Version in base suite: 2.6.9-1
Version in overlay suite: 2.6.9-1sarge1
Base version: smarty_2.6.9-1
Target version: smarty_2.6.9-1sarge1
Base file: /org/ftp.debian.org/ftp/pool/main/s/smarty/smarty_2.6.9-1.dsc
Target file: /org/ftp.debian.org/ftp/pool/main/s/smarty/smarty_2.6.9-1sarge1.dsc
diff -u smarty-2.6.9/debian/changelog smarty-2.6.9/debian/changelog
--- smarty-2.6.9/debian/changelog
+++ smarty-2.6.9/debian/changelog
@@ -1,3 +1,12 @@
+smarty (2.6.9-1sarge1) oldstable-security; urgency=high
+
+ * Non-maintainer upload by the security team.
+ * A \0 character in a search string could be abused to
+ call arbitrary PHP functions via templates.
+ CVE-2008-1066, closes: #469492
+
+ -- Thijs Kinkhorst Sun, 16 Mar 2008 12:05:07 +0100
+
 smarty (2.6.9-1) unstable; urgency=high

 * New upstream release
only in patch2:
unchanged:
--- smarty-2.6.9.orig/libs/plugins/modifier.regex_replace.php
+++ smarty-2.6.9/libs/plugins/modifier.regex_replace.php
@@ -21,6 +21,8 @@
 */
 function smarty_modifier_regex_replace($string, $search, $replace)
 {
+ if (($pos = strpos($search,"\0")) !== false)
+ $search = substr($search,0,$pos);
 if (preg_match('!\W(\w+)$!s', $search, $match) && (strpos($match[1], 'e') !== false)) {
 /* remove eval-modifier from $search */
 $search = substr($search, 0, -strlen($match[1])) . str_replace('e', '', $match[1]);
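Review bot: The two added lines at the top of `smarty_modifier_regex_replace` are a security fix, but they carry no comment and use a brace-less `if` directly above another `if`, which makes the guard easy to misread or to break in a later edit. I would write it as `if (($pos = strpos($search, "\0")) !== false) {` / `$search = substr($search, 0, $pos);` / `}` and add a comment such as `/* drop everything from the first NUL byte before the eval-modifier check (CVE-2008-1066) */`. The guard also assumes `$search` is a string; the hunk does not show whether an array of patterns can reach this function, and if it can, each element needs the same truncation and modifier check. The function body continues past the end of the hunk, so how `$search` is used afterwards is not visible here.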