On Mon, Sep 17, 2018 at 09:07:38PM +0000, Mike Gabriel wrote:
> I have looked at the changes between 3.1.33 (just uploaded to unstable) and
> 3.1.31 (in stable). They are awful. Read the below...
> 
> 15:42 < sunweaver> Hi all, I have just looked into
> https://security-tracker.debian.org/tracker/CVE-2018-16831
> 15:43 < sunweaver> even for stretch, it is pretty much impossible to
> backport the patch series (at least for patches, all containing tons of
> regexp with multitudes of slashes and backslashes).
> 15:43 < sunweaver> totally insane...
> 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
> be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
> upstream release to jessie/stretch.
> 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
> that.
> 15:46 < sunweaver> the 4 patches we needed at least are these...
> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> 15:48 < sunweaver> and these four sit on top of this...
> 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> 15:48 < sunweaver> and 10+ other commits.
> 15:48 < sunweaver> all tackling the same code passage.
> 15:49 < sunweaver> @all: can we reach consensus that latest upstream release
> would be best for jessie LTS and stretch (OT here).
> 
> The pile of patches is so awful, I strongly advise getting latest
> smarty-lexer and latest smarty3 from unstable into stable with thorough
> testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
> Most of them are maintained by me and I have running setups for testing this
> (except 1 package in Debian IIRC).

If you have reasonable test coverage of the reverse deps, we can do that.

But let's wait for a few more days to spot eventual regressions reported
in unstable first. Also, make sure to coordinate the release of the DLA with
the DSA, otherwise we end up with a situation where oldstable has a higher
version number than stable.

Cheers,
        Moritz
