Hi, In order to address these security issues in Smarty, I've prepared a NMU which I've uploaded to the DELAYED/10 queue. If you do not agree with it, you have 10 days to respond before it reaches unstable.
Looking at what upstream has done to address 504328, it seems that upstream versions .22 - .26 have all been iterations to fully address the problem, and do not make very significant other changes. Therefore my take on the best approach was to just package the 2.6.26 upstream release. Attached is a patch of the relevant changes. cheers, Thijs
diff -Nru smarty-2.6.22/debian/changelog smarty-2.6.26/debian/changelog --- smarty-2.6.22/debian/changelog 2009-10-24 12:50:52.000000000 +0200 +++ smarty-2.6.26/debian/changelog 2009-10-24 12:50:53.000000000 +0200 @@ -1,3 +1,14 @@ +smarty (2.6.26-0.1) unstable; urgency=low + + * Non-maintainer upload. + * New upstream release to address open security issues. + (CVE-2008-4810, CVE-2008-4811, CVE-2009-1669, + closes: #529810, #504328) + * Remove installation of smarty_icon.README and unit_test, + dropped upstream. + + -- Thijs Kinkhorst <[email protected]> Sat, 24 Oct 2009 12:40:12 +0200 + smarty (2.6.22-1) unstable; urgency=low * New upstream release diff -Nru smarty-2.6.22/debian/Makefile smarty-2.6.26/debian/Makefile --- smarty-2.6.22/debian/Makefile 2009-10-24 12:50:52.000000000 +0200 +++ smarty-2.6.26/debian/Makefile 2009-10-24 12:50:53.000000000 +0200 @@ -23,5 +23,3 @@ install -d $(DOCPATH) install -o www-data -m 644 $(TOPFILES) $(DOCPATH) cp -r demo $(DOCPATH) - cp misc/smarty_icon.README $(DOCPATH) - cp -r unit_test $(DOCPATH) diff -Nru smarty-2.6.22/libs/Config_File.class.php smarty-2.6.26/libs/Config_File.class.php --- smarty-2.6.22/libs/Config_File.class.php 2008-12-17 20:53:38.000000000 +0100 +++ smarty-2.6.26/libs/Config_File.class.php 2009-06-18 16:47:09.000000000 +0200 @@ -22,14 +22,14 @@ * [email protected] * * @link http://www.smarty.net/ - * @version 2.6.22 + * @version 2.6.26 * @copyright Copyright: 2001-2005 New Digital Group, Inc. * @author Andrei Zmievski <[email protected]> * @access public * @package Smarty */ -/* $Id: Config_File.class.php 2786 2008-09-18 21:04:38Z Uwe.Tews $ */ +/* $Id: Config_File.class.php 3149 2009-05-23 20:59:25Z monte.ohrt $ */ /** * Config file reading class diff -Nru smarty-2.6.22/libs/plugins/function.math.php smarty-2.6.26/libs/plugins/function.math.php --- smarty-2.6.22/libs/plugins/function.math.php 2008-12-17 20:52:59.000000000 +0100 +++ smarty-2.6.26/libs/plugins/function.math.php 2009-06-18 16:46:27.000000000 +0200 @@ -27,7 +27,8 @@ return; } - $equation = $params['equation']; + // strip out backticks, not necessary for math + $equation = str_replace('`','',$params['equation']); // make sure parenthesis are balanced if (substr_count($equation,"(") != substr_count($equation,")")) { diff -Nru smarty-2.6.22/libs/Smarty.class.php smarty-2.6.26/libs/Smarty.class.php --- smarty-2.6.22/libs/Smarty.class.php 2008-12-17 20:53:31.000000000 +0100 +++ smarty-2.6.26/libs/Smarty.class.php 2009-06-18 16:47:04.000000000 +0200 @@ -27,10 +27,10 @@ * @author Monte Ohrt <monte at ohrt dot com> * @author Andrei Zmievski <[email protected]> * @package Smarty - * @version 2.6.22 + * @version 2.6.26 */ -/* $Id: Smarty.class.php 2785 2008-09-18 21:04:12Z Uwe.Tews $ */ +/* $Id: Smarty.class.php 3163 2009-06-17 14:39:24Z monte.ohrt $ */ /** * DIR_SEP isn't used anymore, but third party apps might @@ -107,7 +107,7 @@ /** * When set, smarty does uses this value as error_reporting-level. * - * @var boolean + * @var integer */ var $error_reporting = null; @@ -236,7 +236,8 @@ 'INCLUDE_ANY' => false, 'PHP_TAGS' => false, 'MODIFIER_FUNCS' => array('count'), - 'ALLOW_CONSTANTS' => false + 'ALLOW_CONSTANTS' => false, + 'ALLOW_SUPER_GLOBALS' => true ); /** @@ -464,7 +465,7 @@ * * @var string */ - var $_version = '2.6.22'; + var $_version = '2.6.26'; /** * current template inclusion depth @@ -1548,7 +1549,7 @@ $params['source_content'] = $this->_read_file($_resource_name); } $params['resource_timestamp'] = filemtime($_resource_name); - $_return = is_file($_resource_name); + $_return = is_file($_resource_name) && is_readable($_resource_name); break; default: @@ -1711,7 +1712,7 @@ */ function _read_file($filename) { - if ( file_exists($filename) && ($fd = @fopen($filename, 'rb')) ) { + if ( file_exists($filename) && is_readable($filename) && ($fd = @fopen($filename, 'rb')) ) { $contents = ''; while (!feof($fd)) { $contents .