Re: Wheezy update of smarty3?
Hi Mike,

> […] please go ahead with a Debian LTS upload.

Announced as DLA-1249-1. Thanks for your help.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Re: Wheezy update of smarty3?
Hi Chris,

On Fri 19 Jan 2018 03:52:29 CET, Chris Lamb wrote:

> Hi Mike,
>
> > Maybe you want to review the j-security patch and see if it applies to
> > the wheezy version?
>
> It applies to the wheezy version; would you like me to go ahead and
> upload? :) That might be the expedient route to getting this into
> Debian LTS :)

If you can confirm that the patch in fact fixes the CVE we are trying to resolve, then yes, please go ahead with a Debian LTS upload.

The underlying topic of the patch is: add a file name into a PHP comment and if this file name contains "*/" then this PHP code gets executed.

Mike
-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
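The comment breakout described in the mail above, and two ways of closing it, as an added example that is not part of the original mail or of Smarty's code. build_header() is a simplified stand-in for the compiled-template header, sanitize_resource_name() reuses the allowlist expression from the jessie debdiff posted in this thread, and comment_safe(), the "db:" resource type and the sample names are assumptions made for the illustration.

```php
<?php
// Added illustration; function names are hypothetical, not Smarty's API.

// Allowlist expression taken from the debdiff in this thread:
// keep only [A-Za-z0-9.] and cap the result at 25 characters.
function sanitize_resource_name(string $name): string
{
    return substr(preg_replace('/[^A-Za-z0-9.]/', '', $name), 0, 25);
}

// Assumed sink-side defence: split any comment terminator in the text.
function comment_safe(string $text): string
{
    return str_replace('*/', '* /', $text);
}

// Simplified stand-in for the header written into a compiled template.
function build_header(string $filepath): string
{
    return '<?php /* compiled from "' . $filepath . '" */ ?>' . "\n";
}

// True when the comment ends before the header's own closing terminator,
// i.e. part of the file name would be parsed as PHP code.
function comment_closes_early(string $header): bool
{
    return strpos($header, '*/') !== strrpos($header, '*/');
}

// Constructed template names; the second carries a comment terminator,
// the third shows what the 25-character cap does to a long name.
$names = ['page.tpl', 'x*/ marker /*', str_repeat('a', 40) . '.tpl'];

foreach ($names as $name) {
    $variants = [
        'raw'       => 'db:' . $name,
        'allowlist' => 'db:' . sanitize_resource_name($name),
        'escaped'   => comment_safe('db:' . $name),
    ];
    foreach ($variants as $label => $filepath) {
        $early = comment_closes_early(build_header($filepath));
        printf("%-9s %-30s early close: %s\n", $label, $filepath, $early ? 'YES' : 'no');
    }
}
```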
Re: Wheezy update of smarty3?
Hi Mike,

> Maybe you want to review the j-security patch and see if it applies to
> the wheezy version?

It applies to the wheezy version; would you like me to go ahead and upload? :) That might be the expedient route to getting this into Debian LTS :)

Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Re: Wheezy update of smarty3?
Hi Chris,

On Thu 18 Jan 2018 23:05:23 CET, Chris Lamb wrote:

> Hi Mike,
>
> > > Hey, how are you getting on? :) Can we help?
> >
> > Thanks for the reminder. Next item on my list now.
>
> Friendly ping on this? :)
>
> Regards,

Upload to unstable done, stretch-security upload done, too, but nothing heard back.

Patch submitted to security team for jessie-security version (3.1.21, I attach the .debdiff here). Still in process. In need of a test application that triggers the flawed code path.

Once the jessie-security patch has been ack'ed, I will go one more step back in time and provide a patch for wheezy-security (smarty3 3.1.10).

Maybe you want to review the j-security patch and see if it applies to the wheezy version? Plus, investigate if there is an application based on smarty3 that is exploitable?

Looking forward to getting feedback on the derived patch for 3.1.21.

Mike
-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

diff -Nru smarty3-3.1.21/debian/changelog smarty3-3.1.21/debian/changelog --- smarty3-3.1.21/debian/changelog 2014-10-20 00:06:58.0 +0200 +++ smarty3-3.1.21/debian/changelog 2018-01-15 11:49:37.0 +0100 @@ -1,3 +1,11 @@ +smarty3 (3.1.21-1+deb8u1) jessie-security; urgency=medium + + * debian/patches: ++ Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes: + #886460). + + -- Mike GabrielMon, 15 Jan 2018 11:49:37 +0100 + smarty3 (3.1.21-1) unstable; urgency=medium * New upstream release. (Closes: #765920). diff -Nru smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch --- smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch 1970-01-01 01:00:00.0 +0100 +++ smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch 2018-01-15 11:48:46.0 +0100 
@@ -0,0 +1,41 @@ +From 614ad1f8b9b00086efc123e49b7bb8efbfa81b61 Mon Sep 17 00:00:00 2001 +From: Uwe Tews +Date: Fri, 21 Jul 2017 05:13:54 +0200 +Subject: [PATCH] - security possible PHP code injection on custom resources at + display() or fetch() calls if the resource does not sanitize the template + name + . + v2: Patch rebased against smarty3 3.1.21 by Mike Gabriel + +--- a/libs/sysplugins/smarty_resource_custom.php b/libs/sysplugins/smarty_resource_custom.php +@@ -47,7 +47,7 @@ + */ + public function populate(Smarty_Template_Source $source, Smarty_Internal_Template $_template = null) + { +-$source->filepath = $source->type . ':' . $source->name; ++$source->filepath = $source->type . ':' . substr(preg_replace('/[^A-Za-z0-9.]/','',$source->name),0,25); + $source->uid = sha1($source->type . ':' . $source->name); + + $mtime = $this->fetchTimestamp($source->name); +@@ -90,6 +90,6 @@ + */ + protected function getBasename(Smarty_Template_Source $source) + { +-return basename($source->name); ++return basename(substr(preg_replace('/[^A-Za-z0-9.]/','',$source->name),0,25)); + } + } +--- a/libs/sysplugins/smarty_internal_templatecompilerbase.php b/libs/sysplugins/smarty_internal_templatecompilerbase.php +@@ -241,8 +241,8 @@ + // template header code + $template_header = ''; + if (!$this->suppressHeader) { +-$template_header .= "template->source->filepath . "\" */ ?>\n"; ++$template_header .= "source->filepath) . "\" */ ?>\n"; + } + + if (empty($this->template->source->components)) { diff -Nru smarty3-3.1.21/debian/patches/series smarty3-3.1.21/debian/patches/series --- smarty3-3.1.21/debian/patches/series1970-01-01 01:00:00.0 +0100 +++ smarty3-3.1.21/debian/patches/series2018-01-15 11:24:42.0 +0100 @@ -0,0 +1 @@ +0001_CVE-2017-1000480.patch pgpJdhlETZcUI.pgp Description: Digitale PGP-Signatur
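Review bot: in populate() of smarty_resource_custom.php the new filepath keeps only [A-Za-z0-9.] and the first 25 characters of $source->name, so template names that differ only in a stripped character or only after the 25th character now produce the same filepath, while uid on the next line is still computed from the unsanitized name. Please confirm that nothing treats filepath as an identity for compiled or cached output; if something does, deriving the value from uid would avoid collisions. The same expression is repeated in getBasename(), so a small private helper would keep the two in step.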
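Review bot: in getBasename() the basename() call no longer does anything, because the preg_replace has already removed every "/" and "\" from the name before basename() sees it. Either drop basename() here or add a short comment saying it is kept only as a belt-and-braces measure, so the next rebase does not reorder the two calls.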
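Review bot: the template header line in smarty_internal_templatecompilerbase.php is where the file path lands inside the PHP comment, so this is the change that has to hold for every resource type; the populate() sanitization only covers Smarty_Resource_Custom. The call wrapped around source->filepath on the + line is not readable in this copy of the debdiff, so please verify on the applied tree that it neutralises "*/" in the path, and add a regression test with a template name containing "*/", since the mail notes that a test application triggering this code path is still missing.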
Re: Wheezy update of smarty3?
Hi Mike,

> > Hey, how are you getting on? :) Can we help?
>
> Thanks for the reminder. Next item on my list now.

Friendly ping on this? :)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Re: Wheezy update of smarty3?
Hi Chris,

On Sunday, January 14, 2018, Chris Lamb wrote:
> Hey Mike,
>
> > I will take over fixing the open CVE for smarty3 on wheezy during the
> > week in the course of getting the other versions fixed, too.
> >
> > Ping me again in a week, if no upload has occurred.
>
> Hey, how are you getting on? :) Can we help?
>
>
> Best wishes,

Thanks for the reminder. Next item on my list now.

Mike
-- 
Sent from my Fairphone 2 (running Sailfish OS)
Re: Wheezy update of smarty3?
Hey Mike,

> I will take over fixing the open CVE for smarty3 on wheezy during the
> week in the course of getting the other versions fixed, too.
>
> Ping me again in a week, if no upload has occurred.

Hey, how are you getting on? :) Can we help?

Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Re: Wheezy update of smarty3?
Hi Chris,

On Sun 07 Jan 2018 09:30:16 CET, Chris Lamb wrote:

> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of smarty3:
> https://security-tracker.debian.org/tracker/source-package/smarty3
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of smarty3 updates for the LTS releases.
>
> Thank you very much.
>
> Chris Lamb,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
> https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

I will take over fixing the open CVE for smarty3 on wheezy during the week in the course of getting the other versions fixed, too.

Ping me again in a week, if no upload has occurred.

Thanks,
Mike
-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de