Package: release.debian.org Tags: squeeze User: [email protected] Usertags: pu
Hi, I'd like to upload smarty package to fix CVE-2012-4437. Security team suggest me to upload it to s-p-u. Please check attached debdiff. -- Regards, Hideki Yamane henrich @ debian.or.jp/org http://wiki.debian.org/HidekiYamane
diff -Nru smarty-2.6.26/debian/changelog smarty-2.6.26/debian/changelog --- smarty-2.6.26/debian/changelog 2013-03-20 16:52:17.000000000 +0900 +++ smarty-2.6.26/debian/changelog 2013-03-20 16:48:41.000000000 +0900 @@ -1,3 +1,12 @@ +smarty (2.6.26-1) stable-proposed-updates; urgency=high + + * QA upload. + * add debian/patches/avoid_possible_script_execution_from_2.6.27.patch + - CVE-2012-4437: cherry picked from upstream, prevent XSS (Closes: #702710) + Thanks to Yoshinari Takaoka <[email protected]> for the report. + + -- Hideki Yamane <[email protected]> Mon, 11 Mar 2013 01:18:46 +0900 + smarty (2.6.26-0.2) unstable; urgency=low * QA upload: diff -Nru smarty-2.6.26/debian/patches/avoid_possible_script_execution_from_2.6.27.patch smarty-2.6.26/debian/patches/avoid_possible_script_execution_from_2.6.27.patch --- smarty-2.6.26/debian/patches/avoid_possible_script_execution_from_2.6.27.patch 1970-01-01 09:00:00.000000000 +0900 +++ smarty-2.6.26/debian/patches/avoid_possible_script_execution_from_2.6.27.patch 2013-03-11 01:18:06.000000000 +0900 @@ -0,0 +1,22 @@ +Description: avoid possible XSS + As Yoshinari Takaoka <[email protected]> pointed out, upstream puts + a (possible) security fix in Smarty 2.6.27. + . + See upstream commit as https://code.google.com/p/smarty-php/source/detail?r=4660 + +--- +Origin: upstream +Last-Update: 2013-03-11 + +--- smarty-2.6.26.orig/libs/Smarty.class.php ++++ smarty-2.6.26/libs/Smarty.class.php +@@ -1090,7 +1090,8 @@ class Smarty + */ + function trigger_error($error_msg, $error_type = E_USER_WARNING) + { +- trigger_error("Smarty error: $error_msg", $error_type); ++ $msg = htmlentities($error_msg); ++ trigger_error("Smarty error: $msg", $error_type); + } + + diff -Nru smarty-2.6.26/debian/patches/series smarty-2.6.26/debian/patches/series --- smarty-2.6.26/debian/patches/series 1970-01-01 09:00:00.000000000 +0900 +++ smarty-2.6.26/debian/patches/series 2013-03-10 22:31:33.000000000 +0900 @@ -0,0 +1 @@ +avoid_possible_script_execution_from_2.6.27.patch diff -Nru smarty-2.6.26/debian/source/format smarty-2.6.26/debian/source/format --- smarty-2.6.26/debian/source/format 1970-01-01 09:00:00.000000000 +0900 +++ smarty-2.6.26/debian/source/format 2013-03-10 22:31:20.000000000 +0900 @@ -0,0 +1 @@ +3.0 (quilt)
