
Re: Wheezy update of smarty3?



Hi Chris,

On Thu, 18 Jan 2018 23:05:23 CET, Chris Lamb wrote:

> Hi Mike,
>
> > > Hey, how are you getting on? :)  Can we help?
> >
> > Thanks for the reminder. Next item on my list now.
>
> Friendly ping on this? :)
>
> Regards,

Upload to unstable done, stretch-security upload done, too, but nothing heard back.

Patch submitted to security team for jessie-security version (3.1.21, I attach the .debdiff here). Still in process. In need of a test application that triggers the flawed code path.

Once the jessie-security patch has been ack'ed, I will go one more step back in time and provide a patch for wheezy-security (smarty3 3.1.10).

Maybe you want to review the j-security patch and see if it applies to the wheezy version? Plus, investigate if there is an application based on smarty3 that is exploitable?

Looking forward to getting feedback on the derived patch for 3.1.21.
Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

diff -Nru smarty3-3.1.21/debian/changelog smarty3-3.1.21/debian/changelog
--- smarty3-3.1.21/debian/changelog	2014-10-20 00:06:58.000000000 +0200
+++ smarty3-3.1.21/debian/changelog	2018-01-15 11:49:37.000000000 +0100
@@ -1,3 +1,11 @@
+smarty3 (3.1.21-1+deb8u1) jessie-security; urgency=medium
+
+  * debian/patches:
+    + Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes:
+      #886460).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Mon, 15 Jan 2018 11:49:37 +0100
+
 smarty3 (3.1.21-1) unstable; urgency=medium
 
   * New upstream release. (Closes: #765920).
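Review bot: the changelog entry should name the upstream commit the patch is derived from (614ad1f8b9b00086efc123e49b7bb8efbfa81b61, quoted in the patch header below) next to the CVE id, so the security team can verify the backport against upstream without opening the patch file.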
diff -Nru smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch
--- smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch	1970-01-01 01:00:00.000000000 +0100
+++ smarty3-3.1.21/debian/patches/0001_CVE-2017-1000480.patch	2018-01-15 11:48:46.000000000 +0100
@@ -0,0 +1,41 @@
+From 614ad1f8b9b00086efc123e49b7bb8efbfa81b61 Mon Sep 17 00:00:00 2001
+From: Uwe Tews <uwe.tews@googlemail.com>
+Date: Fri, 21 Jul 2017 05:13:54 +0200
+Subject: [PATCH] - security possible PHP code injection on custom resources at
+ display() or fetch()     calls if the resource does not sanitize the template
+ name
+ .
+ v2: Patch rebased against smarty3 3.1.21 by Mike Gabriel <sunweaver@debian.org> 
+
+--- a/libs/sysplugins/smarty_resource_custom.php
++++ b/libs/sysplugins/smarty_resource_custom.php
+@@ -47,7 +47,7 @@
+      */
+     public function populate(Smarty_Template_Source $source, Smarty_Internal_Template $_template = null)
+     {
+-        $source->filepath = $source->type . ':' . $source->name;
++        $source->filepath = $source->type . ':' . substr(preg_replace('/[^A-Za-z0-9.]/','',$source->name),0,25);
+         $source->uid = sha1($source->type . ':' . $source->name);
+ 
+         $mtime = $this->fetchTimestamp($source->name);
+@@ -90,6 +90,6 @@
+      */
+     protected function getBasename(Smarty_Template_Source $source)
+     {
+-        return basename($source->name);
++        return basename(substr(preg_replace('/[^A-Za-z0-9.]/','',$source->name),0,25));
+     }
+ }
+--- a/libs/sysplugins/smarty_internal_templatecompilerbase.php
++++ b/libs/sysplugins/smarty_internal_templatecompilerbase.php
+@@ -241,8 +241,8 @@
+         // template header code
+         $template_header = '';
+         if (!$this->suppressHeader) {
+-            $template_header .= "<?php /* Smarty version " . Smarty::SMARTY_VERSION . ", created on " . strftime("%Y-%m-%d %H:%M:%S") . "\n";
+-            $template_header .= "         compiled from \"" . $this->template->source->filepath . "\" */ ?>\n";
++            $template_header .= "<?php /* Smarty version {Smarty::SMARTY_VERSION}, created on " . strftime("%Y-%m-%d %H:%M:%S") . "\n";
++            $template_header .= "         compiled from \"" . str_replace('*/','* /',$_template->source->filepath) . "\" */ ?>\n";
+         }
+ 
+         if (empty($this->template->source->components)) {
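Review bot: the replacement line for the "compiled from" header in smarty_internal_templatecompilerbase.php references $_template->source->filepath, while the line it replaces and the surrounding code use $this->template->source->filepath; unless $_template is in scope at that point of the 3.1.21 compiler, PHP raises an undefined-variable notice and writes an empty path into the header, so keep $this->template and apply str_replace('*/', '* /', ...) to that. The preceding "+" line also rewrites the version as "{Smarty::SMARTY_VERSION}" inside a double-quoted string; PHP only interpolates {$...} expressions there, so the literal text {Smarty::SMARTY_VERSION} ends up in every compiled template header instead of the version number. That change is unrelated to the CVE fix and the original " . Smarty::SMARTY_VERSION . " concatenation should be kept. The smarty_resource_custom.php changes look consistent: filepath and basename are restricted to [A-Za-z0-9.] and 25 characters while $source->uid still hashes the full name, so cache entries do not collide; the patch description could mention that longer custom resource names are truncated in the header and basename.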
diff -Nru smarty3-3.1.21/debian/patches/series smarty3-3.1.21/debian/patches/series
--- smarty3-3.1.21/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ smarty3-3.1.21/debian/patches/series	2018-01-15 11:24:42.000000000 +0100
@@ -0,0 +1 @@
+0001_CVE-2017-1000480.patch
