Bug#703482: pu: package smarty/2.6.26-1

To: Hideki Yamane <henrich@debian.or.jp>, 703482@bugs.debian.org
Subject: Bug#703482: pu: package smarty/2.6.26-1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Wed, 20 Mar 2013 19:38:05 +0000
Message-id: <[🔎] 1363808285.5873.5.camel@jacala.jungle.funky-badger.org>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 703482@bugs.debian.org
In-reply-to: <[🔎] 20130320170622.369716f76d6318743e8d2b6f@debian.or.jp>
References: <[🔎] 20130320170622.369716f76d6318743e8d2b6f@debian.or.jp>

On Wed, 2013-03-20 at 17:06 +0900, Hideki Yamane wrote:
>  I'd like to upload smarty package to fix CVE-2012-4437.
>  Security team suggest me to upload it to s-p-u.
>  Please check attached debdiff.

+smarty (2.6.26-1) stable-proposed-updates; urgency=high

2.6.26-0.2+squeeze1 would be more conventional.

+  * QA upload.
+  * add debian/patches/avoid_possible_script_execution_from_2.6.27.patch
+    - CVE-2012-4437: cherry picked from upstream, prevent XSS (Closes: #702710)
+      Thanks to Yoshinari Takaoka <mumumu@mumumu.org> for the report.

The fix for the XSS looks fine, but:

diff -Nru smarty-2.6.26/debian/source/format smarty-2.6.26/debian/source/format
--- smarty-2.6.26/debian/source/format  1970-01-01 09:00:00.000000000 +0900
+++ smarty-2.6.26/debian/source/format  2013-03-10 22:31:20.000000000 +0900
@@ -0,0 +1 @@
+3.0 (quilt)

Definitely not in a stable update.

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#703482: pu: package smarty/2.6.26-1
  - From: Hideki Yamane <henrich@debian.or.jp>

References:
- Bug#703482: pu: package smarty/2.6.26-1
  - From: Hideki Yamane <henrich@debian.or.jp>

Prev by Date: Re: Fixing "lucky 13" CVE-2013-0169 in gnutls28
Next by Date: #703146 release critical?
Previous by thread: Bug#703482: pu: package smarty/2.6.26-1
Next by thread: Bug#703482: pu: package smarty/2.6.26-1
Index(es):
- Date
- Thread