= fread($fd, 8192); @@ -1950,7 +1951,7 @@ return $function; } } - + /*...@-*/ } diff -Nru smarty-2.6.22/libs/Smarty_Compiler.class.php smarty-2.6.26/libs/Smarty_Compiler.class.php --- smarty-2.6.22/libs/Smarty_Compiler.class.php 2008-12-17 20:53:47.000000000 +0100 +++ smarty-2.6.26/libs/Smarty_Compiler.class.php 2009-06-18 16:47:13.000000000 +0200 @@ -18,15 +18,15 @@ * License along with this library; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * - * @link http://www.smarty.net/ + * @link http://smarty.php.net/ * @author Monte Ohrt <monte at ohrt dot com> * @author Andrei Zmievski <[email protected]> - * @version 2.6.22 + * @version 2.6.26 * @copyright 2001-2005 New Digital Group, Inc. * @package Smarty */ -/* $Id: Smarty_Compiler.class.php 2966 2008-12-08 15:10:03Z monte.ohrt $ */ +/* $Id: Smarty_Compiler.class.php 3163 2009-06-17 14:39:24Z monte.ohrt $ */ /** * Template compiling class @@ -73,9 +73,6 @@ var $_strip_depth = 0; var $_additional_newline = "\n"; - - var $_phpversion = 0; - /*...@-*/ /** @@ -83,8 +80,6 @@ */ function Smarty_Compiler() { - $this->_phpversion = substr(phpversion(),0,1); - // matches double quoted strings: // "foobar" // "foo\"bar" @@ -157,20 +152,16 @@ // $foo->bar($foo->bar) // $foo->bar($foo->bar()) // $foo->bar($foo->bar($blah,$foo,44,"foo",$foo[0].bar)) - // $foo->getBar()->getFoo() - // $foo->getBar()->foo $this->_obj_ext_regexp = '\->(?:\$?' . $this->_dvar_guts_regexp . ')'; $this->_obj_restricted_param_regexp = '(?:' - . '(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')(?:' . $this->_obj_ext_regexp . '(?:\((?:(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')' - . '(?:\s*,\s*(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . '))*)?\))?)*)'; - - $this->_obj_single_param_regexp = '(?:\w+|' . $this->_obj_restricted_param_regexp . '(?:\s*,\s*(?:(?:\w+|' + . '(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')(?:' . $this->_obj_ext_regexp . '(?:\((?:(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . ')' + . '(?:\s*,\s*(?:' . $this->_var_regexp . '|' . $this->_num_const_regexp . '))*)?\))?)*)'; + $this->_obj_single_param_regexp = '(?:\w+|' . $this->_obj_restricted_param_regexp . '(?:\s*,\s*(?:(?:\w+|' . $this->_var_regexp . $this->_obj_restricted_param_regexp . ')))*)'; - - $this->_obj_params_regexp = '\((?:' . $this->_obj_single_param_regexp + $this->_obj_params_regexp = '\((?:' . $this->_obj_single_param_regexp . '(?:\s*,\s*' . $this->_obj_single_param_regexp . ')*)?\)'; - $this->_obj_start_regexp = '(?:' . $this->_dvar_regexp . '(?:' . $this->_obj_ext_regexp . ')+)'; - $this->_obj_call_regexp = '(?:' . $this->_obj_start_regexp . '(?:' . $this->_obj_params_regexp . ')?(?:' . $this->_dvar_math_regexp . '(?:' . $this->_num_const_regexp . '|' . $this->_dvar_math_var_regexp . ')*)?)'; + $this->_obj_start_regexp = '(?:' . $this->_dvar_regexp . '(?:' . $this->_obj_ext_regexp . ')+)'; + $this->_obj_call_regexp = '(?:' . $this->_obj_start_regexp . '(?:' . $this->_obj_params_regexp . ')?(?:' . $this->_dvar_math_regexp . '(?:' . $this->_num_const_regexp . '|' . $this->_dvar_math_var_regexp . ')*)?)'; // matches valid modifier syntax: // |foo @@ -1705,8 +1696,6 @@ } // replace double quoted literal string with single quotes $_return = preg_replace('~^"([\s\w]+)"$~',"'\\1'",$_return); - // escape dollar sign if not printing a var - $_return = preg_replace('~\$(\W)~',"\\\\\$\\1",$_return); return $_return; } @@ -1720,7 +1709,6 @@ function _parse_var($var_expr) { $_has_math = false; - $_has_php4_method_chaining = false; $_math_vars = preg_split('~('.$this->_dvar_math_regexp.'|'.$this->_qstr_regexp.')~', $var_expr, -1, PREG_SPLIT_DELIM_CAPTURE); if(count($_math_vars) > 1) { @@ -1833,10 +1821,6 @@ $_output .