Bug#702710: marked as done (smarty: CVE-2012-4437: Possible XSS bug in Smarty error messages)



Your message dated Sat, 23 Mar 2013 22:32:04 +0000
with message-id <E1UJWyq-0002M4-PB@franck.debian.org>
and subject line Bug#702710: fixed in smarty 2.6.26-0.2+squeeze1
has caused the Debian Bug report #702710,
regarding smarty: CVE-2012-4437: Possible XSS bug in Smarty error messages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
702710: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702710
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: smarty
Version: 2.6.26-0.2
Severity: normal


In upstream version Smarty 2.6.27, a possible security fix is applied with the following patch.
But this fix does not seem to be applied in the Debian stable package 2.6.26-0.2.

--- Smarty.class.php.orig       2009-06-18 23:47:04.000000000 +0900
+++ Smarty.class.php    2013-03-11 00:32:14.000000000 +0900
@@ -1090,7 +1090,8 @@
      */
     function trigger_error($error_msg, $error_type = E_USER_WARNING)
     {
-        trigger_error("Smarty error: $error_msg", $error_type);
+        $msg = htmlentities($error_msg);
+        trigger_error("Smarty error: $msg", $error_type);
     }
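Review bot: htmlentities() on the added `$msg = htmlentities($error_msg);` line is called with no flags and no charset, so it runs with PHP's defaults, which on the PHP 5.3 shipped in squeeze are ENT_COMPAT and ISO-8859-1: double quotes are encoded but single quotes are left alone, so a message that ends up inside a single-quoted attribute is still not neutralised, and UTF-8 text (the reporter's locale is ja_JP.UTF-8) is encoded byte by byte as Latin-1 entities and comes out garbled. Passing the quoting flag and charset explicitly, e.g. `$msg = htmlentities($error_msg, ENT_QUOTES, 'UTF-8');`, escapes the message independently of how the surrounding markup quotes attributes. One caveat worth a comment in the patch: because escaping happens at the trigger_error() call rather than at display time, the entity-encoded message is also what reaches error_log and CLI output, so non-HTML consumers of the log will see `&lt;` and friends; that is the accepted trade-off of this fix.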

https://code.google.com/p/smarty-php/source/detail?r=4660

-- System Information:
Debian Release: 6.0.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages smarty depends on:
ii  php5-cli               5.3.3-7+squeeze15 command-line interpreter for the p

smarty recommends no packages.

smarty suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: smarty
Source-Version: 2.6.26-0.2+squeeze1

We believe that the bug you reported is fixed in the latest version of
smarty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702710@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hideki Yamane <henrich@debian.org> (supplier of updated smarty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 11 Mar 2013 01:18:46 +0900
Source: smarty
Binary: smarty
Architecture: source all
Version: 2.6.26-0.2+squeeze1
Distribution: stable-proposed-updates
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Hideki Yamane <henrich@debian.org>
Description: 
 smarty     - Template engine for PHP
Closes: 702710
Changes: 
 smarty (2.6.26-0.2+squeeze1) stable-proposed-updates; urgency=high
 .
   * QA upload.
   * add debian/patches/avoid_possible_script_execution_from_2.6.27.patch
     - CVE-2012-4437: cherry picked from upstream, prevent XSS (Closes: #702710)
       Thanks to Yoshinari Takaoka <mumumu@mumumu.org> for the report.
Checksums-Sha1: 
 13ee265bfad68e9e118e273a74211a2237cca2cd 1705 smarty_2.6.26-0.2+squeeze1.dsc
 6269784317b16a7ac81052d92c23368909dbae6d 5120 smarty_2.6.26-0.2+squeeze1.diff.gz
 84f36ac92e5c19f93ae3fbb04207a55fab15f411 198216 smarty_2.6.26-0.2+squeeze1_all.deb
Checksums-Sha256: 
 f4de6998be9fac7c7c49b4198ffddcd28da31852a9fd784cf24c49e547991131 1705 smarty_2.6.26-0.2+squeeze1.dsc
 8937d8c53c5053a9b52e5c8c5a5d3cc880dc43a9572768306ba27f098bb8c3ab 5120 smarty_2.6.26-0.2+squeeze1.diff.gz
 6050fa93c3f206fc671b8e0ceec030f81ea33c1e463014e47171ae2822284141 198216 smarty_2.6.26-0.2+squeeze1_all.deb
Files: 
 15eb93e3925e7bfb66866b4be5637120 1705 web optional smarty_2.6.26-0.2+squeeze1.dsc
 982ba5c3e510b3f98167082b9e7cce14 5120 web optional smarty_2.6.26-0.2+squeeze1.diff.gz
 f7398c2e539551a7083a79ca1f161339 198216 web optional smarty_2.6.26-0.2+squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---