Hi Salvatore,

On Sat 07 Dec 2019 16:30:16 CET, Salvatore Bonaccorso wrote:

> Hi Mike,
>
> On Fri, Feb 15, 2019 at 10:50:32PM +0000, Mike Gabriel wrote:
> > Hi Moritz, Salvatore,
> >
> > On Thu 27 Dec 2018 21:44:33 CET, Salvatore Bonaccorso wrote:
> >
> > > Hi Mike,
> > >
> > > On Thu, Nov 22, 2018 at 08:00:07PM +0100, Moritz Mühlenhoff wrote:
> > > > On Fri, Oct 26, 2018 at 04:46:39PM +0000, mike.gabr...@das-netzwerkteam.de wrote:
> > > > > Hi,
> > > > >
> > > > > On Friday, 26 October 2018, Moritz Mühlenhoff wrote:
> > > > > > On Tue, Sep 18, 2018 at 05:06:14PM +0000, Mike Gabriel wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > On Mon 17 Sep 2018 23:20:33 CEST, Moritz Mühlenhoff wrote:
> > > > > > >
> > > > > > > > On Mon, Sep 17, 2018 at 09:07:38PM +0000, Mike Gabriel wrote:
> > > > > > > > > I have looked at the changes between 3.1.33 (just uploaded to unstable) and
> > > > > > > > > 3.1.31 (in stable). They are awful. Read the below...
> > > > > > > > >
> > > > > > > > > 15:42 < sunweaver> Hi all, I have just looked into
> > > > > > > > > https://security-tracker.debian.org/tracker/CVE-2018-16831
> > > > > > > > > 15:43 < sunweaver> even for stretch, it is pretty much impossible to
> > > > > > > > > backport the patch series (at least for patches, all containing tons of
> > > > > > > > > regexp with multitudes of slashes and backslashes).
> > > > > > > > > 15:43 < sunweaver> totally insane...
> > > > > > > > > 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
> > > > > > > > > be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
> > > > > > > > > upstream release to jessie/stretch.
> > > > > > > > > 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for that.
> > > > > > > > > 15:46 < sunweaver> the 4 patches we needed at least are these...
> > > > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> > > > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> > > > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> > > > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> > > > > > > > > 15:48 < sunweaver> and these four sit on top of this...
> > > > > > > > > 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> > > > > > > > > 15:48 < sunweaver> and 10+ other commits.
> > > > > > > > > 15:48 < sunweaver> all tackling the same code passage.
> > > > > > > > > 15:49 < sunweaver> @all: can we reach consensus that latest upstream release
> > > > > > > > > would be best for jessie LTS and stretch (OT here).
> > > > > > > > >
> > > > > > > > > The pile of patches is so awful, I strongly advise getting latest
> > > > > > > > > smarty-lexer and latest smarty3 from unstable into stable with thorough
> > > > > > > > > testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
> > > > > > > > > Most of them are maintained by me and I have running setups for testing this
> > > > > > > > > (except 1 package in Debian IIRC).
> > > > > > > >
> > > > > > > > If you have reasonable test coverage of the reverse deps, we can do that.
> > > > > > > >
> > > > > > > > But let's wait for a few more days to spot eventual regressions reported
> > > > > > > > in unstable first. Also, make sure to coordinate the release of the DLA with
> > > > > > > > the DSA, otherwise we end up with a situation where oldstable has a higher
> > > > > > > > version number than stable.
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > >         Moritz
> > > > > > >
> > > > > > > I will wait another week with this. I'd like to get this solved before my
> > > > > > > VAC (6th Oct - 21st Oct).
> > > > > >
> > > > > > What's the status?
> > > > > >
> > > > > > Cheers,
> > > > > >         Moritz
> > > > > >
> > > > >
> > > > > I am still waiting for upstream to verify / confirm my patch. Ping
> > > > > dropped Monday this week.
> > > >
> > > > Any feedback?
> > >
> > > Did you get any feedback on it?
> > >
> >
> > No. However, this week I took some time and tested my patch more
> > intensively. It throws PHP exceptions on certain code paths.
> >
> > Need to reinvestigate and update my patch... It's on my list, so stay tuned.
> > Sorry for the long delay on my side.
>
> We originally had smarty3 as DSA candidate, for CVE-2018-16831 and
> CVE-2018-16832. But from my understanding of the discussion it is too
> risky to try to backport.
>
> Should we go ahead and mark it no-dsa for stretch?

Sorry for the late reply. Replying slipped off the radar. Some months back, I had already spent 1-2-3 hours backporting the fixing patch, but smarty3 is a fast-moving target regarding code changes and backporting is not trivial. My backport introduced other issues (PHP errors IIRC). Neither have I ever received feedback nor input from upstream.

I will ask Raphael / Holger if it is ok to revisit this on Debian LTS funding. The vulnerability is worth fixing, so... stretch LTS is approaching and I guess we should get this solved finally.

Greets,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
