Bug#703482: pu: package smarty/2.6.26-1
On Wed, 20 Mar 2013 19:38:05 +0000
"Adam D. Barratt" <adam@adam-barratt.org.uk> wrote:
> 2.6.26-0.2+squeeze1 would be more conventional.
> diff -Nru smarty-2.6.26/debian/source/format smarty-2.6.26/debian/source/format
> --- smarty-2.6.26/debian/source/format 1970-01-01 09:00:00.000000000 +0900
> +++ smarty-2.6.26/debian/source/format 2013-03-10 22:31:20.000000000 +0900
> @@ -0,0 +1 @@
> +3.0 (quilt)
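Review bot: switching debian/source/format to 3.0 (quilt) would make dpkg-source apply debian/patches/ itself at unpack time, which is a change of source package format rather than part of the security fix and is not something a stable update should carry. Keep the 1.0 format squeeze already has and apply the patch from debian/rules instead.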
>
> Definitely not in a stable update.
Okay, then as below. I'll upload it today if it's okay.
diff -u smarty-2.6.26/debian/changelog smarty-2.6.26/debian/changelog
--- smarty-2.6.26/debian/changelog
+++ smarty-2.6.26/debian/changelog
@@ -1,3 +1,12 @@
+smarty (2.6.26-0.2+squeeze1) stable-proposed-updates; urgency=high
+
+ * QA upload.
+ * add debian/patches/avoid_possible_script_execution_from_2.6.27.patch
+ - CVE-2012-4437: cherry picked from upstream, prevent XSS (Closes: #702710)
+ Thanks to Yoshinari Takaoka <mumumu@mumumu.org> for the report.
+
+ -- Hideki Yamane <henrich@debian.org> Mon, 11 Mar 2013 01:18:46 +0900
+
smarty (2.6.26-0.2) unstable; urgency=low
* QA upload:
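Review bot: the new entry names the CVE and the patch file but not what the patch actually changes; a short clause such as "Smarty::trigger_error() now passes the message through htmlentities()" would let a reader of the changelog see that the fix is escaping of error messages and nothing else from the 2.6.27 release. Otherwise the entry looks right: the version 2.6.26-0.2+squeeze1 is the form asked for above, urgency, target suite and the Closes: reference are all present.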
diff -u smarty-2.6.26/debian/rules smarty-2.6.26/debian/rules
--- smarty-2.6.26/debian/rules
+++ smarty-2.6.26/debian/rules
@@ -9,6 +9,7 @@
dh_clean
build:
+ patch -p1 < debian/patches/avoid_possible_script_execution_from_2.6.27.patch
install:
dh_testdir
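Review bot: the `patch -p1 < debian/patches/...` line added to the build target has no counterpart in clean (the `dh_clean` context line just above it suggests the clean target ends there, and nothing in it reverts the patch). With the 1.0 source format the tree is modified in place, so a second build from the same unpacked tree, or clean followed by build, feeds patch an already-applied hunk: patch will then prompt for a reversal or, without a terminal, skip the hunk and exit non-zero, failing the recipe. It will also leave `.orig` backup files behind on a fuzzy apply unless `--no-backup-if-mismatch` is passed. Suggest reverting in clean with `patch -R -p1 < debian/patches/avoid_possible_script_execution_from_2.6.27.patch`, guarded by a stamp file that the build target creates, so both targets are idempotent.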
only in patch2:
unchanged:
--- smarty-2.6.26.orig/debian/patches/avoid_possible_script_execution_from_2.6.27.patch
+++ smarty-2.6.26/debian/patches/avoid_possible_script_execution_from_2.6.27.patch
@@ -0,0 +1,22 @@
+Description: avoid possible XSS
+ As Yoshinari Takaoka <mumumu@mumumu.org> pointed out, upstream puts
+ a (possible) security fix in Smarty 2.6.27.
+ .
+ See upstream commit as https://code.google.com/p/smarty-php/source/detail?r=4660
+
+---
+Origin: upstream
+Last-Update: 2013-03-11
+
+--- smarty-2.6.26.orig/libs/Smarty.class.php
++++ smarty-2.6.26/libs/Smarty.class.php
+@@ -1090,7 +1090,8 @@ class Smarty
+ */
+ function trigger_error($error_msg, $error_type = E_USER_WARNING)
+ {
+- trigger_error("Smarty error: $error_msg", $error_type);
++ $msg = htmlentities($error_msg);
++ trigger_error("Smarty error: $msg", $error_type);
+ }
+
+
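Review bot: the embedded fix escapes only inside Smarty's own trigger_error() wrapper, and htmlentities() is called with its defaults, which on squeeze's PHP 5.3 means the ISO-8859-1 charset and ENT_COMPAT: `<`, `>`, `&` and double quotes are neutralised, single quotes are not, and non-ASCII UTF-8 in a message will be mis-encoded. As a straight cherry-pick of upstream r4660 that is acceptable for a stable update, but the Description should say that escaping now happens where the error is raised, so messages that reach a non-HTML sink (CLI, log files) will carry entities. On the DEP-3 header: add `Bug-Debian: http://bugs.debian.org/702710` to match the Closes: in the changelog, and `Origin: upstream, https://code.google.com/p/smarty-php/source/detail?r=4660` would put the revision in the machine-readable field rather than only in the free text. The nested hunk header `@@ -1090,7 +1090,8 @@` is consistent with one line removed and two added.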