= '->{(($_var=$this->_tpl_vars[\''.substr($_index,3).'\']) && substr($_var,0,2)!=\'__\') ? $_var : $this->trigger_error("cannot access property \\"$_var\\"")}'; } } else { - if ($this->_phpversion < 5) { - $_has_php4_method_chaining = true; - $_output .= "; \$_foo = \$_foo"; - } $_output .= $_index; } } elseif (substr($_index, 0, 1) == '(') { @@ -1848,12 +1832,7 @@ } } - if ($_has_php4_method_chaining) { - $_tmp = str_replace("'","\'",'$_foo = '.$_output.'; return $_foo;'); - return "eval('".$_tmp."')"; - } else { - return $_output; - } + return $_output; } /** @@ -2068,27 +2047,57 @@ break; case 'get': - $compiled_ref = ($this->request_use_auto_globals) ? '$_GET' : "\$GLOBALS['HTTP_GET_VARS']"; + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } + $compiled_ref = "\$_GET"; break; case 'post': - $compiled_ref = ($this->request_use_auto_globals) ? '$_POST' : "\$GLOBALS['HTTP_POST_VARS']"; + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } + $compiled_ref = "\$_POST"; break; case 'cookies': - $compiled_ref = ($this->request_use_auto_globals) ? '$_COOKIE' : "\$GLOBALS['HTTP_COOKIE_VARS']"; + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } + $compiled_ref = "\$_COOKIE"; break; case 'env': - $compiled_ref = ($this->request_use_auto_globals) ? '$_ENV' : "\$GLOBALS['HTTP_ENV_VARS']"; + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } + $compiled_ref = "\$_ENV"; break; case 'server': - $compiled_ref = ($this->request_use_auto_globals) ? '$_SERVER' : "\$GLOBALS['HTTP_SERVER_VARS']"; + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } + $compiled_ref = "\$_SERVER"; break; case 'session': - $compiled_ref = ($this->request_use_auto_globals) ? '$_SESSION' : "\$GLOBALS['HTTP_SESSION_VARS']"; + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } + $compiled_ref = "\$_SESSION"; break; /* @@ -2096,8 +2105,13 @@ * compiler. */ case 'request': + if ($this->security && !$this->security_settings['ALLOW_SUPER_GLOBALS']) { + $this->_syntax_error("(secure mode) super global access not permitted", + E_USER_WARNING, __FILE__, __LINE__); + return; + } if ($this->request_use_auto_globals) { - $compiled_ref = '$_REQUEST'; + $compiled_ref = "\$_REQUEST"; break; } else { $this->_init_smarty_vars = true; Binary files /tmp/wicXw2f2aF/smarty-2.6.22/misc/smarty_icon.gif and /tmp/zuK0dXRHHH/smarty-2.6.26/misc/smarty_icon.gif differ diff -Nru smarty-2.6.22/misc/smarty_icon.README smarty-2.6.26/misc/smarty_icon.README --- smarty-2.6.22/misc/smarty_icon.README 2008-12-17 20:52:59.000000000 +0100 +++ smarty-2.6.26/misc/smarty_icon.README 1970-01-01 01:00:00.000000000 +0100 @@ -1,6 +0,0 @@ -Feel free to put the smarty icon on your site. -You can cut-and-paste the following code, be sure -to adjust the path to the image: - -<a href="http://smarty.php.net/"> -<img src="smarty_icon.gif" border="0" height="31" width="88" /></a> diff -Nru smarty-2.6.22/NEWS smarty-2.6.26/NEWS --- smarty-2.6.22/NEWS 2008-12-17 20:53:15.000000000 +0100 +++ smarty-2.6.26/NEWS 2009-06-18 16:46:45.000000000 +0200 @@ -1,3 +1,22 @@ +Version 2.6.26 (June 18th, 2009) +------------------------------- +- revert super global access changes, and instead rely on + USE_SUPER_GLOBALS for security + +Version 2.6.25 (May 19th, 2009) +------------------------------- +- fix E_NOTICE when sessions are disabled (mohrt) + +Version 2.6.24 (May 16th, 2009) +------------------------------- +- fix problem introduced with super global changes (mohrt) + +Version 2.6.23 (May 13th, 2009) +------------------------------- +- strip backticks from {math} equations (mohrt) +- make PHP super globals read-only from template (mohrt) +- throw error when template exists but not readable (mohrt) + Version 2.6.22 (Dec 17th, 2008) ------------------------------- diff -Nru smarty-2.6.22/README smarty-2.6.26/README --- smarty-2.6.22/README 2008-12-17 20:53:21.000000000 +0100 +++ smarty-2.6.26/README 2009-06-18 16:46:53.000000000 +0200 @@ -3,7 +3,7 @@ Smarty - the PHP compiling template engine -VERSION: 2.6.22 +VERSION: 2.6.26 AUTHORS:
signature.asc
Description: This is a digitally signed message part.

