Hi,

In order to address these security issues in Smarty, I've prepared a NMU which 
I've uploaded to the DELAYED/10 queue. If you do not agree with it, you have 
10 days to respond before it reaches unstable.

Looking at what upstream has done to address 504328, it seems that upstream 
versions .22 - .26 have all been iterations to fully address the problem, and 
do not make very significant other changes. Therefore my take on the best 
approach was to just package the 2.6.26 upstream release. Attached is a patch 
of the relevant changes.

cheers,
Thijs
diff -Nru smarty-2.6.22/debian/changelog smarty-2.6.26/debian/changelog
--- smarty-2.6.22/debian/changelog	2009-10-24 12:50:52.000000000 +0200
+++ smarty-2.6.26/debian/changelog	2009-10-24 12:50:53.000000000 +0200
@@ -1,3 +1,14 @@
+smarty (2.6.26-0.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * New upstream release to address open security issues.
+    (CVE-2008-4810, CVE-2008-4811, CVE-2009-1669,
+    closes: #529810, #504328)
+  * Remove installation of smarty_icon.README and unit_test,
+    dropped upstream.
+
+ -- Thijs Kinkhorst <[email protected]>  Sat, 24 Oct 2009 12:40:12 +0200
+
 smarty (2.6.22-1) unstable; urgency=low
 
   * New upstream release
diff -Nru smarty-2.6.22/debian/Makefile smarty-2.6.26/debian/Makefile
--- smarty-2.6.22/debian/Makefile	2009-10-24 12:50:52.000000000 +0200
+++ smarty-2.6.26/debian/Makefile	2009-10-24 12:50:53.000000000 +0200
@@ -23,5 +23,3 @@
 	install -d $(DOCPATH)
 	install -o www-data -m 644 $(TOPFILES) $(DOCPATH)
 	cp -r demo $(DOCPATH)
-	cp misc/smarty_icon.README $(DOCPATH)
-	cp -r unit_test $(DOCPATH)
diff -Nru smarty-2.6.22/libs/Config_File.class.php smarty-2.6.26/libs/Config_File.class.php
--- smarty-2.6.22/libs/Config_File.class.php	2008-12-17 20:53:38.000000000 +0100
+++ smarty-2.6.26/libs/Config_File.class.php	2009-06-18 16:47:09.000000000 +0200
@@ -22,14 +22,14 @@
  * [email protected] 
  *
  * @link http://www.smarty.net/
- * @version 2.6.22
+ * @version 2.6.26
  * @copyright Copyright: 2001-2005 New Digital Group, Inc.
  * @author Andrei Zmievski <[email protected]>
  * @access public
  * @package Smarty
  */
 
-/* $Id: Config_File.class.php 2786 2008-09-18 21:04:38Z Uwe.Tews $ */
+/* $Id: Config_File.class.php 3149 2009-05-23 20:59:25Z monte.ohrt $ */
 
 /**
  * Config file reading class
diff -Nru smarty-2.6.22/libs/plugins/function.math.php smarty-2.6.26/libs/plugins/function.math.php
--- smarty-2.6.22/libs/plugins/function.math.php	2008-12-17 20:52:59.000000000 +0100
+++ smarty-2.6.26/libs/plugins/function.math.php	2009-06-18 16:46:27.000000000 +0200
@@ -27,7 +27,8 @@
         return;
     }
 
-    $equation = $params['equation'];
+    // strip out backticks, not necessary for math
+    $equation = str_replace('`','',$params['equation']);
 
     // make sure parenthesis are balanced
     if (substr_count($equation,"(") != substr_count($equation,")")) {
diff -Nru smarty-2.6.22/libs/Smarty.class.php smarty-2.6.26/libs/Smarty.class.php
--- smarty-2.6.22/libs/Smarty.class.php	2008-12-17 20:53:31.000000000 +0100
+++ smarty-2.6.26/libs/Smarty.class.php	2009-06-18 16:47:04.000000000 +0200
@@ -27,10 +27,10 @@
  * @author Monte Ohrt <monte at ohrt dot com>
  * @author Andrei Zmievski <[email protected]>
  * @package Smarty
- * @version 2.6.22
+ * @version 2.6.26
  */
 
