Bug#908698: smarty3: CVE-2018-16831
Hi Salvatore,

On Sa 07 Dez 2019 16:30:16 CET, Salvatore Bonaccorso wrote:

> Hi Mike,
>
> On Fri, Feb 15, 2019 at 10:50:32PM +, Mike Gabriel wrote:
> > Hi Moritz, Salvatore,
> >
> > On Do 27 Dez 2018 21:44:33 CET, Salvatore Bonaccorso wrote:
> >
> > > Hi Mike,
> > >
> > > On Thu, Nov 22, 2018 at 08:00:07PM +0100, Moritz Mühlenhoff wrote:
> > > > On Fri, Oct 26, 2018 at 04:46:39PM +, mike.gabr...@das-netzwerkteam.de wrote:
> > > > > Hi,
> > > > >
> > > > > On Friday, 26 October 2018, Moritz Mühlenhoff wrote:
> > > > > > On Tue, Sep 18, 2018 at 05:06:14PM +, Mike Gabriel wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > On Mo 17 Sep 2018 23:20:33 CEST, Moritz Mühlenhoff wrote:
> > > > > > >
> > > > > > > > On Mon, Sep 17, 2018 at 09:07:38PM +, Mike Gabriel wrote:
> > > > > > > > > I have looked at the changes between 3.1.33 (just uploaded to unstable) and
> > > > > > > > > 3.1.31 (in stable). They are awful. Read the below...
> > > > > > > > >
> > > > > > > > > 15:42 < sunweaver> Hi all, I have just looked into
> > > > > > > > > https://security-tracker.debian.org/tracker/CVE-2018-16831
> > > > > > > > > 15:43 < sunweaver> even for stretch, it is pretty much impossible to
> > > > > > > > > backport the patch series (at least for patches, all containing tons of
> > > > > > > > > regexp with
> > > > > > > > > multitudes of slashes and backslashes).
> > > > > > > > > 15:43 < sunweaver> totally insane...
> > > > > > > > > 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
> > > > > > > > > be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
> > > > > > > > > upstream release to jessie/stretch.
> > > > > > > > > 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
> > > > > > > > > that.
> > > > > > > > > 15:46 < sunweaver> the 4 patches we needed at least are these...
> > > > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> > > > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> > > > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> > > > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> > > > > > > > > 15:48 < sunweaver> and these four sit on top of this...
> > > > > > > > > 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> > > > > > > > > 15:48 < sunweaver> and 10+ other commits.
> > > > > > > > > 15:48 < sunweaver> all tackling the same code passage.
> > > > > > > > > 15:49 < sunweaver> @all: can we reach consensus that latest upstream release
> > > > > > > > > would be best for jessie LTS and stretch (OT here).
> > > > > > > > >
> > > > > > > > > The pile of patches is so awful, I strongly advise getting latest
> > > > > > > > > smarty-lexer and latest smarty3 from unstable into stable with thorough
> > > > > > > > > testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
> > > > > > > > > Most of them are maintained by me and I have running setups for testing this
> > > > > > > > > (except 1 package in Debian IIRC).
> > > > > > > >
> > > > > > > > If you have reasonable test coverage of the reverse deps, we can do that.
> > > > > > > >
> > > > > > > > But let's wait for a few more days to spot eventual regressions reported
> > > > > > > > in unstable first. Also, make sure to coordinate the release of the DLA with
> > > > > > > > the DSA, otherwise we end up with a situation where oldstable has a higher
> > > > > > > > version number than stable.
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > > Moritz
> > > > > > >
> > > > > > > I will wait another week with this. I'd like to get this solved before my
> > > > > > > VAC (6th Oct - 21st Oct).
> > > > > >
> > > > > > What's the status?
> > > > > >
> > > > > > Cheers,
> > > > > > Moritz
> > > > >
> > > > > I am still waiting for upstream to verify / confirm my patch. Ping dropped Monday this week.
> > > >
> > > > Any feedback?
> > >
> > > Did you get any feedback on it?
> >
> > No. However, this week I took some time and tested my patch more intensively. It throws PHP exceptions on certain code paths. Need to reinvestigate and update my patch... It's on my list, so stay tuned.
> >
> > Sorry for the long delay on my side.
>
> We originally had smarty3 as DSA candidate, for CVE-2018-16831 and CVE-2018-16832. But from my understanding of the discussion it is too risky to try to backport. Should we go ahead and mark it no-dsa for stretch?

Sorry for the late reply. Replying slipped off the radar.

Some months back, I have already spent 1-2-3 hours with backporting the fixing patch, but smarty3 is a fast moving target regarding code changes and backporting is not trivial. My backport introduced other issues (PHP errors IIRC). Neither have I ever received feedback nor input from upstream.

I will ask Raphael / Holger, if it is ok to revisit this on Debian LTS funding. The
Bug#908698: smarty3: CVE-2018-16831
Hi Moritz, Salvatore,

On Do 27 Dez 2018 21:44:33 CET, Salvatore Bonaccorso wrote:

> Hi Mike,
>
> On Thu, Nov 22, 2018 at 08:00:07PM +0100, Moritz Mühlenhoff wrote:
> > On Fri, Oct 26, 2018 at 04:46:39PM +, mike.gabr...@das-netzwerkteam.de wrote:
> > > Hi,
> > >
> > > On Friday, 26 October 2018, Moritz Mühlenhoff wrote:
> > > > On Tue, Sep 18, 2018 at 05:06:14PM +, Mike Gabriel wrote:
> > > > > Hi,
> > > > >
> > > > > On Mo 17 Sep 2018 23:20:33 CEST, Moritz Mühlenhoff wrote:
> > > > >
> > > > > > On Mon, Sep 17, 2018 at 09:07:38PM +, Mike Gabriel wrote:
> > > > > > > I have looked at the changes between 3.1.33 (just uploaded to unstable) and
> > > > > > > 3.1.31 (in stable). They are awful. Read the below...
> > > > > > >
> > > > > > > 15:42 < sunweaver> Hi all, I have just looked into
> > > > > > > https://security-tracker.debian.org/tracker/CVE-2018-16831
> > > > > > > 15:43 < sunweaver> even for stretch, it is pretty much impossible to
> > > > > > > backport the patch series (at least for patches, all containing tons of
> > > > > > > regexp with
> > > > > > > multitudes of slashes and backslashes).
> > > > > > > 15:43 < sunweaver> totally insane...
> > > > > > > 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
> > > > > > > be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
> > > > > > > upstream release to jessie/stretch.
> > > > > > > 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
> > > > > > > that.
> > > > > > > 15:46 < sunweaver> the 4 patches we needed at least are these...
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> > > > > > > 15:48 < sunweaver> and these four sit on top of this...
> > > > > > > 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> > > > > > > 15:48 < sunweaver> and 10+ other commits.
> > > > > > > 15:48 < sunweaver> all tackling the same code passage.
> > > > > > > 15:49 < sunweaver> @all: can we reach consensus that latest upstream release
> > > > > > > would be best for jessie LTS and stretch (OT here).
> > > > > > >
> > > > > > > The pile of patches is so awful, I strongly advise getting latest
> > > > > > > smarty-lexer and latest smarty3 from unstable into stable with thorough
> > > > > > > testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
> > > > > > > Most of them are maintained by me and I have running setups for testing this
> > > > > > > (except 1 package in Debian IIRC).
> > > > > >
> > > > > > If you have reasonable test coverage of the reverse deps, we can do that.
> > > > > >
> > > > > > But let's wait for a few more days to spot eventual regressions reported
> > > > > > in unstable first. Also, make sure to coordinate the release of the DLA with
> > > > > > the DSA, otherwise we end up with a situation where oldstable has a higher
> > > > > > version number than stable.
> > > > > >
> > > > > > Cheers,
> > > > > > Moritz
> > > > >
> > > > > I will wait another week with this. I'd like to get this solved before my
> > > > > VAC (6th Oct - 21st Oct).
> > > >
> > > > What's the status?
> > > >
> > > > Cheers,
> > > > Moritz
> > >
> > > I am still waiting for upstream to verify / confirm my patch. Ping dropped Monday this week.
> >
> > Any feedback?
>
> Did you get any feedback on it?

No. However, this week I took some time and tested my patch more intensively. It throws PHP exceptions on certain code paths. Need to reinvestigate and update my patch... It's on my list, so stay tuned.

Sorry for the long delay on my side.

Mike

-- 
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Bug#908698: smarty3: CVE-2018-16831
On Thu, Dec 27, 2018 at 09:44:33PM +0100, Salvatore Bonaccorso wrote:
> Hi Mike,
>
> On Thu, Nov 22, 2018 at 08:00:07PM +0100, Moritz Mühlenhoff wrote:
> > On Fri, Oct 26, 2018 at 04:46:39PM +, mike.gabr...@das-netzwerkteam.de wrote:
> > > Hi,
> > >
> > > On Friday, 26 October 2018, Moritz Mühlenhoff wrote:
> > > > On Tue, Sep 18, 2018 at 05:06:14PM +, Mike Gabriel wrote:
> > > > > Hi,
> > > > >
> > > > > On Mo 17 Sep 2018 23:20:33 CEST, Moritz Mühlenhoff wrote:
> > > > >
> > > > > > On Mon, Sep 17, 2018 at 09:07:38PM +, Mike Gabriel wrote:
> > > > > > > I have looked at the changes between 3.1.33 (just uploaded to unstable) and
> > > > > > > 3.1.31 (in stable). They are awful. Read the below...
> > > > > > >
> > > > > > > 15:42 < sunweaver> Hi all, I have just looked into
> > > > > > > https://security-tracker.debian.org/tracker/CVE-2018-16831
> > > > > > > 15:43 < sunweaver> even for stretch, it is pretty much impossible to
> > > > > > > backport the patch series (at least for patches, all containing tons of
> > > > > > > regexp with
> > > > > > > multitudes of slashes and backslashes).
> > > > > > > 15:43 < sunweaver> totally insane...
> > > > > > > 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
> > > > > > > be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
> > > > > > > upstream release to jessie/stretch.
> > > > > > > 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
> > > > > > > that.
> > > > > > > 15:46 < sunweaver> the 4 patches we needed at least are these...
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> > > > > > > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> > > > > > > 15:48 < sunweaver> and these four sit on top of this...
> > > > > > > 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> > > > > > > 15:48 < sunweaver> and 10+ other commits.
> > > > > > > 15:48 < sunweaver> all tackling the same code passage.
> > > > > > > 15:49 < sunweaver> @all: can we reach consensus that latest upstream release
> > > > > > > would be best for jessie LTS and stretch (OT here).
> > > > > > >
> > > > > > > The pile of patches is so awful, I strongly advise getting latest
> > > > > > > smarty-lexer and latest smarty3 from unstable into stable with thorough
> > > > > > > testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
> > > > > > > Most of them are maintained by me and I have running setups for testing this
> > > > > > > (except 1 package in Debian IIRC).
> > > > > >
> > > > > > If you have reasonable test coverage of the reverse deps, we can do that.
> > > > > >
> > > > > > But let's wait for a few more days to spot eventual regressions reported
> > > > > > in unstable first. Also, make sure to coordinate the release of the DLA with
> > > > > > the DSA, otherwise we end up with a situation where oldstable has a higher
> > > > > > version number than stable.
> > > > > >
> > > > > > Cheers,
> > > > > > Moritz
> > > > >
> > > > > I will wait another week with this. I'd like to get this solved before my
> > > > > VAC (6th Oct - 21st Oct).
> > > >
> > > > What's the status?
> > > >
> > > > Cheers,
> > > > Moritz
> > >
> > > I am still waiting for upstream to verify / confirm my patch. Ping dropped Monday this week.
> >
> > Any feedback?
>
> Did you get any feedback on it?

*ping*

Cheers,
Moritz
Bug#908698: smarty3: CVE-2018-16831
On Tue, Sep 18, 2018 at 05:06:14PM +, Mike Gabriel wrote:
> > But let's wait for a few more days to spot eventual regressions reported
> > in unstable first. Also, make sure to coordinate the release of the DLA with
> > the DSA, otherwise we end up with a situation where oldstable has a higher
> > version number than stable.
>
> I will wait another week with this. I'd like to get this solved before my
> VAC (6th Oct - 21st Oct).

Sounds good.

Cheers,
Moritz
Bug#908698: smarty3: CVE-2018-16831
Hi,

On Mo 17 Sep 2018 23:20:33 CEST, Moritz Mühlenhoff wrote:

> On Mon, Sep 17, 2018 at 09:07:38PM +, Mike Gabriel wrote:
> > I have looked at the changes between 3.1.33 (just uploaded to unstable) and
> > 3.1.31 (in stable). They are awful. Read the below...
> >
> > 15:42 < sunweaver> Hi all, I have just looked into
> > https://security-tracker.debian.org/tracker/CVE-2018-16831
> > 15:43 < sunweaver> even for stretch, it is pretty much impossible to
> > backport the patch series (at least for patches, all containing tons of
> > regexp with
> > multitudes of slashes and backslashes).
> > 15:43 < sunweaver> totally insane...
> > 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
> > be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
> > upstream release to jessie/stretch.
> > 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
> > that.
> > 15:46 < sunweaver> the 4 patches we needed at least are these...
> > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> > 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> > 15:48 < sunweaver> and these four sit on top of this...
> > 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> > 15:48 < sunweaver> and 10+ other commits.
> > 15:48 < sunweaver> all tackling the same code passage.
> > 15:49 < sunweaver> @all: can we reach consensus that latest upstream release
> > would be best for jessie LTS and stretch (OT here).
> >
> > The pile of patches is so awful, I strongly advise getting latest
> > smarty-lexer and latest smarty3 from unstable into stable with thorough
> > testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
> > Most of them are maintained by me and I have running setups for testing this
> > (except 1 package in Debian IIRC).
>
> If you have reasonable test coverage of the reverse deps, we can do that.
>
> But let's wait for a few more days to spot eventual regressions reported
> in unstable first. Also, make sure to coordinate the release of the DLA with
> the DSA, otherwise we end up with a situation where oldstable has a higher
> version number than stable.
>
> Cheers,
> Moritz

I will wait another week with this. I'd like to get this solved before my VAC (6th Oct - 21st Oct).

Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Bug#908698: smarty3: CVE-2018-16831
On Mon, Sep 17, 2018 at 09:07:38PM +, Mike Gabriel wrote:
> I have looked at the changes between 3.1.33 (just uploaded to unstable) and
> 3.1.31 (in stable). They are awful. Read the below...
>
> 15:42 < sunweaver> Hi all, I have just looked into
> https://security-tracker.debian.org/tracker/CVE-2018-16831
> 15:43 < sunweaver> even for stretch, it is pretty much impossible to
> backport the patch series (at least for patches, all containing tons of
> regexp with
> multitudes of slashes and backslashes).
> 15:43 < sunweaver> totally insane...
> 15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
> be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
> upstream release to jessie/stretch.
> 15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
> that.
> 15:46 < sunweaver> the 4 patches we needed at least are these...
> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
> 15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
> 15:48 < sunweaver> and these four sit on top of this...
> 15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
> 15:48 < sunweaver> and 10+ other commits.
> 15:48 < sunweaver> all tackling the same code passage.
> 15:49 < sunweaver> @all: can we reach consensus that latest upstream release
> would be best for jessie LTS and stretch (OT here).
>
> The pile of patches is so awful, I strongly advise getting latest
> smarty-lexer and latest smarty3 from unstable into stable with thorough
> testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...).
> Most of them are maintained by me and I have running setups for testing this
> (except 1 package in Debian IIRC).

If you have reasonable test coverage of the reverse deps, we can do that.

But let's wait for a few more days to spot eventual regressions reported in unstable first. Also, make sure to coordinate the release of the DLA with the DSA, otherwise we end up with a situation where oldstable has a higher version number than stable.

Cheers,
Moritz
Bug#908698: smarty3: CVE-2018-16831
(Re-sending, with security@d.o in Cc: now).

Hi Salvatore,

On Mi 12 Sep 2018 21:37:18 CEST, Salvatore Bonaccorso wrote:

> Source: smarty3
> Version: 3.1.32+20180424.1.ac9d4b58+selfpack1-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/smarty-php/smarty/issues/486
>
> Hi,
>
> The following vulnerability was published for smarty3.
>
> CVE-2018-16831[0]:
> | Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir
> | protection mechanism via a file:./../ substring in an include
> | statement.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-16831
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831
> [1] https://github.com/smarty-php/smarty/issues/486
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

I have looked at the changes between 3.1.33 (just uploaded to unstable) and 3.1.31 (in stable). They are awful. Read the below...

15:42 < sunweaver> Hi all, I have just looked into
https://security-tracker.debian.org/tracker/CVE-2018-16831
15:43 < sunweaver> even for stretch, it is pretty much impossible to
backport the patch series (at least for patches, all containing tons of
regexp with
multitudes of slashes and backslashes).
15:43 < sunweaver> totally insane...
15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
upstream release to jessie/stretch.
15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
that.
15:46 < sunweaver> the 4 patches we needed at least are these...
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
15:48 < sunweaver> and these four sit on top of this...
15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
15:48 < sunweaver> and 10+ other commits.
15:48 < sunweaver> all tackling the same code passage.
15:49 < sunweaver> @all: can we reach consensus that latest upstream release
would be best for jessie LTS and stretch (OT here).

The pile of patches is so awful, I strongly advise getting latest smarty-lexer and latest smarty3 from unstable into stable with thorough testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...). Most of them are maintained by me and I have running setups for testing this (except 1 package in Debian IIRC).

Comments? Feedback?

Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Bug#908698: smarty3: CVE-2018-16831
Hi again,

On Mi 12 Sep 2018 21:37:18 CEST, Salvatore Bonaccorso wrote:

> Source: smarty3
> Version: 3.1.32+20180424.1.ac9d4b58+selfpack1-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/smarty-php/smarty/issues/486
> ...

I just noticed, 3.1.31 is in stable... But alas, it doesn't change a thing...

Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Bug#908698: smarty3: CVE-2018-16831
Hi Salvatore,

On Mi 12 Sep 2018 21:37:18 CEST, Salvatore Bonaccorso wrote:

> Source: smarty3
> Version: 3.1.32+20180424.1.ac9d4b58+selfpack1-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/smarty-php/smarty/issues/486
>
> Hi,
>
> The following vulnerability was published for smarty3.
>
> CVE-2018-16831[0]:
> | Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir
> | protection mechanism via a file:./../ substring in an include
> | statement.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-16831
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831
> [1] https://github.com/smarty-php/smarty/issues/486
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

I have looked at the changes between 3.1.33 (just uploaded to unstable) and 3.1.32 (in stable). They are awful. Read the below...

15:42 < sunweaver> Hi all, I have just looked into
https://security-tracker.debian.org/tracker/CVE-2018-16831
15:43 < sunweaver> even for stretch, it is pretty much impossible to
backport the patch series (at least for patches, all containing tons of
regexp with
multitudes of slashes and backslashes).
15:43 < sunweaver> totally insane...
15:44 < sunweaver> in fact, my recommendation for jessie and stretch would
be (with my maintainer hat _and_ LTS team hats on at once): bring the latest
upstream release to jessie/stretch.
15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for
that.
15:46 < sunweaver> the 4 patches we needed at least are these...
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
15:48 < sunweaver> and these four sit on top of this...
15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
15:48 < sunweaver> and 10+ other commits.
15:48 < sunweaver> all tackling the same code passage.
15:49 < sunweaver> @all: can we reach consensus that latest upstream release
would be best for jessie LTS and stretch (OT here).

The pile of patches is so awful, I strongly advise getting latest smarty-lexer and latest smarty3 from unstable into stable with thorough testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...). Most of them are maintained by me and I have running setups for testing this (except 1 package in Debian IIRC).

Comments? Feedback?

Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Bug#908698: smarty3: CVE-2018-16831
Source: smarty3
Version: 3.1.32+20180424.1.ac9d4b58+selfpack1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/smarty-php/smarty/issues/486

Hi,

The following vulnerability was published for smarty3.

CVE-2018-16831[0]:
| Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir
| protection mechanism via a file:./../ substring in an include
| statement.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16831
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831
[1] https://github.com/smarty-php/smarty/issues/486

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
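The CVE text quoted in the bug report names the shape of the bypass (a "file:./../" resource name in an include) but not the check it defeats. The following Python is an added illustration of that bug class and is not Smarty's code: it places a string-based trusted-directory check next to one that resolves the path on disk before testing containment, and runs both over a constructed template tree. The "file:" prefix handling, the directory layout and the file names are assumptions made for the example.

```python
"""Trusted-directory containment, illustrating the bug class behind CVE-2018-16831.
Added example; not Smarty's implementation. Two checks are compared on the same
constructed template tree:

  naive_is_trusted()  reasons about the resource *string* and is bypassed by
                      "file:./../secret.tpl", the shape named in the CVE text;
  resolve_trusted()   resolves the path on disk first, so "./../", "../",
                      absolute names and symlinks out of the allowlisted
                      directory are all rejected.
"""
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path


def split_resource(resource: str) -> str:
    """Strip a Smarty-style 'type:' prefix. Only the 'file' type is modelled
    here (assumption for this example); a bare name is treated as 'file:'."""
    rtype, sep, name = resource.partition(":")
    if not sep:
        return resource
    if rtype != "file":
        raise ValueError(f"unsupported resource type {rtype!r}")
    return name


def naive_is_trusted(resource: str, trusted_dirs: list[str]) -> bool:
    """The flawed pattern: block the obvious escapes (absolute names, names that
    *start* with '../') and assume any other relative name stays below a
    trusted directory. './../secret.tpl' does not start with '../', so it is
    accepted, and the OS resolves the '..' when the file is opened."""
    name = split_resource(resource)
    if os.path.isabs(name) or name.startswith("../"):
        return False
    return any(os.path.isfile(os.path.join(d, name)) for d in trusted_dirs)


def resolve_trusted(resource: str, trusted_dirs: list[str]) -> Path | None:
    """The containment check: resolve the candidate (collapsing '.', '..' and
    symlinks) and require that the *resolved* path lies below the *resolved*
    trusted directory. Returns the path to load, or None if nothing qualifies."""
    name = split_resource(resource)
    for d in trusted_dirs:
        base = Path(d).resolve()
        target = (base / name).resolve()   # an absolute name replaces base, '..' climbs; both caught below
        try:
            target.relative_to(base)
        except ValueError:
            continue                        # escapes this trusted dir; try the next one
        if target.is_file():
            return target
    return None


def build_fixture() -> tuple[Path, Path]:
    """Constructed sample tree (not from the bug report):
         <root>/templates/page.tpl      trusted
         <root>/templates/sub/inc.tpl   trusted
         <root>/templates/escape.tpl    symlink -> <root>/secret.tpl
         <root>/secret.tpl              must never be reachable"""
    root = Path(tempfile.mkdtemp(prefix="trusted-dir-example-"))
    trusted = root / "templates"
    (trusted / "sub").mkdir(parents=True)
    (trusted / "page.tpl").write_text("{* constructed sample template *}\n")
    (trusted / "sub" / "inc.tpl").write_text("{* constructed sample include *}\n")
    (root / "secret.tpl").write_text("outside the trusted directory\n")
    try:
        (trusted / "escape.tpl").symlink_to(root / "secret.tpl")
    except OSError:
        pass  # platform without symlink support: that case is simply absent
    return root, trusted


def demo() -> dict[str, tuple[bool, bool]]:
    """Return {label: (naive_accepts, hardened_accepts)} for the interesting inputs."""
    root, trusted = build_fixture()
    dirs = [str(trusted)]
    cases = {
        "plain":       "file:page.tpl",
        "subdir":      "file:sub/inc.tpl",
        "dot-dot-dot": "file:./../secret.tpl",          # the CVE-2018-16831 shape
        "dot-dot":     "file:../secret.tpl",
        "absolute":    "file:" + str(root / "secret.tpl"),
        "symlink":     "file:escape.tpl",
    }
    try:
        return {label: (naive_is_trusted(r, dirs), resolve_trusted(r, dirs) is not None)
                for label, r in cases.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, (naive, hardened) in demo().items():
        print(f"{label:12s} naive={'ACCEPT' if naive else 'reject':6s} "
              f"hardened={'ACCEPT' if hardened else 'reject'}")
```

The point of the pairing is that the naive check answers a question about the string, while the property that matters is about the file the OS will open; any check that does not resolve the path before comparing it can be talked past by a segment the string check does not anticipate. Resolving also closes the symlink route, which no string check can see.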