On Wed, 20 Mar 2013 19:38:05 +0000 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> 2.6.26-0.2+squeeze1 would be more conventional. > diff -Nru smarty-2.6.26/debian/source/format > smarty-2.6.26/debian/source/format > --- smarty-2.6.26/debian/source/format 1970-01-01 09:00:00.000000000 +0900 > +++ smarty-2.6.26/debian/source/format 2013-03-10 22:31:20.000000000 +0900 > @@ -0,0 +1 @@ > +3.0 (quilt) > > Definitely not in a stable update. Okay, then as below. I'll upload it today if it's okay. diff -u smarty-2.6.26/debian/changelog smarty-2.6.26/debian/changelog --- smarty-2.6.26/debian/changelog +++ smarty-2.6.26/debian/changelog @@ -1,3 +1,12 @@ +smarty (2.6.26-0.2+squeeze1) stable-proposed-updates; urgency=high + + * QA upload. + * add debian/patches/avoid_possible_script_execution_from_2.6.27.patch + - CVE-2012-4437: cherry picked from upstream, prevent XSS (Closes: #702710) + Thanks to Yoshinari Takaoka <mum...@mumumu.org> for the report. + + -- Hideki Yamane <henr...@debian.org> Mon, 11 Mar 2013 01:18:46 +0900 + smarty (2.6.26-0.2) unstable; urgency=low * QA upload: diff -u smarty-2.6.26/debian/rules smarty-2.6.26/debian/rules --- smarty-2.6.26/debian/rules +++ smarty-2.6.26/debian/rules @@ -9,6 +9,7 @@ dh_clean build: + patch -p1 < debian/patches/avoid_possible_script_execution_from_2.6.27.patch install: dh_testdir only in patch2: unchanged: --- smarty-2.6.26.orig/debian/patches/avoid_possible_script_execution_from_2.6.27.patch +++ smarty-2.6.26/debian/patches/avoid_possible_script_execution_from_2.6.27.patch 
@@ -0,0 +1,22 @@ +Description: avoid possible XSS + As Yoshinari Takaoka <mum...@mumumu.org> pointed out, upstream puts + a (possible) security fix in Smarty 2.6.27. + . + See upstream commit as https://code.google.com/p/smarty-php/source/detail?r=4660 + +--- +Origin: upstream +Last-Update: 2013-03-11 + +--- smarty-2.6.26.orig/libs/Smarty.class.php ++++ smarty-2.6.26/libs/Smarty.class.php +@@ -1090,7 +1090,8 @@ class Smarty + */ + function trigger_error($error_msg, $error_type = E_USER_WARNING) + { +- trigger_error("Smarty error: $error_msg", $error_type); ++ $msg = htmlentities($error_msg); ++ trigger_error("Smarty error: $msg", $error_type); + } + +
Archive: http://lists.debian.org/20130321084524.12f67ddba075eeb21c487...@debian.or.jp
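Review bot: the `+ patch -p1 < debian/patches/avoid_possible_script_execution_from_2.6.27.patch` line added at the top of the `build:` target in the debian/rules hunk has no matching reversal in the `clean` target (the hunk's leading context shows `clean` ending with `dh_clean`), so the modified `libs/Smarty.class.php` stays in the tree after `debian/rules clean`, a second `debian/rules build` in the same unpacked tree hits patch's "previously applied" prompt and fails in a non-interactive build, and the next `dpkg-source -b` would fold the change straight into the .diff.gz instead of keeping it under debian/patches. Suggest guarding the apply with a stamp file and adding `patch -R -p1 < debian/patches/avoid_possible_script_execution_from_2.6.27.patch` (or `rm`-ing the stamp and reversing) to `clean` before `dh_clean`, so the tree is restored to the .orig state.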
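Review bot: in the new debian/patches/avoid_possible_script_execution_from_2.6.27.patch the `+Origin: upstream` and `+Last-Update: 2013-03-11` fields sit below the `+---` separator, and DEP-3 ends the header block at the first `---` line, so patch-tracking tools will not read them as metadata; move them above the separator, and since the upstream revision is already cited in the description, `Origin: upstream, https://code.google.com/p/smarty-php/source/detail?r=4660` plus `Bug-Debian: http://bugs.debian.org/702710` would make the header self-contained. On the code change, `$msg = htmlentities($error_msg);` escapes at the point the error is raised rather than where it is rendered, so the entity-encoded text also lands in error logs and any site error handler that already escapes will double-encode; that is a reasonable trade-off for a minimal stable cherry-pick, but the Description should say why escaping here is needed (the message reaches HTML output through PHP's own error display when `html_errors`/`display_errors` are on), which currently has to be inferred from "avoid possible XSS".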