
Bug#702710: smarty: Possible XSS bug in Smarty error messages.



Control: severity -1 important
Control: tags -1 +security

On Mon, 11 Mar 2013 01:03:42 +0900
Yoshinari Takaoka <mumumu@mumumu.org> wrote:
> In upstream version Smarty 2.6.27, a possible security fix is applied with the following patch.
> But this fix does not seem to be applied in the Debian stable package 2.6.26-0.2.
> 
> --- Smarty.class.php.orig       2009-06-18 23:47:04.000000000 +0900
> +++ Smarty.class.php    2013-03-11 00:32:14.000000000 +0900
> @@ -1090,7 +1090,8 @@
>       */
>      function trigger_error($error_msg, $error_type = E_USER_WARNING)
>      {
> -        trigger_error("Smarty error: $error_msg", $error_type);
> +        $msg = htmlentities($error_msg);
> +        trigger_error("Smarty error: $msg", $error_type);
>      }
> 
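Review bot: htmlentities($error_msg) on the added line is called with a single argument, so quote handling and the character set are left to the defaults of whichever PHP version runs it. Passing the flags and charset explicitly (ENT_QUOTES plus the charset the application actually serves) would also encode single quotes and keep the result the same across PHP versions. Because the encoding is applied before trigger_error() rather than at the point of display, messages that end up in a log file or on the CLI will now carry HTML entities; a line in the docblock saying that the message is HTML-encoded would help callers.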
> https://code.google.com/p/smarty-php/source/detail?r=4660

 Good catch, thanks for your report :) 
 And I've made a debdiff as attached.
 
> security team
 I think it would be released as stable-proposed-updates since it has
 no CVEs, so I guess we probably say no DSAs for it.

 And I don't know whether a QA upload can be done in such a way, so please let me
 know the appropriate manner for upload if you know it.


-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane
diff -Nru smarty-2.6.26/debian/changelog smarty-2.6.26/debian/changelog
--- smarty-2.6.26/debian/changelog	2013-03-11 01:23:05.000000000 +0900
+++ smarty-2.6.26/debian/changelog	2013-03-11 01:18:59.000000000 +0900
@@ -1,3 +1,11 @@
+smarty (2.6.26-1) stable-proposed-updates; urgency=low
+
+  * QA upload.
+  * add debian/patches/avoid_possible_script_execution_from_2.6.27.patch
+    - cherry picked from upstream: it should prevent XSS (Closes: #702710)
+
+ -- Hideki Yamane <henrich@debian.org>  Mon, 11 Mar 2013 01:18:46 +0900
+
 smarty (2.6.26-0.2) unstable; urgency=low
 
   * QA upload:
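Review bot: the version in the new entry, 2.6.26-1, is a plain new revision even though the target is stable-proposed-updates and the entry below it is 2.6.26-0.2 in unstable. A stable update normally keeps the existing revision and appends a release-specific suffix to it, so that it sorts below any later revision uploaded to unstable. urgency=low is also worth a second look for a bug tagged security.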
diff -Nru smarty-2.6.26/debian/patches/avoid_possible_script_execution_from_2.6.27.patch smarty-2.6.26/debian/patches/avoid_possible_script_execution_from_2.6.27.patch
--- smarty-2.6.26/debian/patches/avoid_possible_script_execution_from_2.6.27.patch	1970-01-01 09:00:00.000000000 +0900
+++ smarty-2.6.26/debian/patches/avoid_possible_script_execution_from_2.6.27.patch	2013-03-11 01:18:06.000000000 +0900
@@ -0,0 +1,22 @@
+Description: avoid possible XSS
+ As Yoshinari Takaoka <mumumu@mumumu.org> pointed out, upstream puts
+ a (possible) security fix in Smarty 2.6.27.
+ .
+ See upstream commit as https://code.google.com/p/smarty-php/source/detail?r=4660
+
+---
+Origin: upstream
+Last-Update: 2013-03-11
+
+--- smarty-2.6.26.orig/libs/Smarty.class.php
++++ smarty-2.6.26/libs/Smarty.class.php
+@@ -1090,7 +1090,8 @@ class Smarty
+      */
+     function trigger_error($error_msg, $error_type = E_USER_WARNING)
+     {
+-        trigger_error("Smarty error: $error_msg", $error_type);
++        $msg = htmlentities($error_msg);
++        trigger_error("Smarty error: $msg", $error_type);
+     }
+ 
+ 
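Review bot: in the patch header the "---" line comes before Origin: and Last-Update:, and DEP-3 parsing stops at the first line of three dashes, so those two fields are not read as metadata. Move them up into the block with Description: and keep "---" as the last header line, and consider adding a Bug-Debian: field for #702710 so that the patch itself points at the report.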
diff -Nru smarty-2.6.26/debian/patches/series smarty-2.6.26/debian/patches/series
--- smarty-2.6.26/debian/patches/series	1970-01-01 09:00:00.000000000 +0900
+++ smarty-2.6.26/debian/patches/series	2013-03-10 22:31:33.000000000 +0900
@@ -0,0 +1 @@
+avoid_possible_script_execution_from_2.6.27.patch
diff -Nru smarty-2.6.26/debian/source/format smarty-2.6.26/debian/source/format
--- smarty-2.6.26/debian/source/format	1970-01-01 09:00:00.000000000 +0900
+++ smarty-2.6.26/debian/source/format	2013-03-10 22:31:20.000000000 +0900
@@ -0,0 +1 @@
+3.0 (quilt)
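Review bot: debian/source/format is created here (the old side carries the 1970 epoch timestamp), so the package moves to 3.0 (quilt) as part of this upload, but the changelog entry lists only the new patch. For an upload aimed at stable-proposed-updates, the format switch and the new debian/patches/series should be recorded in the changelog so that the release team can see the full extent of the packaging change.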