-/* $Id: Smarty.class.php 2785 2008-09-18 21:04:12Z Uwe.Tews $ */
+/* $Id: Smarty.class.php 3163 2009-06-17 14:39:24Z monte.ohrt $ */
 
 /**
  * DIR_SEP isn't used anymore, but third party apps might
@@ -107,7 +107,7 @@
     /**
      * When set, smarty does uses this value as error_reporting-level.
      *
-     * @var boolean
+     * @var integer
      */
     var $error_reporting  =  null;
 
@@ -236,7 +236,8 @@
                                     'INCLUDE_ANY'     => false,
                                     'PHP_TAGS'        => false,
                                     'MODIFIER_FUNCS'  => array('count'),
-                                    'ALLOW_CONSTANTS'  => false
+                                    'ALLOW_CONSTANTS'  => false,
+                                    'ALLOW_SUPER_GLOBALS' => true
                                    );
 
     /**
@@ -464,7 +465,7 @@
      *
      * @var string
      */
-    var $_version              = '2.6.22';
+    var $_version              = '2.6.26';
 
     /**
      * current template inclusion depth
@@ -1548,7 +1549,7 @@
                         $params['source_content'] = $this->_read_file($_resource_name);
                     }
                     $params['resource_timestamp'] = filemtime($_resource_name);
-                    $_return = is_file($_resource_name);
+                    $_return = is_file($_resource_name) && is_readable($_resource_name);
                     break;
 
                 default:
@@ -1711,7 +1712,7 @@
      */
     function _read_file($filename)
     {
-        if ( file_exists($filename) && ($fd = @fopen($filename, 'rb')) ) {
+        if ( file_exists($filename) && is_readable($filename) && ($fd = @fopen($filename, 'rb')) ) {
             $contents = '';
             while (!feof($fd)) {
                 $contents .= fread($fd, 8192);
@@ -1950,7 +1951,7 @@
 			return $function;
 		}
 	}
-    
+  
     /*...@-*/
 
 }
diff -Nru smarty-2.6.22/libs/Smarty_Compiler.class.php smarty-2.6.26/libs/Smarty_Compiler.class.php
--- smarty-2.6.22/libs/Smarty_Compiler.class.php	2008-12-17 20:53:47.000000000 +0100
+++ smarty-2.6.26/libs/Smarty_Compiler.class.php	2009-06-18 16:47:13.000000000 +0200
@@ -18,15 +18,15 @@
  * License along with this library; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  *
- * @link http://www.smarty.net/
+ * @link http://smarty.php.net/
  * @author Monte Ohrt <monte at ohrt dot com>
  * @author Andrei Zmievski <[email protected]>
- * @version 2.6.22
+ * @version 2.6.26
  * @copyright 2001-2005 New Digital Group, Inc.
  * @package Smarty
  */
 
-/* $Id: Smarty_Compiler.class.php 2966 2008-12-08 15:10:03Z monte.ohrt $ */
+/* $Id: Smarty_Compiler.class.php 3163 2009-06-17 14:39:24Z monte.ohrt $ */
 
 /**
  * Template compiling class
@@ -73,9 +73,6 @@
 
     var $_strip_depth           =   0;
     var $_additional_newline    =   "\n";
-    
-    var $_phpversion            =   0;
-
 
