Re: Wheezy update of smarty3?

2018-01-19 Thread Chris Lamb
Hi Mike,

> […] please go ahead with a Debian LTS upload.

Announced as DLA-1249-1. Thanks for your help.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: Wheezy update of smarty3?

2018-01-18 Thread Mike Gabriel

Hi Chris,

On Fri 19 Jan 2018 03:52:29 CET, Chris Lamb wrote:


> Hi Mike,
>
> > Maybe you want to review the j-security patch and see if it applies to
> > the wheezy version?
>
> It applies to the wheezy version; would you like me to go ahead and
> upload? :)  That might be the expedient route to getting this into
> Debian LTS :)


If you can confirm that the patch in fact fixes the CVE we are trying  
to resolve, then yes, please go ahead with a Debian LTS upload.


The underlying topic of the patch is: add a file name into a PHP  
comment and if this file name contains "*/" then this  
PHP code gets executed.


Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
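
The failure mode Mike describes above (a template name copied into a PHP comment in the compiled file), shown as an added example that is not code from this thread or from Smarty. The function names, the simplified header text and the sample names are constructed for illustration, and the str_replace() neutralisation is an assumed approach, not necessarily what the patch does.

```php
<?php
// Added illustration. Function names and header text are hypothetical,
// simplified stand-ins, not Smarty's API.

// Pre-fix style: the resource name is copied verbatim into a block
// comment at the top of the generated PHP file.
function header_unsafe(string $filepath): string
{
    return '<?php /* compiled from "' . $filepath . "\" */ ?>\n";
}

// Hardened (assumed approach): split any comment terminator before the
// name is embedded, so the comment can only end where the builder ends it.
function header_safe(string $filepath): string
{
    $inert = str_replace('*/', '* /', $filepath);
    return '<?php /* compiled from "' . $inert . "\" */ ?>\n";
}

// Defender's check: tokenize the generated header and accept it only if
// it is exactly open tag, one comment, close tag (whitespace ignored).
function header_is_inert(string $header): bool
{
    $kinds = [];
    foreach (token_get_all($header) as $tok) {
        if (!is_array($tok)) {
            return false;            // bare ';', '(' ... means live code
        }
        if ($tok[0] !== T_WHITESPACE) {
            $kinds[] = $tok[0];
        }
    }
    return $kinds === [T_OPEN_TAG, T_COMMENT, T_CLOSE_TAG];
}

// Constructed sample names; the second one closes the comment early.
foreach (['db:page.tpl', 'db:x*/ MARKER; /*.tpl'] as $name) {
    printf(
        "%-22s unsafe_inert=%s safe_inert=%s\n",
        $name,
        var_export(header_is_inert(header_unsafe($name)), true),
        var_export(header_is_inert(header_safe($name)), true)
    );
}
```

A tokenizer check of this kind can serve as a regression test for a backported fix when no application that exercises the code path is at hand.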





Re: Wheezy update of smarty3?

2018-01-18 Thread Chris Lamb
Hi Mike,

> Maybe you want to review the j-security patch and see if it applies to  
> the wheezy version?

It applies to the wheezy version; would you like me to go ahead and
upload? :)  That might be the expedient route to getting this into
Debian LTS :)


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: Wheezy update of smarty3?

2018-01-18 Thread Mike Gabriel

Hi Chris,

On Thu 18 Jan 2018 23:05:23 CET, Chris Lamb wrote:


> Hi Mike,
>
> > > Hey, how are you getting on? :)  Can we help?
> >
> > Thanks for the reminder. Next item on my list now.
>
> Friendly ping on this? :)
>
> Regards,


Upload to unstable done, stretch-security upload done, too, but  
nothing heard back.


Patch submitted to security team for jessie-security version (3.1.21,  
I attach the .debdiff here). Still in process. In need of a test  
application that triggers the flawed code path.


Once the jessie-security patch has been ack'ed, I will go one more  
step back in time and provide a patch for wheezy-security (smarty3  
3.1.10).


Maybe you want to review the j-security patch and see if it applies to  
the wheezy version? Plus, investigate if there is an application based  
on smarty3 that is exploitable?


Looking forward to getting feedback on the derived patch for 3.1.21.
Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

diff -Nru smarty3-3.1.21/debian/changelog smarty3-3.1.21/debian/changelog
--- smarty3-3.1.21/debian/changelog 2014-10-20 00:06:58.0 +0200
+++ smarty3-3.1.21/debian/changelog 2018-01-15 11:49:37.0 +0100
@@ -1,3 +1,11 @@
+smarty3 (3.1.21-1+deb8u1) jessie-security; urgency=medium
+
+  * debian/patches:
++ Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes:
+  #886460).
+
+ -- Mike Gabriel   Mon, 15 Jan 2018 11:49:37 +0100
+
 smarty3 (3.1.21-1) unstable; urgency=medium
 
   * New upstream release. (Closes: #765920).
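
Review bot: The new changelog entry gives only the patch file name and the CVE id, so a reader cannot tell from the changelog what the flaw is. The embedded patch's Subject already has suitable wording (possible PHP code injection on custom resources at display() or fetch() calls when the template name is not sanitized), and a note that the patch was rebased against 3.1.21 would also help.
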
diff -Nru smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch 
smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch
--- smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch   1970-01-01 
01:00:00.0 +0100
+++ smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch   2018-01-15 
11:48:46.0 +0100
@@ -0,0 +1,41 @@
+From 614ad1f8b9b00086efc123e49b7bb8efbfa81b61 Mon Sep 17 00:00:00 2001
+From: Uwe Tews 
+Date: Fri, 21 Jul 2017 05:13:54 +0200
+Subject: [PATCH] - security possible PHP code injection on custom resources at
+ display() or fetch() calls if the resource does not sanitize the template
+ name
+ .
+ v2: Patch rebased against smarty3 3.1.21 by Mike Gabriel 
 
+
+--- a/libs/sysplugins/smarty_resource_custom.php
 b/libs/sysplugins/smarty_resource_custom.php
+@@ -47,7 +47,7 @@
+  */
+ public function populate(Smarty_Template_Source $source, 
Smarty_Internal_Template $_template = null)
+ {
+-$source->filepath = $source->type . ':' . $source->name;
++$source->filepath = $source->type . ':' . 
substr(preg_replace('/[^A-Za-z0-9.]/','',$source->name),0,25);
+ $source->uid = sha1($source->type . ':' . $source->name);
+ 
+ $mtime = $this->fetchTimestamp($source->name);
+@@ -90,6 +90,6 @@
+  */
+ protected function getBasename(Smarty_Template_Source $source)
+ {
+-return basename($source->name);
++return 
basename(substr(preg_replace('/[^A-Za-z0-9.]/','',$source->name),0,25));
+ }
+ }
+--- a/libs/sysplugins/smarty_internal_templatecompilerbase.php
 b/libs/sysplugins/smarty_internal_templatecompilerbase.php
+@@ -241,8 +241,8 @@
+ // template header code
+ $template_header = '';
+ if (!$this->suppressHeader) {
+-$template_header .= "template->source->filepath . "\" */ ?>\n";
++$template_header .= "source->filepath) . "\" */ ?>\n";
+ }
+ 
+ if (empty($this->template->source->components)) {
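
Review bot: In the populate() and getBasename() changes the sanitiser preg_replace('/[^A-Za-z0-9.]/','',$source->name) followed by substr(...,0,25) is lossy, so distinct template names can end up with the same filepath and basename. Path separators are stripped before basename() runs, which makes basename() a no-op: a name like a/b.tpl now yields ab.tpl rather than b.tpl. $source->uid still hashes the full name, so please confirm that nothing keys compiled or cached files on filepath or the basename alone, or append a short hash of the full name to keep them distinct. Separately, the @@ -241,8 +241,8 @@ change is where the name reaches the header comment, and in this copy the call wrapping source->filepath is not visible; confirm that it neutralises */ for every resource type, since the other two changes only touch smarty_resource_custom.php.
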
diff -Nru smarty3-3.1.21/debian/patches/series 
smarty3-3.1.21/debian/patches/series
--- smarty3-3.1.21/debian/patches/series1970-01-01 01:00:00.0 
+0100
+++ smarty3-3.1.21/debian/patches/series2018-01-15 11:24:42.0 
+0100
@@ -0,0 +1 @@
+0001_CVE-2017-1000480.patch




Re: Wheezy update of smarty3?

2018-01-18 Thread Chris Lamb
Hi Mike,

> > Hey, how are you getting on? :)  Can we help?
> 
> Thanks for the reminder. Next item on my list now.

Friendly ping on this? :)

Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: Wheezy update of smarty3?

2018-01-14 Thread mike . gabriel
Hi Chris,

On Sunday, January 14, 2018, Chris Lamb wrote:
> Hey Mike,
> 
> > I will take over fixing the open CVE for smarty3 on wheezy during the  
> > week in the course of getting the other versions fixed, too.
> > 
> > Ping me again in a week, if no upload has occurred.
> 
> Hey, how are you getting on? :)  Can we help?
> 
> 
> Best wishes,

Thanks for the reminder. Next item on my list now.

Mike

-- 
Sent from my Fairphone 2 (running Sailfish OS)

Re: Wheezy update of smarty3?

2018-01-13 Thread Chris Lamb
Hey Mike,

> I will take over fixing the open CVE for smarty3 on wheezy during the  
> week in the course of getting the other versions fixed, too.
> 
> Ping me again in a week, if no upload has occurred.

Hey, how are you getting on? :)  Can we help?


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: Wheezy update of smarty3?

2018-01-07 Thread Mike Gabriel

Hi Chris,

On Sun 07 Jan 2018 09:30:16 CET, Chris Lamb wrote:


> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of smarty3:
> https://security-tracker.debian.org/tracker/source-package/smarty3
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of smarty3 updates
> for the LTS releases.
>
> Thank you very much.
>
> Chris Lamb,
>   on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt


I will take over fixing the open CVE for smarty3 on wheezy during the  
week in the course of getting the other versions fixed, too.


Ping me again in a week, if no upload has occurred.

Thanks,
Mike


--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de


