Hello. I've prepared a build according to what you've said. Build available here[1]. Please take a look. Debdiff attached.
--abhijith [1] - https://people.debian.org/~abhijith/upload/vda/smarty3_3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u4.dsc
diff -Nru smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/changelog smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/changelog --- smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/changelog 2021-04-15 15:18:24.000000000 +0530 +++ smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/changelog 2021-09-04 23:49:02.000000000 +0530 @@ -1,3 +1,10 @@ +smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u4) UNRELEASED; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Test build for regression test #989141. + + -- Abhijith PA <abhij...@debian.org> Sat, 04 Sep 2021 23:49:02 +0530 + smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u3) stretch-security; urgency=medium * Non-maintainer upload by the Debian LTS Team. diff -Nru smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-2.patch smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-2.patch --- smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-2.patch 2021-04-04 12:45:17.000000000 +0530 +++ smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-2.patch 2021-09-04 23:47:25.000000000 +0530 @@ -2,8 +2,8 @@ Origin: https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8 Last-Update: 2021-04-04 ---- smarty3-3.1.31+20161214.1.c7d42e4+selfpack1.orig/libs/Smarty.class.php -+++ smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/libs/Smarty.class.php +--- a/libs/Smarty.class.php ++++ b/libs/Smarty.class.php @@ -978,7 +978,7 @@ class Smarty extends Smarty_Internal_Tem $this->plugins_dir = (array) $this->plugins_dir; } 
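Review bot: The patch header visible in this hunk still reads `Last-Update: 2021-04-04` and gives the upstream commit as a bare `Origin:` URL, although this upload edits CVE-2018-13982-2.patch on 2021-09-04. Further down, the upload replaces `$this->ds` with `DIRECTORY_SEPARATOR` in the patch, which presumably makes it differ from the referenced upstream commit. I would change the header to `Origin: backport, https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8` and `Last-Update: 2021-09-04`, and add a one-line description of the deviation. That tells anyone later comparing the package with upstream that the difference is intentional. The same may apply to CVE-2018-13982-3.patch, whose header is not visible here.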
@@ -48,8 +48,8 @@ // resolve '..DIRECTORY_SEPARATOR' pattern, smallest first if (strpos($path, '..' . $this->ds) != false && preg_match_all('#[\\\\/]([.][.][\\\\/])+#u', $path, $match) ---- smarty3-3.1.31+20161214.1.c7d42e4+selfpack1.orig/libs/sysplugins/smarty_security.php -+++ smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/libs/sysplugins/smarty_security.php +--- a/libs/sysplugins/smarty_security.php ++++ b/libs/sysplugins/smarty_security.php @@ -258,8 +258,6 @@ class Smarty_Security public function __construct($smarty) { @@ -71,7 +71,7 @@ } - } - if ($isConfig !== false) { -+ ++ $_dir = $this->smarty->getConfigDir(); if ($this->_config_dir !== $_dir) { $this->_updateResourceDir($this->_config_dir, $_dir) @@ -82,7 +82,7 @@ $this->secure_dir = (array)$this->secure_dir; foreach($this->secure_dir as $k => $d) { - $this->secure_dir[$k] = $this->smarty->_realpath($d.DIRECTORY_SEPARATOR,true); -+ $this->secure_dir[$k] = $this->smarty->_realpath($d. $this->ds,true); ++ $this->secure_dir[$k] = $this->smarty->_realpath($d. DIRECTORY_SEPARATOR,true); } $this->_updateResourceDir($this->_secure_dir, $this->secure_dir); $this->_secure_dir = $this->secure_dir; @@ -123,7 +123,7 @@ - } - $filepath = $this->smarty->_realpath($filepath, true); - $directory = dirname($filepath) . DIRECTORY_SEPARATOR; -+ $directory = dirname($this->smarty->_realpath($filepath, true)) . $this->ds; ++ $directory = dirname($this->smarty->_realpath($filepath, true)) . DIRECTORY_SEPARATOR; $_directory = array(); while (true) { // test if the directory is trusted diff -Nru smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-3.patch smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-3.patch --- smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-3.patch 2021-04-15 15:17:32.000000000 +0530 +++ smarty3-3.1.31+20161214.1.c7d42e4+selfpack1/debian/patches/CVE-2018-13982-3.patch 2021-09-04 23:48:41.000000000 +0530 @@ -75,7 +75,7 @@ 
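Review bot: The path-normalisation context in the first hunk on this line tests `strpos($path, '..' . $this->ds) != false`, a loose comparison that treats a match at offset 0 the same as no match. The `..` resolution that follows would therefore be skipped for a path that begins with `..` and a separator. Whether such a path can reach this line depends on code outside the hunk, so it may be unreachable in practice. Because the normalised result is what smarty_security.php later compares against trusted directories, the strict form is safer: `if (strpos($path, '..' . $this->ds) !== false &&`. The enclosing function starts and ends outside the hunk.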
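Review bot: Nothing in this debdiff adds a test for the code path that regressed, so the same kind of backport error can recur. The refreshed smarty_security.php hunks (`_realpath($d. DIRECTORY_SEPARATOR,true)` for secure_dir, and the `$directory = dirname(...)` line) replace `$this->ds` with `DIRECTORY_SEPARATOR`, presumably because Smarty_Security has no `ds` property in this version. Reading an undefined property in PHP yields null and only raises a notice, so the earlier revision would have built these paths without a trailing separator instead of failing loudly. A small autopkgtest that enables security, sets `secure_dir`, and fetches one template inside it and one outside it would catch this in future uploads. Both affected functions continue outside the hunks shown.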
--- a/libs/sysplugins/smarty_security.php +++ b/libs/sysplugins/smarty_security.php @@ -527,7 +527,7 @@ class Smarty_Security - + $_dir = $this->smarty->getConfigDir(); if ($this->_config_dir !== $_dir) { - $this->_updateResourceDir($this->_config_dir, $_dir) @@ -85,7 +85,7 @@ if ($this->_secure_dir !== $this->secure_dir) { @@ -639,7 +639,8 @@ class Smarty_Security { - $directory = dirname($this->smarty->_realpath($filepath, true)) . $this->ds; + $directory = dirname($this->smarty->_realpath($filepath, true)) . DIRECTORY_SEPARATOR; $_directory = array(); - while (true) { + if (!preg_match('#[\\\\/][.][.][\\\\/]#',$directory)) { @@ -103,8 +103,7 @@ // remember the directory to add it to _resource_dir in case we're successful $_directory[ $directory ] = true; // bubble up one level -- $directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', '/', $directory); -+ $directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', $this->ds, $directory); + $directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', '/', $directory); + } } + // give up
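Review bot: In the last hunk the bubble-up step keeps a literal `'/'` as the replacement, while `$directory` a few lines earlier is now built with `DIRECTORY_SEPARATOR`. The pattern `[\\\/]` accepts either separator, so on a platform where the two differ the keys stored in `$_directory` would mix separators and might not match entries normalised through `_realpath`. On Debian the two values are identical, so this is a consistency point rather than a functional one. I would either write `$directory = preg_replace('#[\\\/][^\\\/]+[\\\/]$#', DIRECTORY_SEPARATOR, $directory);` or add a comment that the `'/'` is deliberately kept as upstream has it. The loop body and the surrounding traversal guard continue outside the hunk.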