     /*...@-*/
     /**
@@ -83,8 +80,6 @@
      */
     function Smarty_Compiler()
     {
-        $this->_phpversion = substr(phpversion(),0,1);
-
         // matches double quoted strings:
         // "foobar"
         // "foo\"bar"
@@ -157,20 +152,16 @@
         // $foo->bar($foo->bar)
         // $foo->bar($foo->bar())
         // $foo->bar($foo->bar($blah,$foo,44,"foo",$foo[0].bar))
-        // $foo->getBar()->getFoo()
-        // $foo->getBar()->foo
         $this->_obj_ext_regexp = '\->(?:\$?' . $this->_dvar_guts_regexp . ')';
         $this->_obj_restricted_param_regexp = '(?:'
-             . '(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')(?:' . $this->_obj_ext_regexp . '(?:\((?:(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')'
-             . '(?:\s*,\s*(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . '))*)?\))?)*)';
-
-       $this->_obj_single_param_regexp = '(?:\w+|' . $this->_obj_restricted_param_regexp . '(?:\s*,\s*(?:(?:\w+|'
+                . '(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')(?:' . $this->_obj_ext_regexp . '(?:\((?:(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')'
+                . '(?:\s*,\s*(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . '))*)?\))?)*)';
+        $this->_obj_single_param_regexp = '(?:\w+|' . $this->_obj_restricted_param_regexp . '(?:\s*,\s*(?:(?:\w+|'
                 . $this->_var_regexp . $this->_obj_restricted_param_regexp . ')))*)';
-
-       $this->_obj_params_regexp = '\((?:' . $this->_obj_single_param_regexp
+        $this->_obj_params_regexp = '\((?:' . $this->_obj_single_param_regexp
                 . '(?:\s*,\s*' . $this->_obj_single_param_regexp . ')*)?\)';
-       $this->_obj_start_regexp = '(?:' . $this->_dvar_regexp . '(?:' . $this->_obj_ext_regexp . ')+)';
-       $this->_obj_call_regexp = '(?:' . $this->_obj_start_regexp . '(?:' . $this->_obj_params_regexp . ')?(?:' . $this->_dvar_math_regexp . '(?:' . $this->_num_const_regexp . '|' . $this->_dvar_math_var_regexp . ')*)?)';
+        $this->_obj_start_regexp = '(?:' . $this->_dvar_regexp . '(?:' . $this->_obj_ext_regexp . ')+)';
+        $this->_obj_call_regexp = '(?:' . $this->_obj_start_regexp . '(?:' . $this->_obj_params_regexp . ')?(?:' . $this->_dvar_math_regexp . '(?:' . $this->_num_const_regexp . '|' . $this->_dvar_math_var_regexp . ')*)?)';
         
         // matches valid modifier syntax:
         // |foo
@@ -1705,8 +1696,6 @@
         }
         // replace double quoted literal string with single quotes
         $_return = preg_replace('~^"([\s\w]+)"$~',"'\\1'",$_return);
-        // escape dollar sign if not printing a var
-        $_return = preg_replace('~\$(\W)~',"\\\\\$\\1",$_return);
         return $_return;
     }
 
@@ -1720,7 +1709,6 @@
     function _parse_var($var_expr)
     {
         $_has_math = false;
-        $_has_php4_method_chaining = false;
         $_math_vars = preg_split('~('.$this->_dvar_math_regexp.'|'.$this->_qstr_regexp.')~', $var_expr, -1, PREG_SPLIT_DELIM_CAPTURE);
 
         if(count($_math_vars) > 1) {
@@ -1833,10 +1821,6 @@
                             $_output .= '->{(($_var=$this->_tpl_vars[\''.substr($_index,3).'\']) && substr($_var,0,2)!=\'__\') ? $_var : $this->trigger_error("cannot access property \\"$_var\\"")}';
                         }
                     } else {
-                       if ($this->_phpversion < 5) {
-                         $_has_php4_method_chaining = true;
-                         $_output .= "; \$_foo = \$_foo";
-                       }
                         $_output .= $_index;
                     }
                 } elseif (substr($_index, 0, 1) == '(') {
@@ -1848,12 +1832,7 @@
             }
         }
 
-        if ($_has_php4_method_chaining) {
-           $_tmp = str_replace("'","\'",'$_foo = '.$_output.'; return $_foo;');
-           return "eval('".$_tmp."')";
-        } else {
-           return $_output; 
-        }
+        return $_output;
     }
 
