Hi, since there was no reaction by the maintainer for 10 days I am going to upload a 0-day NMU now. The attached patch fixes the issue. It will be also archived on: http://people.debian.org/~nion/nmu-diff/smarty-2.6.18-1_2.6.18-1.1.patch
Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u smarty-2.6.18/debian/changelog smarty-2.6.18/debian/changelog
--- smarty-2.6.18/debian/changelog
+++ smarty-2.6.18/debian/changelog
@@ -1,3 +1,13 @@
+smarty (2.6.18-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * A null character in a search string
+ allows an attacker to call arbitrary php functions via
+ templates. Add patch to return the string after the null
+ in a string (CVE-2008-1066; Closes: #469492).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Sat, 15 Mar 2008 15:10:58 +0100
+
smarty (2.6.18-1) unstable; urgency=low
* New upstream release
only in patch2:
unchanged:
--- smarty-2.6.18.orig/libs/plugins/modifier.regex_replace.php
+++ smarty-2.6.18/libs/plugins/modifier.regex_replace.php
@@ -22,6 +22,8 @@
*/
function smarty_modifier_regex_replace($string, $search, $replace)
{
+ if (($pos = strpos($search,"\0")) !== false)
+ $search = substr($search,0,$pos);
if (preg_match('!([a-zA-Z\s]+)$!s', $search, $match) && (strpos($match[1], 'e') !== false)) {
/* remove eval-modifier from $search */
$search = substr($search, 0, -strlen($match[1])) . preg_replace('![e\s]+!', '', $match[1]);
pgpXYGg1Sjunf.pgp
Description: PGP signature

