Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: smar...@packages.debian.org Control: affects -1 + src:smarty4
[ Reason ] Resolve CVE-2023-28447 for smarty4 in bookworm. [ Impact ] Closure of vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. [ Tests ] Smoketest on system running GOsa² (smarty4 consumer). [ Risks ] Breakage of web packages in Debian that use smarty4. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] + * debian/patches: + + Add CVE-2023-28447.patch. Prohibit execution of arbitrary JavaScript code + in the context of the user's browser session. (Closes: #1033965, + CVE-2023-28447). [ Other info ] None.
diff -Nru smarty4-4.3.0/debian/changelog smarty4-4.3.0/debian/changelog
--- smarty4-4.3.0/debian/changelog 2023-01-14 23:22:18.000000000 +0100
+++ smarty4-4.3.0/debian/changelog 2023-07-06 06:04:52.000000000 +0200
@@ -1,3 +1,12 @@
+smarty4 (4.3.0-1+deb12u1) bookworm; urgency=medium
+
+  * debian/patches:
+    + Add CVE-2023-28447.patch. Prohibit execution of arbitrary JavaScript code
+      in the context of the user's browser session. (Closes: #1033965,
+      CVE-2023-28447).
+
+ -- Mike Gabriel <sunwea...@debian.org>  Thu, 06 Jul 2023 06:04:52 +0200
+
 smarty4 (4.3.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru smarty4-4.3.0/debian/patches/CVE-2023-28447.patch smarty4-4.3.0/debian/patches/CVE-2023-28447.patch
--- smarty4-4.3.0/debian/patches/CVE-2023-28447.patch 1970-01-01 01:00:00.000000000 +0100
+++ smarty4-4.3.0/debian/patches/CVE-2023-28447.patch 2023-07-06 06:01:34.000000000 +0200
@@ -0,0 +1,81 @@
+From e75165565e9e5956a73365c24d650ba40570ae72 Mon Sep 17 00:00:00 2001
+From: Simon Wisselink <s.wissel...@iwink.nl>
+Date: Fri, 24 Mar 2023 12:19:34 +0100
+Subject: [PATCH] Implement fix and tests
+
+---
+ libs/plugins/modifier.escape.php | 4 +++-
+ libs/plugins/modifiercompiler.escape.php | 4 +++-
+# .../PluginModifierEscapeTest.php | 21 +++++++++++++++++++
+ .../Operators/templates_c/.gitignore | 2 ++
+ 4 files changed, 29 insertions(+), 2 deletions(-)
+ create mode 100644 tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore
+
+diff --git a/libs/plugins/modifier.escape.php b/libs/plugins/modifier.escape.php
+index 11e44682e..e168679c3 100644
+--- a/libs/plugins/modifier.escape.php
++++ b/libs/plugins/modifier.escape.php
+@@ -115,7 +115,9 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
+                     // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+                     '<!--' => '<\!--',
+                     '<s' => '<\s',
+-                    '<S' => '<\S'
++                    '<S' => '<\S',
++                    "`" => "\\\\`",
++                    "\${" => "\\\\\\$\\{"
+                 )
+             );
+         case 'mail':
+diff --git a/libs/plugins/modifiercompiler.escape.php b/libs/plugins/modifiercompiler.escape.php
+index 602c3dbfc..21b1b4c2a 100644
+--- a/libs/plugins/modifiercompiler.escape.php
++++ b/libs/plugins/modifiercompiler.escape.php
+@@ -64,7 +64,9 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile
+                 // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+                 return 'strtr((string)' .
+                        $params[ 0 ] .
+-                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
++                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r",
++                       "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S",
++                       "`" => "\\\\`", "\${" => "\\\\\\$\\{"))';
+             }
+         } catch (SmartyException $e) {
+             // pass through to regular plugin fallback
+#diff --git a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+#index 309a71ab8..073f9fcfa 100644
+#--- a/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+#+++ b/tests/UnitTests/TemplateSource/TagTests/PluginModifier/PluginModifierEscapeTest.php
+#@@ -237,4 +237,25 @@ public function testNonstdWithoutMbstring()
+#         $this->assertEquals("sma'rty@»example«.com", $this->smarty->fetch($tpl));
+#         Smarty::$_MBSTRING = true;
+#     }
+#+
+#+    public function testTemplateLiteralBackticks()
+#+    {
+#+        $tpl = $this->smarty->createTemplate('string:{"`Hello, World!`"|escape:"javascript"}');
+#+        $this->assertEquals("\\`Hello, World!\\`", $this->smarty->fetch($tpl));
+#+    }
+#+
+#+    public function testTemplateLiteralInterpolation()
+#+    {
+#+        $tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
+#+        $this->smarty->assign('vector', "`Hello, \${name}!`");
+#+        $this->assertEquals("\\`Hello, \\\$\\{name}!\\`", $this->smarty->fetch($tpl));
+#+    }
+#+
+#+    public function testTemplateLiteralBackticksAndInterpolation()
+#+    {
+#+        $this->smarty->assign('vector', '`${alert(`Hello, ${name}!`)}${`\n`}`');
+#+        $tpl = $this->smarty->createTemplate('string:{$vector|escape:"javascript"}');
+#+        $this->assertEquals("\\`\\\$\\{alert(\\`Hello, \\\$\\{name}!\\`)}\\\$\\{\\`\\\\n\\`}\\`", $this->smarty->fetch($tpl));
+#+    }
+#+
+# }
+#diff --git 
a/tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore b/tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore
+#new file mode 100644
+#index 000000000..d88cc1446
+#--- /dev/null
+#+++ b/tests/UnitTests/TemplateSource/ValueTests/Operators/templates_c/.gitignore
+#@@ -0,0 +1,2 @@
+#+# Ignore anything in here, but keep this directory
+#+*
diff -Nru smarty4-4.3.0/debian/patches/series smarty4-4.3.0/debian/patches/series
--- smarty4-4.3.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ smarty4-4.3.0/debian/patches/series 2023-07-06 06:00:13.000000000 +0200
@@ -0,0 +1 @@
+CVE-2023-28447.patch
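Review bot: The two entries added to the strtr table in the modifier.escape.php hunk look one escaping level too deep for their context: there `` "\\\\`" `` is an ordinary double-quoted PHP literal and evaluates to two backslashes followed by a backtick, whereas the identical text in the modifiercompiler.escape.php hunk sits inside the single-quoted code string `'strtr((string)' . $params[ 0 ] . ', array(...'`, is unescaped once more when the generated template code is compiled, and yields the single backslash that the (here `#`-neutralised) upstream tests assert via `escape:"javascript"`. Two backslashes before a backtick are, to a JavaScript parser, an escaped backslash followed by a live backtick, so on my reading the runtime plugin path — taken when the escape type is not a compile-time literal and when the compiler falls back "to regular plugin fallback" — would still not neutralise backticks, and the `${` entry emits a spurious extra backslash on that path for the same reason. If that reading holds, the runtime table should use the same single-level form as its neighbouring single-quoted entries, e.g. `` '`' => '\\`', `` and `'${' => '\\$\\{'`, and a test calling `smarty_modifier_escape()` directly with `'javascript'` would pin both paths, which nothing in the package build currently does since the test-file part of the patch is commented out. Both inner hunks show only a slice of smarty_modifier_escape() and smarty_modifiercompiler_escape(); the surrounding table entries and the fallback logic are outside them.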