Package: smarty
Version: 2.6.26-0.2
Severity: normal

In upstream version Smarty 2.6.27, a possible security fix is applied with the following patch. But this fix does not seem to be applied in the Debian stable package 2.6.26-0.2.

--- Smarty.class.php.orig 2009-06-18 23:47:04.000000000 +0900 +++ Smarty.class.php 2013-03-11 00:32:14.000000000 +0900 @@ -1090,7 +1090,8 @@ */ function trigger_error($error_msg, $error_type = E_USER_WARNING) { - trigger_error("Smarty error: $error_msg", $error_type); + $msg = htmlentities($error_msg); + trigger_error("Smarty error: $msg", $error_type); }

https://code.google.com/p/smarty-php/source/detail?r=4660

-- System Information:
Debian Release: 6.0.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages smarty depends on:
ii  php5-cli  5.3.3-7+squeeze15  command-line interpreter for the p

smarty recommends no packages.

smarty suggests no packages.

-- no debconf information
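
Review bot: htmlentities($error_msg) in the added line is called with a single argument, so quote handling and the character set are left to PHP's defaults. On the PHP 5.3.3 listed in this report that means ENT_COMPAT, which leaves single quotes unencoded, and ISO-8859-1, which garbles multibyte UTF-8 text in an error message. Suggest passing both explicitly, for example htmlentities($error_msg, ENT_QUOTES, 'UTF-8'), or htmlspecialchars() with the same arguments, since only the HTML metacharacters need escaping here. The function's doc comment should also say that the message is HTML-escaped before it reaches trigger_error(), because the same escaped string will end up in log files and CLI output as well as in browser-rendered error pages.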