Thursday, April 13, 2023

[USN-6012-1] Smarty vulnerability

-----BEGIN PGP PUBLIC KEY BLOCK-----

xsDNBGQufKwBDACr34Bd761+YH7R1o7Y0ae7JkQgf7snx8Ta7hXwSm2+cy7kl/wH
9aUZhLetqo5Fr15nKnQke9aSyQ58b0OTRKj9W4uOUyVY49ms+REwv+j+7uNMcwYu
OLtVJtY8jeTkpCUT/vawWe4gQxEA6Snpgs3IcWm06YCEYK53i8bHfHM5kwmcqj9M
Jyj7Pm7KXN4bbeut/bpl3/1CkeSjAAxfMBk4M7Ll4L5PKUhalZKOr61j5eG/5GTH
yoSVwcfI3esvX0z0sd19QeazjkM0RqZ8U4QZI0b2rXzJSjIpjn/o7syFaFPZsmbq
NXbv3jqnb2wpBajpJHBxE0aiQ17trsm/h6PUS7ZzwuRTABQFZ1Vx4rXAHdBEl/G6
+6CcZgrh8Vd8N2+YmbrjFo0KHg9sRmAnTapGhWZENUrsz1IzOjVlpm+7G6AQrZB3
JXoOfa4D59OB0LTQeIBWmeubtnR7Ww18lm3UDWLH49D5YelcfB1HN51nO4WH2WM6
EPJsJEv0IKSw678AEQEAAc0wR2VvcmdlLUFuZHJlaSBJb3NpZiA8YW5kcmVpLmlv
c2lmQGNhbm9uaWNhbC5jb20+wsEUBBMBCgA+FiEEnymTT1agqOK+NCniIRw68nMw
l3AFAmQufKwCGwMFCQPCZwAFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQIRw6
8nMwl3COiwwAmjTBks6Gf91HARwtljHzYNTa9UH91s/NO1jN++YfDbDrXV2z8NhT
oVR6JUi3cGTemG5hbZbAXTxpzGY69dlITBIGBLdG+TAtYuVsuPFthFGNfCujzea8
1PeKom1q/hzZClX+nVnKLz+oDBZfxCnKZB7k29FO4q1WKI95kxq/Waq5bOni+gyp
g+9yNA/PHIdYFN8rK1y7Ky+A4SjanxEQliYM6Zo3oQVSdr8q3u4uNCJxyyBK4aL6
92Wl9PSG3VBiMvjin5ZeLlLnBCJ3AnpySvWsBhmLQ602L6GufT+/dAKmNqqYPcUB
bxQfz9hthdKKirDXNs2uAlWXbZNmXGn19wkW8jboPisKhvj1JDe/z6CFLCCUg1bN
EAol4llMUUCDIA4uheQwdO8JYoLOfiE9Q3uSPLrB2vOEjsm24lPCG+n25jpEMWAz
asMfT+dW+sUzhSB6KHY8KYwPeuQiXBiHmA0KkPKN9eY0QCZO0kVKxHs138vMMGAq
i5aPopj4sH1HzsDNBGQufKwBDADR5rwDnlG0uWyKybev82bmCe4Ru3hyKwhnQQi2
xDUgGSLU/ct1dInV/Q2kcc96xZL6y3Y0wTKrq67+0dyuXdbMSxBwgIDuSXsYPABk
WGY0+2YIOLeSBLdvxJJUVigtvA98JoYRmzysv10uCEgM3D8vi/KP8JJJmDsB0z8s
rG6TIzkao78R+LvB0mLaz1xsKHP46y5GtrVScs+d+8F3yHR+LU5XlNb+d5m+6K41
yAk2MzF20xjTl8c8DDWHxqfOjvmIeNKPan21C6Q4RjbOp4+lYGRnjxQWo+8EbcRD
bfI2oTZ8mHrl/59EFlCmVvliKfjroHGs1UG1ABKvnY47evP8NDEjzrjh83nfuEtB
09ITPw/YjINWzH8xZWgLTFQaVVtNXWf8dXf6EPOEQ2CTz9aKVyXq7/aneS/4Boto
BMV1c/YAmxhWFg7yQIV247hg6hPN1AJ7SBorOWg5722PgGQB07R5+LkLctWpggkS
Tn8njoKuxyUOm1YjYfUsnmIA1icAEQEAAcLA/AQYAQoAJhYhBJ8pk09WoKjivjQp
4iEcOvJzMJdwBQJkLnysAhsMBQkDwmcAAAoJECEcOvJzMJdwDXAMAJ1ImVNj0mKv
0ctFsUSoJWrXxF2IrKAJNBXntkFNpVUgSwxrUm1RDiCrx+66eupGkLQDTG/zm81T
8Whzs9fGQeevvzEe5C9vkP4HN/5Asak/5qOjdQrA/X2JsRCXxlOpjtHrRI3Vc6Ga
gZu6YU/mO3MCial/RplLvTnCseP8AgMH1+eqhzVA8xOx3uBkvz+1b2aIM1xwM4mO
Idj9cKeQ5A84SDBF117fw1/Y+U5+LfCjLEPtfwNeTEtRdMbBve6UfpKrWPmJ5vsc
4qzGaarsLOWBAKDomEjE6XGfitNpdhj9FGitRTPxlnhiT06ZOrsMZDKmU73311ZE
SSgi9a71SLjS1z+ygAWAP5DYo3nwJAMoA9+BXhurmIN1uRkSMVFFRFt1soxph1vt
f4PfvPmwqiwxVtuCYvavyYxVQXwiFoh7tfATFVvPFxcjjUGGKNUqC+p33Q5R91n+
EbTPALgIUlmCqIDI7sUUx4Vn38cruPJaIwnV0H/c5HpCSsXik/dlkQ==
=AwA5
-----END PGP PUBLIC KEY BLOCK-----
==========================================================================
Ubuntu Security Notice USN-6012-1
April 13, 2023

smarty3 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS

Summary:

Smarty could be made to crash or run programs if it received a specially
crafted template.

Software Description:
- smarty3: The compiling PHP template engine

Details:

It was discovered that Smarty incorrectly parsed blocks' names and
included files' names. A remote attacker with template writing permissions
could use this issue to execute arbitrary PHP code. (CVE-2022-29221)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  smarty3                         3.1.39-2ubuntu1.22.10.1

Ubuntu 22.04 LTS:
  smarty3                         3.1.39-2ubuntu1.22.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6012-1
  CVE-2022-29221

Package Information:
  https://launchpad.net/ubuntu/+source/smarty3/3.1.39-2ubuntu1.22.10.1
  https://launchpad.net/ubuntu/+source/smarty3/3.1.39-2ubuntu1.22.04.1

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)