Joined: 12 May 2004
|Posted: Wed Jun 02, 2010 10:26 pm Post subject: [ GLSA 201006-13 ] Smarty: Multiple vulnerabilities
|Gentoo Linux Security Advisory
Title: Smarty: Multiple vulnerabilities (GLSA 201006-13)
Date: June 02, 2010
Bug(s): #212147, #243856, #270494
Multiple vulnerabilities in the Smarty template engine might allow remote
attackers to execute arbitrary PHP code.
Smarty is a template engine for PHP.
Vulnerable: < 2.6.23
Unaffected: >= 2.6.23
Architectures: All supported architectures
Multiple vulnerabilities have been discovered in Smarty:
- The vendor reported that the modifier.regex_replace.php plug-in
contains an input sanitation flaw related to the ASCII NUL character
- The vendor reported that the
_expand_quoted_text() function in libs/Smarty_Compiler.class.php
contains an input sanitation flaw via multiple vectors (CVE-2008-4810,
- Nine:Situations:Group::bookoo reported that
the smarty_function_math() function in libs/plugins/function.math.php
contains input sanitation flaw (CVE-2009-1669).
These issues might allow a remote attacker to execute arbitrary PHP
There is no known workaround at this time.
All Smarty users should upgrade to an unaffected version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/smarty-2.6.23"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since June 2, 2009. It is likely that your system is already
no longer affected by this issue.
Last edited by GLSA on Mon Mar 10, 2014 4:30 am; edited 2 times in total