Bug#471158: ships embedded copy of smarty with security bug

March 16th, 2008 - 06:30 am ET by Thijs Kinkhorst

Package: moodle
Severity: grave
Tags: security patch

Hi,

A security issue has been discovered in Smarty which is also shipped as part
of Moodle:

| The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used
| by Serendipity (S9Y) and other products, allows attackers to call
| arbitrary PHP functions via templates, related to a '0' character in
| a search string.

Please see the original bug in Smarty here: #469492. The patch is very
straightforward.

The right solution here is to not ship Smarty as part of Moodle but make use
of the smarty package that is already in the archive, because the security
team now has to issue multiple DSAs for this single issue, which is obviously
problematic.

Could you please take the following actions:
* To address this bug for lenny and sid, please prepare a version of Moodle
that works with the archive version of smarty;
* For sarge and etch, please prepare updated packages addressing this bug and
#432264, which is also still open in sarge/etch.

thanks,
Thijs

To UNSUBSCRIBE, email to debian-bugs-rc-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
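The bypass the quoted advisory describes, shown as an added illustration that is not Smarty's own code and not part of this bug report. The search argument of the regex_replace modifier comes from the template, so the check that strips the eval modifier is the only thing standing between a template author and arbitrary PHP. The function names are hypothetical, the "naive" check mirrors only the outline of the pre-2.6.19 logic (trailing word characters inspected for 'e'), and the actual code execution via the e modifier needs PHP < 7, since that modifier no longer exists in PHP 7+; the check logic itself runs on any PHP version.

```php
<?php
// Added illustration, not Smarty's code and not part of Debian bug #471158.
// Assumptions: hypothetical function names; the naive check only approximates
// the pre-2.6.19 shape; the real eval through /e requires PHP < 7.

// Vulnerable shape: only the trailing run of word characters is inspected for
// the 'e' (eval) modifier. A NUL byte placed after a real 'e' makes the
// inspected tail something harmless, while an engine that treats the pattern
// as a C string stops reading at the NUL and still sees the 'e'.
function strip_eval_modifier_naive(string $search): string
{
    if (preg_match('!\W(\w+)$!s', $search, $m) && strpos($m[1], 'e') !== false) {
        $search = substr($search, 0, -strlen($m[1])) . str_replace('e', '', $m[1]);
    }
    return $search;
}

// Hardened shape, in the spirit of the 2.6.19 fix: cut the pattern at the first
// NUL before looking at modifiers, so what is inspected is exactly what the
// engine would execute; then drop 'e' (and whitespace, which PCRE ignores
// between modifiers) from the trailing modifier run.
function strip_eval_modifier_hardened(string $search): string
{
    if (($nul = strpos($search, "\0")) !== false) {
        $search = substr($search, 0, $nul);
    }
    if (preg_match('!([a-z\s]+)$!s', $search, $m) && strpos($m[1], 'e') !== false) {
        $search = substr($search, 0, -strlen($m[1])) . preg_replace('![e\s]+!', '', $m[1]);
    }
    return $search;
}

// Constructed attacker-controlled search string: the visible tail "i" carries
// no 'e', but the pattern as seen up to the NUL is "/x/e".
function demo(): array
{
    $payload = "/x/e\0i";
    return [
        // the 'e' before the NUL survives the naive check untouched
        'naive'    => strip_eval_modifier_naive($payload),
        // the NUL tail is dropped first, then the 'e' is stripped
        'hardened' => strip_eval_modifier_hardened($payload),
    ];
}

foreach (demo() as $variant => $pattern) {
    printf("%-8s => %s\n", $variant, addcslashes($pattern, "\0"));
}
```

The point of the ordering in the hardened version is that any check on a pattern must run on the same bytes the regex engine will consume; truncating at the NUL first removes the gap between what was validated and what was executed.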

Replies

#1 Christian Perrier
March 19th, 2008 - 01:30 pm ET

Quoting Christian Perrier ():

> That means that there's no immediate security problem fortunately, but that
> still leaves the problem of removing the embedded smarty code before this
> package can be released.
>
> As only this one file uses it, either removing it from that file, or making
> that file use the archive copy of smarty are acceptable solutions to this
> bug.


Please note that I recently announced a possible NMU targeted at
fixing longstanding l10n bugs.

I have no clue about this specific bug but in case someone provides a
patch, I'll be happy to include it...in case the package maintainer
doesn't give news in a timely manner.

There are two days left before the end of my normal delay for l10n
NMUs.

I don't really want to interfere with work on security issues but I
can't hold this work for too long either: there is other stuff to do
and I'd rather not have this rot on my hard disk.

So, would an NMU *not* covering the security issue interfere with a
security update ?

Again, I'd be happy to do the security update but I need a patch. I
tried to have a look at the issue but it requires skills I don't have.
