Your message dated Sun, 25 Oct 2009 19:57:51 +0000
with message-id <[email protected]>
and subject line Bug#529810: fixed in smarty 2.6.14-1etch2
has caused the Debian Bug report #529810,
regarding CVE-2009-1669
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
529810: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529810
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: smarty
Version: 2.6.22-1
Severity: normal
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for smarty.

CVE-2009-1669[0]:
| The smarty_function_math function in libs/plugins/function.math.php in
| Smarty 2.6.22 allows context-dependent attackers to execute arbitrary
| commands via shell metacharacters in the equation attribute of the
| math function.  NOTE: some of these details are obtained from third
| party information.


With Windows you can launch commands like this:

{math equation="`^C^A^L^C`"}

^C^A^L^C is equivalent to calc.exe; this isn't true in Linux.

However in Linux after putting an empty file with a command as name ('uptime' 
for example):

{math equation="`*u*`"}

This will launch the "uptime" command.

I doubt this can be considered an issue; to exploit it at least one file
must be written and shell_exec() must not be disabled.
At this point writing a simple .php file with shell_exec('whatever I want') is
equivalent and simpler...


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1669
    http://security-tracker.debian.net/tracker/CVE-2009-1669
    http://www.milw0rm.com/exploits/8659

Patch: 
http://groups.google.com/group/smarty-svn/browse_thread/thread/b2da2e5d1ef8b462



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoVhkUACgkQNxpp46476aowxQCfZxInNMa6dJXPEZ7dfpbUHD+3
5KcAn0eH02pLJkpg8IR4GlnowS5ZRww/
=ia44
-----END PGP SIGNATURE-----



--- End Message ---
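The report above describes the hazard in the {math} plugin: the equation attribute is evaluated as PHP code, and a backtick-quoted substring inside it is PHP's shell-execution operator, so the string must be validated before the engine ever interprets it. The following is an added example, not Smarty's own code and not the patch linked in the report, of the defensive design: the equation is parsed by a small grammar with a function whitelist and is never handed to eval() at all. The class name SafeMath, the FUNCS list, the error messages and the sample inputs are the example's own choices; it assumes PHP 7.4 or later.

```php
<?php
// Added example, not Smarty's code: a {math}-style equation is parsed by a
// small grammar instead of being handed to eval(). Only numbers, + - * /,
// parentheses, commas, whitespace, supplied variables and whitelisted function
// names are accepted, so a backtick is refused before anything runs (PHP 7.4+).
final class SafeMath
{
    private const FUNCS = ['abs', 'ceil', 'floor', 'round', 'sqrt', 'max', 'min', 'pow'];
    private array $tokens = [];
    private int $pos = 0;
    private array $vars = [];

    /** Evaluate $equation with attribute values such as ['x' => 4]. */
    public static function evaluate(string $equation, array $vars = []): float {
        $ev = new self();
        $ev->vars = $vars;
        $ev->tokens = self::tokenize($equation);
        $result = $ev->expr();
        if ($ev->pos !== count($ev->tokens)) $ev->fail("unexpected token '{$ev->tokens[$ev->pos]}'");
        return $result;
    }

    /** Split into tokens; any byte outside the accepted alphabet aborts. */
    private static function tokenize(string $s): array {
        $tokens = [];
        for ($off = 0, $len = strlen($s); $off < $len; $off += strlen($m[0])) {
            if (!preg_match('/\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*\/(),]|\s+/A', $s, $m, 0, $off)) {
                throw new InvalidArgumentException('illegal character ' . var_export($s[$off], true) . " at offset $off");
            }
            if (trim($m[0]) !== '') $tokens[] = $m[0];
        }
        return $tokens;
    }

    private function fail(string $msg): void { throw new InvalidArgumentException($msg); }
    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function expect(string $tok): void {
        if ($this->peek() !== $tok) $this->fail("expected '$tok'");
        $this->pos++;
    }

    private function expr(): float {            // expr := term (('+' | '-') term)*
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $v = $op === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }

    private function term(): float {            // term := unary (('*' | '/') unary)*
        $v = $this->unary();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $r = $this->unary();
            if ($op === '/' && $r == 0.0) $this->fail('division by zero');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function unary(): float {           // unary := '-' unary | primary
        if ($this->peek() !== '-') return $this->primary();
        $this->pos++;
        return -$this->unary();
    }

    // primary := number | '(' expr ')' | variable | func '(' [expr (',' expr)*] ')'
    private function primary(): float {
        $t = $this->peek();
        if ($t === null) $this->fail('unexpected end of equation');
        $this->pos++;
        if (is_numeric($t)) return (float) $t;
        if ($t === '(') {
            $v = $this->expr();
            $this->expect(')');
            return $v;
        }
        if (!preg_match('/^[A-Za-z_]\w*$/', $t)) $this->fail("unexpected token '$t'");
        if ($this->peek() !== '(') {            // a variable supplied as a tag attribute
            if (!isset($this->vars[$t]) || !is_numeric($this->vars[$t])) $this->fail("unknown variable '$t'");
            return (float) $this->vars[$t];
        }
        if (!in_array($t, self::FUNCS, true)) $this->fail("function '$t' not allowed");
        $this->pos++;                           // consume '('
        $args = [];
        while ($this->peek() !== ')') {
            if ($args !== []) $this->expect(',');
            $args[] = $this->expr();
        }
        $this->pos++;                           // consume ')'
        return (float) $t(...$args);            // only a whitelisted built-in reaches here
    }
}

// Constructed inputs: a legitimate equation, then the backtick payload from the report.
echo SafeMath::evaluate('(x + 2) * 3', ['x' => 4]), PHP_EOL;
try { SafeMath::evaluate('`*u*`'); } catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), PHP_EOL; }
```

Because the accepted alphabet is fixed in tokenize() and a function name must appear in FUNCS, a stray character is reported before any arithmetic is attempted; disabling shell_exec(), which the report mentions as a precondition for exploitation, then becomes defence in depth rather than the only barrier.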
--- Begin Message ---
Source: smarty
Source-Version: 2.6.14-1etch2

We believe that the bug you reported is fixed in the latest version of
smarty, which is due to be installed in the Debian FTP archive:

smarty_2.6.14-1etch2.diff.gz
  to pool/main/s/smarty/smarty_2.6.14-1etch2.diff.gz
smarty_2.6.14-1etch2.dsc
  to pool/main/s/smarty/smarty_2.6.14-1etch2.dsc
smarty_2.6.14-1etch2_all.deb
  to pool/main/s/smarty/smarty_2.6.14-1etch2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <[email protected]> (supplier of updated smarty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 25 Oct 2009 16:23:09 +0100
Source: smarty
Binary: smarty
Architecture: source all
Version: 2.6.14-1etch2
Distribution: oldstable-security
Urgency: high
Maintainer: Dimitri Fontaine <[email protected]>
Changed-By: Thijs Kinkhorst <[email protected]>
Description: 
 smarty     - Template engine for PHP
Closes: 504328 529810
Changes: 
 smarty (2.6.14-1etch2) oldstable-security; urgency=high
 .
   * Non-maintainer upload for security issues.
   * CVE-2008-4810: Expand_quoted_text security bypass (closes: #504328).
   * CVE-2009-1669: Shell execution via math function (closes: #529810).
Files: 
 f061c466cef93df89e677aeb72101910 958 web optional smarty_2.6.14-1etch2.dsc
 0ef9a669c127818f5ff084e2829738e9 4290 web optional smarty_2.6.14-1etch2.diff.gz
 d0ac954aad344f20b5933b09593b2968 183300 web optional smarty_2.6.14-1etch2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJK5G4TAAoJECIIoQCMVaAc48MH/RCIhw2PszZAAYxbpxA3KXVJ
wcPSAD3eugqX/yqMG/Ou35hU+Ba/LcXong8K06cgL1ZTX1L7Jvueek7w1drq1bzk
lBdxvzD4Khtka9VrWQbvFTI51hzcgm4quq6PJknS3NvONL3BIBbR1sorveL27811
+hSEe0H8vau0mdrQH1PTVGbyueTguPl37YM0VJWYkvUoBNkqfmpw7VaWh8F0SIbB
n1Iygm61H3ug8p3mQcDtF78pftGhawk57B7PGws7qq88KBy0roBY8snhzSM6ptrg
k/swqN9ws87aensNmCkuWQhpSoM92NGFRQKoEft2l7Ixwh/9xkuzChbyFxHdSB4=
=t5gk
-----END PGP SIGNATURE-----



--- End Message ---