Hi Salvatore,

On Wed 12 Sep 2018 21:37:18 CEST, Salvatore Bonaccorso wrote:

Source: smarty3
Version: 3.1.32+20180424.1.ac9d4b58+selfpack1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/smarty-php/smarty/issues/486

Hi,

The following vulnerability was published for smarty3.

CVE-2018-16831[0]:
| Smarty before 3.1.33-dev-4 allows attackers to bypass the trusted_dir
| protection mechanism via a file:./../ substring in an include
| statement.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16831
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16831
[1] https://github.com/smarty-php/smarty/issues/486

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

I have looked at the changes between 3.1.33 (just uploaded to unstable) and 3.1.32 (in stable). They are awful. Read the below...
15:42 < sunweaver> Hi all, I have just looked into https://security-tracker.debian.org/tracker/CVE-2018-16831
15:43 < sunweaver> even for stretch, it is pretty much impossible to backport the patch series (at least for patches, all containing tons of regexp with multitudes of slashes and backslashes).
15:43 < sunweaver> totally insane...
15:44 < sunweaver> in fact, my recommendation for jessie and stretch would be (with my maintainer hat _and_ LTS team hats on at once): bring the latest upstream release to jessie/stretch.
15:44 < sunweaver> In jessie, we need to upgrade smarty-lexer as well for that.
15:46 < sunweaver> the 4 patches we needed at least are these...
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/2e081a51b1effddb23f87952959139ac62654d50
15:47 < sunweaver> https://github.com/smarty-php/smarty/commit/c9dbe1d08c081912d02bd851d1d1b6388f6133d1
15:48 < sunweaver> and these four sit on top of this...
15:48 < sunweaver> https://github.com/smarty-php/smarty/commit/f7a53162058de410a35a9848e6d0795d7c252aaf
15:48 < sunweaver> and 10+ other commits.
15:48 < sunweaver> all tackling the same code passage.
15:49 < sunweaver> @all: can we reach consensus that latest upstream release would be best for jessie LTS and stretch (OT here).

The pile of patches is so awful, I strongly advise getting the latest smarty-lexer and the latest smarty3 from unstable into stable with thorough testing of dependent applications (gosa, FusionDirectory, slbackup-php, ...). Most of them are maintained by me and I have running setups for testing this (except 1 package in Debian IIRC).

Comments? Feedback?

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de