
Bug#1040449: marked as done (bookworm-pu: package smarty4/4.3.0-1+deb12u1)

Your message dated Sat, 22 Jul 2023 13:19:42 +0000
with message-id <E1qNCWM-005rrK-Iu@coccia.debian.org>
and subject line Released with 12.1
has caused the Debian Bug report #1040449,
regarding bookworm-pu: package smarty4/4.3.0-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1040449: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040449
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: smarty4@packages.debian.org
Control: affects -1 + src:smarty4

[ Reason ]
Resolve CVE-2023-28447 for smarty4 in bookworm.

[ Impact ]
Closes a vulnerability that allows executing arbitrary JavaScript code in
the context of the user's browser session.

[ Tests ]
Smoke test on a system running GOsa² (a smarty4 consumer).

[ Risks ]
Breakage of web packages in Debian that use smarty4.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

+  * debian/patches:
+    + Add CVE-2023-28447.patch. Prohibit execution of arbitrary JavaScript code
+      in the context of the user's browser session. (Closes: #1033965,
+      CVE-2023-28447).

[ Other info ]
None.
diff -Nru smarty4-4.3.0/debian/changelog smarty4-4.3.0/debian/changelog
--- smarty4-4.3.0/debian/changelog	2023-01-14 23:22:18.000000000 +0100
+++ smarty4-4.3.0/debian/changelog	2023-07-06 06:04:52.000000000 +0200
@@ -1,3 +1,12 @@
+smarty4 (4.3.0-1+deb12u1) bookworm; urgency=medium
+
+  * debian/patches:
+    + Add CVE-2023-28447.patch. Prohibit execution of arbitrary JavaScript code
+      in the context of the user's browser session. (Closes: #1033965,
+      CVE-2023-28447).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Thu, 06 Jul 2023 06:04:52 +0200
+
 smarty4 (4.3.0-1) unstable; urgency=medium
 
   * New upstream release.
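Review bot: the changelog entry restates the CVE's impact rather than the change, so a reader of the package history cannot tell which code path was touched. Suggest naming the modifier and the characters, e.g. "Add CVE-2023-28447.patch: also escape backticks and ${ in the javascript mode of the escape modifier, so values inserted into JS template literals cannot break out (Closes: #1033965, CVE-2023-28447)."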
diff -Nru smarty4-4.3.0/debian/patches/CVE-2023-28447.patch smarty4-4.3.0/debian/patches/CVE-2023-28447.patch
--- smarty4-4.3.0/debian/patches/CVE-2023-28447.patch	1970-01-01 01:00:00.000000000 +0100
+++ smarty4-4.3.0/debian/patches/CVE-2023-28447.patch	2023-07-06 06:01:34.000000000 +0200
@@ -0,0 +1,81 @@
+From e75165565e9e5956a73365c24d650ba40570ae72 Mon Sep 17 00:00:00 2001
+From: Simon Wisselink <s.wisselink@iwink.nl>
+Date: Fri, 24 Mar 2023 12:19:34 +0100
+Subject: [PATCH] Implement fix and tests
+
+---
+ libs/plugins/modifier.escape.php              |  4 +++-
+ libs/plugins/modifiercompiler.escape.php      |  4 +++-
+# .../PluginModifierEscapeTest.php              | 21 +++++++++++++++++++
+ .../Operators/templates_c/.gitignore          |  2 ++
+ 4 files changed, 29 insertions(+), 2 deletions(-)
+ create mode 100644 tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore
+
+diff --git a/libs/plugins/modifier.escape.php b/libs/plugins/modifier.escape.php
+index 11e44682e..e168679c3 100644
+--- a/libs/plugins/modifier.escape.php
++++ b/libs/plugins/modifier.escape.php
+@@ -115,7 +115,9 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
+                     // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+                     '<!--' => '<\!--',
+                     '<s'   => '<\s',
+-                    '<S'   => '<\S'
++                    '<S'   => '<\S',
++	                "`" => "\\\\`",
++	                "\${" => "\\\\\\$\\{"
+                 )
+             );
+         case 'mail':
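Review bot: the two new entries are double-quoted PHP strings while every neighbouring entry in this array is single-quoted, and the quoting changes the value: `"\\\\`"` evaluates to two backslashes followed by a backtick, so the runtime plugin emits `\\`` for a backtick, which a JS template literal reads as an escaped backslash followed by a live backtick that still terminates the literal; `"\\\\\\$\\{"` evaluates to `\\\$\{`, which is over-escaped but inert. The identical text yields the intended `\`` in modifiercompiler.escape.php only because it sits inside a single-quoted PHP string there and is unescaped once more when the generated code is compiled. Suggest `'`' => '\\`'` and `'${' => '\\$\\{'` here, in the single-quoted style of the rest of the table; the two lines are also indented with tabs where the rest of the array uses spaces.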
+diff --git a/libs/plugins/modifiercompiler.escape.php b/libs/plugins/modifiercompiler.escape.php
+index 602c3dbfc..21b1b4c2a 100644
+--- a/libs/plugins/modifiercompiler.escape.php
++++ b/libs/plugins/modifiercompiler.escape.php
+@@ -64,7 +64,9 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile
+                 // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+                 return 'strtr((string)' .
+                        $params[ 0 ] .
+-                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
++                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", 
++                       "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S",
++                       "`" => "\\\\`", "\${" => "\\\\\\$\\{"))';
+         }
+     } catch (SmartyException $e) {
+         // pass through to regular plugin fallback
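Review bot: the javascript replacement table now exists in two copies, here as PHP source text inside a single-quoted string and in modifier.escape.php as a live array, and once the different quoting is accounted for the two copies disagree (this one produces `\`` and `\$\{`, the runtime array `\\`` and `\\\$\{`). Since the `catch` above falls back to the runtime plugin whenever compilation fails, the fallback must produce the same output as the compiled form. Suggest deriving this string from the runtime plugin's array (var_export of the same table) or at least adding a test that calls smarty_modifier_escape($s, 'javascript') directly and compares it with the compiled result. The first continuation line of the new string also carries trailing whitespace.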
+#diff --git a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+#index 309a71ab8..073f9fcfa 100644
+#--- a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+#+++ b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+#@@ -237,4 +237,25 @@ public function testNonstdWithoutMbstring()
+#         $this->assertEquals("sma'rty@&#187;example&#171;.com", $this->smarty->fetch($tpl));
+#         Smarty::$_MBSTRING = true;
+#     }
+#+
+#+	public function testTemplateLiteralBackticks()
+#+	{
+#+		$tpl = $this->smarty->createTemplate('string:{"`Hello, World!`"|escape:"javascript"}');
+#+		$this->assertEquals("\\`Hello, World!\\`", $this->smarty->fetch($tpl));
+#+	}
+#+
+#+	public function testTemplateLiteralInterpolation()
+#+	{
+#+		$tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
+#+		$this->smarty->assign('vector', "`Hello, \${name}!`");
+#+		$this->assertEquals("\\`Hello, \\\$\\{name}!\\`", $this->smarty->fetch($tpl));
+#+	}
+#+
+#+	public function testTemplateLiteralBackticksAndInterpolation()
+#+	{
+#+		$this->smarty->assign('vector', '`${alert(`Hello, ${name}!`)}${`\n`}`');
+#+		$tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
+#+		$this->assertEquals("\\`\\\$\\{alert(\\`Hello, \\\$\\{name}!\\`)}\\\$\\{\\`\\\\n\\`}\\`", $this->smarty->fetch($tpl));
+#+	}
+#+
+# }
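Review bot: every line of this test hunk is commented out with a leading `#`, so the three regression tests upstream shipped with the fix (backticks, `${` interpolation, and both combined) are not carried into the Debian package, while the diffstat at the top of the patch still reports 4 files changed and 29 insertions with the test file's own line commented out. If the tests are dropped because the upstream suite is not run at build time, record that in the patch header (a DEP-3 `Origin:`/`Bug-Debian:` block would also document where the patch comes from); otherwise keep them. Note too that these tests render templates such as `{$vector|escape:"javascript"}`, which Smarty compiles, so they exercise the compiler plugin and would not catch the divergence in the runtime plugin.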
+#diff --git a/tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore b/tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore
+#new file mode 100644
+#index 000000000..d88cc1446
+#--- /dev/null
+#+++ b/tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore
+#@@ -0,0 +1,2 @@
+#+# Ignore anything in here, but keep this directory
+#+*
diff -Nru smarty4-4.3.0/debian/patches/series smarty4-4.3.0/debian/patches/series
--- smarty4-4.3.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ smarty4-4.3.0/debian/patches/series	2023-07-06 06:00:13.000000000 +0200
@@ -0,0 +1 @@
+CVE-2023-28447.patch

--- End Message ---
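The bug report above carries the fix but not a demonstration of what the missing table entries allowed. The following is an added example, not part of the bug report and not Smarty's own code: it re-implements the escape:"javascript" replacement tables from the patch in JavaScript with a PHP-style strtr (longest key wins, output is not rescanned), renders a constructed script template that places the escaped value inside a JS template literal, and executes it with a probe function to show that the pre-patch table lets a payload run and the patched table does not. The template, the payloads and the probe are constructed for this illustration.

```javascript
// Added example (not Smarty's code): the escape:"javascript" replacement
// tables before and after the CVE-2023-28447 patch, applied with a PHP-style
// strtr, and a constructed template that puts the escaped value inside a JS
// template literal, the context the old table did not cover.

// PHP strtr() with an array: scan left to right, at each position substitute
// the longest matching key, otherwise copy one character. Output is never
// rescanned, so the backslash entry cannot double-escape later entries.
function strtr(input, table) {
  const keys = Object.keys(table).sort((a, b) => b.length - a.length);
  let out = "";
  let i = 0;
  while (i < input.length) {
    const key = keys.find((k) => input.startsWith(k, i));
    if (key === undefined) {
      out += input[i];
      i += 1;
    } else {
      out += table[key];
      i += key.length;
    }
  }
  return out;
}

// Table used by escape:"javascript" before the patch (values as the
// modifier emits them, e.g. one backslash becomes two).
const BEFORE = {
  "\\": "\\\\",
  "'": "\\'",
  '"': '\\"',
  "\r": "\\r",
  "\n": "\\n",
  "</": "<\\/",
  "<!--": "<\\!--",
  "<s": "<\\s",
  "<S": "<\\S",
};

// Table after the patch: the template-literal delimiters are escaped too.
const AFTER = { ...BEFORE, "`": "\\`", "${": "\\$\\{" };

// Constructed template: a generated script that interpolates an escaped
// value into a JS template literal. VALUE stands for
// {$name|escape:"javascript"} in a Smarty template.
const SCRIPT_TEMPLATE = "const greeting = `Hello, VALUE!`; return greeting;";

function renderScript(value, table) {
  const escaped = strtr(value, table);
  // function replacer so "$" sequences in the value are not interpreted
  return SCRIPT_TEMPLATE.replace("VALUE", () => escaped);
}

// Execute the rendered script with a probe that counts how often attacker
// controlled code reached it. A browser would run the script tag; here
// new Function() stands in for it.
function runRendered(value, table) {
  let probeCalls = 0;
  const probe = () => { probeCalls += 1; return "pwned"; };
  const script = renderScript(value, table);
  let result;
  try {
    result = new Function("probe", script)(probe);
  } catch (e) {
    result = e.name; // a payload that breaks the syntax fails closed
  }
  return { script, result, probeCalls };
}

// Constructed payloads: one closes the template literal, one interpolates.
const PAYLOADS = ["`+probe()+`", "${probe()}"];

function summary() {
  const rows = [];
  for (const payload of PAYLOADS) {
    for (const [name, table] of [["before", BEFORE], ["after", AFTER]]) {
      const r = runRendered(payload, table);
      rows.push({ payload, table: name, probeCalls: r.probeCalls, result: r.result });
    }
  }
  return rows;
}

console.table(summary());
```

Both payloads call probe() once under the pre-patch table and zero times under the patched one, where the rendered greeting contains the payload verbatim as text. The same strtr can be pointed at the runtime table from modifier.escape.php (with its values evaluated as PHP double-quoted strings) to check whether that path produces the same output as the compiled one.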
--- Begin Message ---
Version: 12.1

The upload requested in this bug has been released as part of 12.1.

--- End Message ---