIAJKUpNB0/fgzSwPoLQ7YZREh
FXS3mwpsjWme50fGVgcQnVBg/Gg2GZhSKhAaSI/cKtMrUR8K/8292JYOTWq2jbXB
U8ttlm9oo9KA1tQGRz/ma5/zam4LHj4xO84V18k25i+r1BMFzrGRxcwF93wr1luu
Wzs965mAdFoXK47ES6wbpi8g2KJQnsMNhUqYhB3KJzMXWc1gs3AYbqvRdfAdzXGF
+1Ce1Wd9H3qVGthYi67phv4C5XKhHITi8+rWYCYG7N/dTWqYFZMp00Sm0VeJj2Qd
e0VnjAn75v+/mZc4y7hr3DobtbGr07o0yhbi6225kWouDEQa1UJm6o8BAyLsclc=
=CIn+
-----END PGP SIGNATURE-----
--- End Message ---
