...
 
smarty3 (3.1.32+20180424.1.ac9d4b58+selfpack1-1) UNRELEASED; urgency=medium
smarty3 (3.1.32+20180424.1.ac9d4b58+selfpack1-1) unstable; urgency=medium
* New upstream release.
* debian/*: White-space clean-up at EOL.
* debian/patches:
+ Drop 0001_CVE-2017-1000480.patch. Applied upstream.
* debian/rules:
+ Avoid using dpkg-parsechangelog.
* debian/copyright:
+ Update copyright attributions.
+ Use secure URI to obtain copyright references.
+ Add global Comment: field. Explain about brokenness of upstream tarballs.
* debian/control:
+ Update Vcs-*: fields. Packaging Git has been migrated to
salsa.debian.org.
+ Bump Standards-Version: to 4.1.4. No changes needed.
* debian/{control,compat}:
+ Bump DH version level to 11.
-- Mike Gabriel <sunweaver@debian.org> Sun, 27 May 2018 21:54:50 +0200
-- Mike Gabriel <sunweaver@debian.org> Sun, 27 May 2018 23:21:33 +0200
smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-3) unstable; urgency=medium
......@@ -183,11 +198,11 @@ smarty3 (3.1.0-1) experimental; urgency=low
+ added LexerGenerator copyright
+ added ParserGenerator copyright
* Fixed security holes:
+ multiple unspecified vulnerabilities (CVE-2009-5052, CVE-2009-5053,
+ multiple unspecified vulnerabilities (CVE-2009-5052, CVE-2009-5053,
CVE-2010-4722, CVE-2010-4724, CVE-2010-4726)
+ not consider the umask value when setting the permissions of files
(CVE-2009-5054)
+ not prevent access to the dynamic and private object members of an
+ not prevent access to the dynamic and private object members of an
assigned object (CVE-2010-4723)
+ not properly handle an on value of the asp_tags option in the php.ini file
(CVE-2010-4725)
......
......@@ -4,13 +4,13 @@ Priority: optional
Maintainer: Mike Gabriel <sunweaver@debian.org>
Uploaders:
Debian Edu Packaging Team <debian-edu-pkg-team@lists.alioth.debian.org>,
Build-Depends:
Build-Depends:
debhelper (>= 11~),
pkg-php-tools (>= 1.7~),
smarty-lexer (>= 3.1.30+dfsg1-1.1~),
Standards-Version: 4.1.4
Vcs-Browser: https://anonscm.debian.org/git/collab-maint/smarty3.git
Vcs-Git: https://anonscm.debian.org/git/collab-maint/smarty3.git
Vcs-Git: https://salsa.debian.org/debian/smarty3.git
Vcs-Browser: https://salsa.debian.org/debian/smarty3
Homepage: http://www.smarty.net/
Package: smarty3
......
......@@ -4,12 +4,16 @@ Upstream-Contact:
Monte Ohrt <monte@ohrt.com>
Uwe Tews <uwe.tews@googlemail.com>
Source: http://www.smarty.net
Comment:
Tarball self-packed due to broken upstream tarballs (since 3.1.31).
See: https://github.com/smarty-php/smarty/issues/325
Files: change_log.txt
COMPOSER_RELEASE_NOTES.txt
demo/*
lexer/*
libs/*
utilities/*
INHERITANCE_RELEASE_NOTES.txt
NEW_FEATURES.txt
README
......@@ -18,6 +22,7 @@ Files: change_log.txt
SMARTY_3.0_BC_NOTES.txt
SMARTY_3.1_NOTES.txt
composer.json
error_reporting.ini
Copyright:
2001-2008, New Digital Group, Inc.
License: LGPL-3+
......
From 614ad1f8b9b00086efc123e49b7bb8efbfa81b61 Mon Sep 17 00:00:00 2001
From: Uwe Tews <uwe.tews@googlemail.com>
Date: Fri, 21 Jul 2017 05:13:54 +0200
Subject: [PATCH] - security possible PHP code injection on custom resources at
display() or fetch() calls if the resource does not sanitize the template
name
---
change_log.txt | 4 ++++
libs/Smarty.class.php | 2 +-
libs/sysplugins/smarty_internal_runtime_codeframe.php | 4 ++--
libs/sysplugins/smarty_resource_custom.php | 4 ++--
4 files changed, 9 insertions(+), 5 deletions(-)
#diff --git a/change_log.txt b/change_log.txt
#index 3db0cd9e..7ab4888f 100644
#--- a/change_log.txt
#+++ b/change_log.txt
#@@ -1,4 +1,8 @@
# ===== 3.1.32 - dev ===
#+21.7.2017
#+ - security possible PHP code injection on custom resources at display() or fetch()
#+ calls if the resource does not sanitize the template name
#+
# 27.5.2017
# - bugfix change compiled code for registered function and modifiers to called as callable to allow closures
# https://github.com/smarty-php/smarty/pull/368, https://github.com/smarty-php/smarty/issues/273
#diff --git a/libs/Smarty.class.php b/libs/Smarty.class.php
#index 38c274b4..c3e57297 100644
#--- a/libs/Smarty.class.php
#+++ b/libs/Smarty.class.php
#@@ -108,7 +108,7 @@ class Smarty extends Smarty_Internal_TemplateBase
# /**
# * smarty version
# */
#- const SMARTY_VERSION = '3.1.32-dev-11';
#+ const SMARTY_VERSION = '3.1.32-dev-12';
#
# /**
# * define variable scopes
diff --git a/libs/sysplugins/smarty_internal_runtime_codeframe.php b/libs/sysplugins/smarty_internal_runtime_codeframe.php
index e363712a..ceb386ff 100644
--- a/libs/sysplugins/smarty_internal_runtime_codeframe.php
+++ b/libs/sysplugins/smarty_internal_runtime_codeframe.php
@@ -41,8 +41,8 @@ public function create(Smarty_Internal_Template $_template, $content = '', $func
$properties[ 'cache_lifetime' ] = $_template->cache_lifetime;
}
$output = "<?php\n";
- $output .= "/* Smarty version " . Smarty::SMARTY_VERSION . ", created on " . strftime("%Y-%m-%d %H:%M:%S") .
- "\n from \"" . $_template->source->filepath . "\" */\n\n";
+ $output .= "/* Smarty version {Smarty::SMARTY_VERSION}, created on " . strftime("%Y-%m-%d %H:%M:%S") .
+ "\n from \"" . str_replace('*/','* /',$_template->source->filepath) . "\" */\n\n";
$output .= "/* @var Smarty_Internal_Template \$_smarty_tpl */\n";
$dec = "\$_smarty_tpl->_decodeProperties(\$_smarty_tpl, " . var_export($properties, true) . ',' .
($cache ? 'true' : 'false') . ")";
diff --git a/libs/sysplugins/smarty_resource_custom.php b/libs/sysplugins/smarty_resource_custom.php
index 619f2d6f..77f619ec 100644
--- a/libs/sysplugins/smarty_resource_custom.php
+++ b/libs/sysplugins/smarty_resource_custom.php
@@ -47,7 +47,7 @@ protected function fetchTimestamp($name)
*/
public function populate(Smarty_Template_Source $source, Smarty_Internal_Template $_template = null)
{
- $source->filepath = $source->type . ':' . $source->name;
+ $source->filepath = $source->type . ':' . substr(preg_replace('/[^A-Za-z0-9.]/','',$source->name),0,25);
$source->uid = sha1($source->type . ':' . $source->name);
$mtime = $this->fetchTimestamp($source->name);
@@ -90,6 +90,6 @@ public function getContent(Smarty_Template_Source $source)
*/
public function getBasename(Smarty_Template_Source $source)
{
- return basename($source->name);
+ return basename(substr(preg_replace('/[^A-Za-z0-9.]/','',$source->name),0,25));
}
}
0001_CVE-2017-1000480.patch
......@@ -3,6 +3,8 @@
#export DH_VERBOSE=1
include /usr/share/dpkg/pkg-info.mk
%:
dh $@ --with phpcomposer
......@@ -58,8 +60,8 @@ override_dh_installchangelogs:
dh_installchangelogs change_log.txt
PKD = $(word 1,$(abspath $(dir $(MAKEFILE_LIST))))
PKG = $(word 2,$(shell dpkg-parsechangelog -l$(PKD)/changelog | grep ^Source))
UVER = $(shell dpkg-parsechangelog -l$(PKD)/changelog | perl -ne 'print $$1 if m{^Version:\s+(?:\d+:)?(\d.*)(?:\-\d+.*)};')
PKG = $(DEB_SOURCE)
UVER = $(shell echo $(DEB_VERSION) | cut -d "-" -f1)
DTYPE = +selfpack1
VER ?= $(subst $(DTYPE),,$(UVER))
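Review bot: The new `UVER` line cuts `$(DEB_VERSION)` at the first hyphen and keeps any epoch, whereas the perl expression it replaces dropped an epoch and, being greedy, split at the last `-<digit>`. The two give the same result for the current version string, but they would diverge if the package ever gains an epoch or the upstream part contains a hyphen. The `pkg-info.mk` included at the top of this file already provides the upstream part, so `UVER = $(DEB_VERSION_UPSTREAM)` would avoid both the `$(shell ...)` call and the hyphen ambiguity. `VER` is derived from `UVER` and presumably drives the self-packed tarball target outside this hunk, so a wrong value there could select or name the wrong upstream snapshot.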
......