Hi Chris,

On Thu 18 Jan 2018 23:05:23 CET, Chris Lamb wrote:

> Hi Mike,
>
> > > Hey, how are you getting on? :) Can we help?
> >
> > Thanks for the reminder. Next item on my list now.
>
> Friendly ping on this? :)
>
> Regards,
Upload to unstable done, stretch-security upload done, too, but nothing heard back.
Patch submitted to security team for jessie-security version (3.1.21, I attach the .debdiff here). Still in process. In need of a test application that triggers the flawed code path.
Once the jessie-security patch has been ack'ed, I will go one more step back in time and provide a patch for wheezy-security (smarty3 3.1.10).
Maybe you want to review the j-security patch and see if it applies to the wheezy version? Plus, investigate if there is an application based on smarty3 that is exploitable?
Looking forward to getting feedback on the derived patch for 3.1.21.

Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
diff -Nru smarty3-3.1.21/debian/changelog smarty3-3.1.21/debian/changelog --- smarty3-3.1.21/debian/changelog 2014-10-20 00:06:58.000000000 +0200 +++ smarty3-3.1.21/debian/changelog 2018-01-15 11:49:37.000000000 +0100 @@ -1,3 +1,11 @@ +smarty3 (3.1.21-1+deb8u1) jessie-security; urgency=medium + + * debian/patches: + + Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes: + #886460). + + -- Mike Gabriel <sunweaver@debian.org> Mon, 15 Jan 2018 11:49:37 +0100 + smarty3 (3.1.21-1) unstable; urgency=medium * New upstream release. (Closes: #765920). diff -Nru smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch --- smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch 1970-01-01 01:00:00.000000000 +0100 +++ smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch 2018-01-15 11:48:46.000000000 +0100 
@@ -0,0 +1,41 @@ +From 614ad1f8b9b00086efc123e49b7bb8efbfa81b61 Mon Sep 17 00:00:00 2001 +From: Uwe Tews <uwe.tews@googlemail.com> +Date: Fri, 21 Jul 2017 05:13:54 +0200 +Subject: [PATCH] - security possible PHP code injection on custom resources at + display() or fetch() calls if the resource does not sanitize the template + name + . + v2: Patch rebased against smarty3 3.1.21 by Mike Gabriel <sunweaver@debian.org> + +--- a/libs/sysplugins/smarty_resource_custom.php ++++ b/libs/sysplugins/smarty_resource_custom.php +@@ -47,7 +47,7 @@ + */ + public function populate(Smarty_Template_Source $source, Smarty_Internal_Template $_template = null) + { +- $source->filepath = $source->type . ':' . $source->name; ++ $source->filepath = $source->type . ':' . substr(preg_replace('/[^A-Za-z0-9.]/','',$source->name),0,25); + $source->uid = sha1($source->type . ':' . $source->name); + + $mtime = $this->fetchTimestamp($source->name); +@@ -90,6 +90,6 @@ + */ + protected function getBasename(Smarty_Template_Source $source) + { +- return basename($source->name); ++ return basename(substr(preg_replace('/[^A-Za-z0-9.]/','',$source->name),0,25)); + } + } +--- a/libs/sysplugins/smarty_internal_templatecompilerbase.php ++++ b/libs/sysplugins/smarty_internal_templatecompilerbase.php +@@ -241,8 +241,8 @@ + // template header code + $template_header = ''; + if (!$this->suppressHeader) { +- $template_header .= "<?php /* Smarty version " . Smarty::SMARTY_VERSION . ", created on " . strftime("%Y-%m-%d %H:%M:%S") . "\n"; +- $template_header .= " compiled from \"" . $this->template->source->filepath . "\" */ ?>\n"; ++ $template_header .= "<?php /* Smarty version {Smarty::SMARTY_VERSION}, created on " . strftime("%Y-%m-%d %H:%M:%S") . "\n"; ++ $template_header .= " compiled from \"" . str_replace('*/','* /',$_template->source->filepath) . 
"\" */ ?>\n"; + } + + if (empty($this->template->source->components)) { diff -Nru smarty3-3.1.21/debian/patches/series smarty3-3.1.21/debian/patches/series --- smarty3-3.1.21/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ smarty3-3.1.21/debian/patches/series 2018-01-15 11:24:42.000000000 +0100 @@ -0,0 +1 @@ +0001_CVE-2017-1000480.patch
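Review bot: the sanitizing expression `substr(preg_replace('/[^A-Za-z0-9.]/','',$source->name),0,25)` is duplicated verbatim in the populate() hunk and the getBasename() hunk of smarty_resource_custom.php; factoring it into one private helper on the class (name of your choosing) would keep the two call sites from drifting apart on the next rebase, e.g. for the wheezy version. Worth a short code comment as well: `$source->uid` and `fetchTimestamp($source->name)` intentionally keep the raw name, so the custom resource handler still receives exactly what the application passed, and the whitelist only governs what reaches the compiled-file header and basename, which is where stripping `/` and `*` matters.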
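Review bot: in the smarty_internal_templatecompilerbase.php hunk the rebased `+` line reads `$_template->source->filepath`, while the removed line and the unchanged context in the same hunk (`$this->template->source->components`) use `$this->template`. Unless `$_template` is a parameter or local of this method in 3.1.21, the header will be built from an undefined variable (PHP notice and an empty "compiled from" value); `$this->template->source->filepath` matches the surrounding code. Separately, `"<?php /* Smarty version {Smarty::SMARTY_VERSION}, ..."` will not interpolate: PHP expands only variables inside double-quoted strings, so the compiled header would literally contain `{Smarty::SMARTY_VERSION}`; the original concatenation `" . Smarty::SMARTY_VERSION . "` should be kept. Neither point touches the actual fix, the `str_replace('*/','* /', ...)` on the filepath, but both change the emitted header in a way a test run of the compiled output would show.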