Fedora 37 : php-Smarty (2022-d5fc9dcdd7)

critical Nessus Plugin ID 211188

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-d5fc9dcdd7 advisory.

## [3.1.47] - 2022-09-14

### Security
- Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks [#454](https://github.com/smarty-php/smarty/issues/454)

### Fixed
- Fixed use of `rand()` without a parameter in math function [#794](https://github.com/smarty-php/smarty/issues/794)
- Fixed unselected year/month/day not working in html_select_date [#395](https://github.com/smarty-php/smarty/issues/395)

## [3.1.46] - 2022-08-01

### Fixed
- Fixed problems with smarty_mb_str_replace [#549](https://github.com/smarty-php/smarty/issues/549)
- Fixed second parameter of unescape modifier not working [#777](https://github.com/smarty-php/smarty/issues/777)

## [3.1.45] - 2022-05-17

### Security
- Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221

### Fixed
- Math equation `max(x, y)` didn't work anymore [#721](https://github.com/smarty-php/smarty/issues/721)

## [3.1.44] - 2022-01-18

### Fixed
- Fixed illegal characters bug in math function security check [#702](https://github.com/smarty-php/smarty/issues/702)

## [3.1.43] - 2022-01-10

### Security
- Prevent evasion of the `static_classes` security policy. This addresses CVE-2021-21408

## [3.1.42] - 2022-01-10

### Security
- Prevent arbitrary PHP code execution through maliciously crafted expression for the math function. This addresses CVE-2021-29454

## [3.1.41] - 2022-01-09

### Security
- Rewrote the mailto function to not use `eval` when encoding with javascript

## [3.1.40] - 2021-10-13

### Changed
- modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used https://github.com/smarty-php/smarty/pull/649

### Security
- More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov

## [3.1.39] - 2021-02-17

### Security
- Prevent access to `$smarty.template_object` in sandbox mode. This addresses CVE-2021-26119.
- Fixed code injection vulnerability by using illegal function names in `{function name='blah'}{/function}`. This addresses CVE-2021-26120.

## [3.1.38] - 2021-01-08

### Fixed
- Smarty::SMARTY_VERSION wasn't updated https://github.com/smarty-php/smarty/issues/628

## [3.1.37] - 2021-01-07

### Changed
- Changed error handlers and handling of undefined constants for php8-compatibility (set $errcontext argument optional) https://github.com/smarty-php/smarty/issues/605
- Changed expected error levels in unit tests for php8-compatibility
- Travis unit tests now run for all php versions >= 5.3, including php8
- Travis runs on Xenial where possible

### Fixed
- PHP5.3 compatibility fixes
- Brought lexer source functionally up-to-date with compiled version

## [3.1.36] - 2020-04-14

### Fixed
- Smarty::SMARTY_VERSION wasn't updated in v3.1.35 https://github.com/smarty-php/smarty/issues/584

## [3.1.35] - 2020-04-14
- remove whitespaces after comments https://github.com/smarty-php/smarty/issues/447
- fix foreachelse on arrayiterators https://github.com/smarty-php/smarty/issues/506
- fix files contained in git export archive for package maintainers https://github.com/smarty-php/smarty/issues/325
- throw SmartyException when setting caching attributes for cacheable plugin https://github.com/smarty-php/smarty/issues/457
- fix errors that occurred where isset was replaced with null check such as https://github.com/smarty-php/smarty/issues/453
- unit tests are now in the repository

## 3.1.34 release - 05.11.2019

13.01.2020
- fix typo in exception message (JercSi)
- fix typehint warning with callable (bets4breakfast)
- add travis badge and compatibility info to readme (matks)
- fix stdClass cast when compiling foreach (carpii)
- fix wrong set/get methods for memcached (IT-Experte)
- fix problem assigning value to object variables in smarty_internal_compile_assign (Hunman)
- exclude error_reporting.ini from git export (glensc)

## 3.1.34-dev-6 - 30.10.2018
- bugfix a nested subblock in an inheritance child template was not replaced by outer level block with same name in same child template https://github.com/smarty-php/smarty/issues/500

29.10.2018
- bugfix Smarty::$php_handling == PHP_PASSTHRU (default) did eat the \n (newline) character if it directly followed a PHP tag like ?> or other https://github.com/smarty-php/smarty/issues/501

14.10.2018
- bugfix autoloader exit shortcut https://github.com/smarty-php/smarty/issues/467

11.10.2018
- bugfix {insert} does not work when caching is enabled and included template is present https://github.com/smarty-php/smarty/issues/496
- bugfix in date-format modifier; NULL at date string or default_date did not produce correct output https://github.com/smarty-php/smarty/pull/458

09.10.2018
- bugfix fix of 26.8.2017 https://github.com/smarty-php/smarty/issues/327 modifier is applied to sum expression https://github.com/smarty-php/smarty/issues/491
- bugfix indexed arrays could not be defined array(...)

18.09.2018
- bugfix large plain text template sections without a Smarty tag > 700kB could fail in version 3.1.32 and 3.1.33 because of PHP preg_match() restrictions https://github.com/smarty-php/smarty/issues/488

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected php-Smarty package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2022-d5fc9dcdd7

Plugin Details

Severity: Critical

ID: 211188

File Name: fedora_2022-d5fc9dcdd7.nasl

Version: 1.1

Type: local

Agent: unix

Published: 11/14/2024

Updated: 11/14/2024

Supported Sensors: Agentless Assessment, continuous_assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-26120

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:php-smarty, cpe:/o:fedoraproject:fedora:37

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/15/2022

Vulnerability Publication Date: 2/22/2021

Reference Information

CVE: CVE-2021-21408, CVE-2021-26119, CVE-2021-26120, CVE-2021-29454, CVE-2022-29221