
Bug#702710: smarty: Possible XSS bug in Smarty error messages.



Hello,

>> https://code.google.com/p/smarty-php/source/detail?r=4660
>
>  Good catch, thanks for your report :) 
> And I've made a debdiff as attached.
> 
>> security team
> I think it would be released as stable-proposed-updates since it has
> no CVEs, so I guess we probably say no DSAs for it.

Just FYI the CVE identifier of CVE-2012-4437 has been previously
assigned to this issue:
  http://www.openwall.com/lists/oss-security/2012/09/20/3
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4437

>
> And I don't know whether a QA upload can be done in such a way, so please let me
> know the appropriate manner for upload if you know it.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>
>
> -- 
> Regards,
>
> Hideki Yamane     henrich @ debian.or.jp/org
> http://wiki.debian.org/HidekiYamane