     /**
@@ -2068,27 +2047,57 @@
                 break;
 
             case 'get':
-                $compiled_ref = ($this->request_use_auto_globals) ? '$_GET' : "\$GLOBALS['HTTP_GET_VARS']";
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
+                $compiled_ref = "\$_GET";
                 break;
 
             case 'post':
-                $compiled_ref = ($this->request_use_auto_globals) ? '$_POST' : "\$GLOBALS['HTTP_POST_VARS']";
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
+                $compiled_ref = "\$_POST";
                 break;
 
             case 'cookies':
-                $compiled_ref = ($this->request_use_auto_globals) ? '$_COOKIE' : "\$GLOBALS['HTTP_COOKIE_VARS']";
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
+                $compiled_ref = "\$_COOKIE";
                 break;
 
             case 'env':
-                $compiled_ref = ($this->request_use_auto_globals) ? '$_ENV' : "\$GLOBALS['HTTP_ENV_VARS']";
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
+                $compiled_ref = "\$_ENV";
                 break;
 
             case 'server':
-                $compiled_ref = ($this->request_use_auto_globals) ? '$_SERVER' : "\$GLOBALS['HTTP_SERVER_VARS']";
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
+                $compiled_ref = "\$_SERVER";
                 break;
 
             case 'session':
-                $compiled_ref = ($this->request_use_auto_globals) ? '$_SESSION' : "\$GLOBALS['HTTP_SESSION_VARS']";
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
+                $compiled_ref = "\$_SESSION";
                 break;
 
             /*
@@ -2096,8 +2105,13 @@
              * compiler.
              */
             case 'request':
+                if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) {
+                    $this->_syntax_error("(secure mode) super global access not permitted",
+                                         E_USER_WARNING, __FILE__, __LINE__);
+                    return;
+                }
                 if ($this->request_use_auto_globals) {
-                    $compiled_ref = '$_REQUEST';
+                    $compiled_ref = "\$_REQUEST";
                     break;
                 } else {
                     $this->_init_smarty_vars = true;
Binary files /tmp/wicXw2f2aF/smarty-2.6.22/misc/smarty_icon.gif and /tmp/zuK0dXRHHH/smarty-2.6.26/misc/smarty_icon.gif differ
diff -Nru smarty-2.6.22/misc/smarty_icon.README smarty-2.6.26/misc/smarty_icon.README
--- smarty-2.6.22/misc/smarty_icon.README	2008-12-17 20:52:59.000000000 +0100
+++ smarty-2.6.26/misc/smarty_icon.README	1970-01-01 01:00:00.000000000 +0100
@@ -1,6 +0,0 @@
-Feel free to put the smarty icon on your site.
-You can cut-and-paste the following code, be sure
-to adjust the path to the image:
-
-<a href="http://smarty.php.net/";>
-<img src="smarty_icon.gif" border="0" height="31" width="88" /></a>
diff -Nru smarty-2.6.22/NEWS smarty-2.6.26/NEWS
--- smarty-2.6.22/NEWS	2008-12-17 20:53:15.000000000 +0100
+++ smarty-2.6.26/NEWS	2009-06-18 16:46:45.000000000 +0200
@@ -1,3 +1,22 @@
+Version 2.6.26 (June 18th, 2009)
+-------------------------------
+- revert super global access changes, and instead rely on
+  USE_SUPER_GLOBALS for security
+
+Version 2.6.25 (May 19th, 2009)
+-------------------------------
+- fix E_NOTICE when sessions are disabled (mohrt)
+
+Version 2.6.24 (May 16th, 2009)
+-------------------------------
+- fix problem introduced with super global changes (mohrt)
+
+Version 2.6.23 (May 13th, 2009)
+-------------------------------
+- strip backticks from {math} equations (mohrt)
+- make PHP super globals read-only from template (mohrt)
+- throw error when template exists but not readable (mohrt)
+
 Version 2.6.22 (Dec 17th, 2008)
 -------------------------------
 
diff -Nru smarty-2.6.22/README smarty-2.6.26/README
--- smarty-2.6.22/README	2008-12-17 20:53:21.000000000 +0100
+++ smarty-2.6.26/README	2009-06-18 16:46:53.000000000 +0200
@@ -3,7 +3,7 @@
 
     Smarty - the PHP compiling template engine
 
-VERSION: 2.6.22
+VERSION: 2.6.26
 
 AUTHORS:
     

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to