Hi,
since there was no reaction by the maintainer for 10 days I am going to 
upload a 0-day NMU now.
The attached patch fixes the issue.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/smarty-2.6.18-1_2.6.18-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u smarty-2.6.18/debian/changelog smarty-2.6.18/debian/changelog
--- smarty-2.6.18/debian/changelog
+++ smarty-2.6.18/debian/changelog
@@ -1,3 +1,13 @@
+smarty (2.6.18-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * A null character in a search string
+    allows an attacker to call arbitrary php functions via
+    templates. Add patch to return the string after the null
+    in a string (CVE-2008-1066; Closes: #469492).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Sat, 15 Mar 2008 15:10:58 +0100
+
 smarty (2.6.18-1) unstable; urgency=low
 
   * New upstream release
only in patch2:
unchanged:
--- smarty-2.6.18.orig/libs/plugins/modifier.regex_replace.php
+++ smarty-2.6.18/libs/plugins/modifier.regex_replace.php
@@ -22,6 +22,8 @@
  */
 function smarty_modifier_regex_replace($string, $search, $replace)
 {
+    if (($pos = strpos($search,"\0")) !== false)
+        $search = substr($search,0,$pos);
     if (preg_match('!([a-zA-Z\s]+)$!s', $search, $match) && (strpos($match[1], 'e') !== false)) {
         /* remove eval-modifier from $search */
         $search = substr($search, 0, -strlen($match[1])) . preg_replace('![e\s]+!', '', $match[1]);

Attachment: pgpXYGg1Sjunf.pgp
Description: PGP signature

Reply via email to