Your message dated Wed, 04 Nov 2009 21:05:22 +0000
with message-id <[email protected]>
and subject line Bug#529810: fixed in smarty 2.6.26-0.1
has caused the Debian Bug report #529810,
regarding CVE-2009-1669
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
529810: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529810
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: smarty
Version: 2.6.22-1
Severity: normal
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for smarty.
CVE-2009-1669[0]:
| The smarty_function_math function in libs/plugins/function.math.php in
| Smarty 2.6.22 allows context-dependent attackers to execute arbitrary
| commands via shell metacharacters in the equation attribute of the
| math function. NOTE: some of these details are obtained from third
| party information.
With Windows you can launch commands like this:
{math equation="`^C^A^L^C`"}
^C^A^L^C is equivalent to calc.exe, this isn't true in Linux.
However in Linux after putting an empty file with a command as name ('uptime'
for example):
{math equation="`*u*`"}
This will launch the "uptime" command.
I doubt this can be considered an issue; to exploit it at least one file
must be written and shell_exec() must not be disabled.
At this point writing a simple .php file with shell_exec('whatever I want') is
equivalent and simpler...
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1669
http://security-tracker.debian.net/tracker/CVE-2009-1669
http://www.milw0rm.com/exploits/8659
Patch:
http://groups.google.com/group/smarty-svn/browse_thread/thread/b2da2e5d1ef8b462
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoVhkUACgkQNxpp46476aowxQCfZxInNMa6dJXPEZ7dfpbUHD+3
5KcAn0eH02pLJkpg8IR4GlnowS5ZRww/
=ia44
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Source: smarty
Source-Version: 2.6.26-0.1
We believe that the bug you reported is fixed in the latest version of
smarty, which is due to be installed in the Debian FTP archive:
smarty_2.6.26-0.1.diff.gz
to main/s/smarty/smarty_2.6.26-0.1.diff.gz
smarty_2.6.26-0.1.dsc
to main/s/smarty/smarty_2.6.26-0.1.dsc
smarty_2.6.26-0.1_all.deb
to main/s/smarty/smarty_2.6.26-0.1_all.deb
smarty_2.6.26.orig.tar.gz
to main/s/smarty/smarty_2.6.26.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[email protected]> (supplier of updated smarty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 24 Oct 2009 12:40:12 +0200
Source: smarty
Binary: smarty
Architecture: source all
Version: 2.6.26-0.1
Distribution: unstable
Urgency: low
Maintainer: Dimitri Fontaine <[email protected]>
Changed-By: Thijs Kinkhorst <[email protected]>
Description:
smarty - Template engine for PHP
Closes: 504328 529810
Changes:
smarty (2.6.26-0.1) unstable; urgency=low
.
* Non-maintainer upload.
* New upstream release to address open security issues.
(CVE-2008-4810, CVE-2008-4811, CVE-2009-1669,
closes: #529810, #504328)
* Remove installation of smarty_icon.README and unit_test,
dropped upstream.
Checksums-Sha1:
72f0ef983a60fd91a3fad61b3f05252f761e15f3 1412 smarty_2.6.26-0.1.dsc
040245f979e759d9b80c35de04035f010ed6d158 153034 smarty_2.6.26.orig.tar.gz
82cfd17888fc252ff8dd8d8ebd7ef9c56fdf0615 4501 smarty_2.6.26-0.1.diff.gz
7fde38359420618906f9ad76ff36427f7594651a 201342 smarty_2.6.26-0.1_all.deb
Checksums-Sha256:
460579a9b081360e27bce26915ca6226d21d3b0029d0411a7049f85a0242e5a5 1412
smarty_2.6.26-0.1.dsc
99185a967a6cebdc00f29feb70b113a9970572751892c12673c27dd765d43f99 153034
smarty_2.6.26.orig.tar.gz
57de0dc0bdb7e84df99fab3930c34dce228cdf4af05f9143f9e7bc923dc59efd 4501
smarty_2.6.26-0.1.diff.gz
a8958067c110675b9eb5501ad0d86763d6bd2d70edc1ea6f4e65985754d819d0 201342
smarty_2.6.26-0.1_all.deb
Files:
555de39317d1031acce8108ab94f2a00 1412 web optional smarty_2.6.26-0.1.dsc
e0da351443b8613e1013c481ab30cb84 153034 web optional smarty_2.6.26.orig.tar.gz
fb52a8723695be8bf6fb67a38780e3a7 4501 web optional smarty_2.6.26-0.1.diff.gz
77b4e11dc4cce086fcd9cc8be95e87d1 201342 web optional smarty_2.6.26-0.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBCAAGBQJK4tvBAAoJECIIoQCMVaAcnGAH/iORX16UwuuHRMJ74/Sm6bmz
0jIfdMJfxS5NJ/dGaPKwg3f6mAgxxpfEMFAbrdj8k63K7wGIqs+EkgyYuSeYTSqV
qxd6cjQcA+HD8/NyW6n97C7c/+63f2ZzDlwQ/1X7Dtxm7Jd09XQdL7p4zk7ulx1i
K/OxYr3gHdsTdOEUwnK6yG5/na698m263pmTYC34OQv/xYKhWzwIV0zyhluIPLWz
t1iKFZM28QiFjn3gkbElYjR1CB+69eXPVZgyM5bNz76Vcj3ZBsrRdGTLFmGYrRE/
Iv3rCY1GbzopfxXAc9hvPK5cnbNv41GfSkVvvxW76DALVUn/WZF50rs7zZlYLn4=
=wbJB
-----END PGP SIGNATURE-----
--- End Message ---