Version in base suite: 4.3.0-1+deb12u1

Base version: smarty4_4.3.0-1+deb12u1
Target version: smarty4_4.3.0-1+deb12u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/smarty4/smarty4_4.3.0-1+deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/smarty4/smarty4_4.3.0-1+deb12u2.dsc

 changelog                    |    6 +
 patches/CVE-2024-35226.patch |  148 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 3 files changed, 155 insertions(+)

diff -Nru smarty4-4.3.0/debian/changelog smarty4-4.3.0/debian/changelog
--- smarty4-4.3.0/debian/changelog	2023-07-06 04:04:52.000000000 +0000
+++ smarty4-4.3.0/debian/changelog	2024-12-10 19:04:55.000000000 +0000
@@ -1,3 +1,9 @@
+smarty4 (4.3.0-1+deb12u2) bookworm-security; urgency=medium
+
+  * CVE-2024-35226 (Closes: #1072529)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Tue, 10 Dec 2024 20:04:55 +0100
+
 smarty4 (4.3.0-1+deb12u1) bookworm; urgency=medium
 
   * debian/patches:
diff -Nru smarty4-4.3.0/debian/patches/CVE-2024-35226.patch smarty4-4.3.0/debian/patches/CVE-2024-35226.patch
--- smarty4-4.3.0/debian/patches/CVE-2024-35226.patch	1970-01-01 00:00:00.000000000 +0000
+++ smarty4-4.3.0/debian/patches/CVE-2024-35226.patch	2024-12-10 19:04:24.000000000 +0000
@@ -0,0 +1,148 @@
+From 76881c8d33d80648f70c9b0339f770f5f69a87a2 Mon Sep 17 00:00:00 2001
+From: Simon Wisselink <wisskid@users.noreply.github.com>
+Date: Tue, 28 May 2024 22:44:30 +0200
+Subject: [PATCH] Merge pull request from GHSA-4rmg-292m-wg3w
+
+* Fixed a code injection vulnerability in extends-tag
+
+* update tests for smarty v4
+---
+ changelog/GHSA-4rmg-292m-wg3w.md              |  1 +
+ .../smarty_internal_compile_extends.php       | 66 +------------------
+ .../smarty_internal_templatecompilerbase.php  | 24 +++++--
+ .../BockExtend/CompileBlockExtendsTest.php    | 36 +++++++++-
+ .../BockExtend/templates/escaping.tpl         |  1 +
+ .../BockExtend/templates/escaping2.tpl        |  1 +
+ .../BockExtend/templates/escaping3.tpl        |  1 +
+ .../TagTests/Include/CompileIncludeTest.php   | 12 ++++
+ .../templates/test_include_security.tpl       |  1 +
+ .../_Issues/419/ExtendsIssue419Test.php       |  7 ++
+
+diff --git a/libs/sysplugins/smarty_internal_compile_extends.php b/libs/sysplugins/smarty_internal_compile_extends.php
+index d72d2b76f..69a7b5521 100644
+--- a/libs/sysplugins/smarty_internal_compile_extends.php
++++ b/libs/sysplugins/smarty_internal_compile_extends.php
+@@ -30,7 +30,7 @@ class Smarty_Internal_Compile_Extends extends Smarty_Internal_Compile_Shared_Inh
+      *
+      * @var array
+      */
+-    public $optional_attributes = array('extends_resource');
++    public $optional_attributes = array();
+ 
+     /**
+      * Attribute definition: Overwrites base class.
+@@ -62,29 +62,7 @@ public function compile($args, Smarty_Internal_TemplateCompilerBase $compiler)
+         }
+         // add code to initialize inheritance
+         $this->registerInit($compiler, true);
+-        $file = trim($_attr[ 'file' ], '\'"');
+-        if (strlen($file) > 8 && substr($file, 0, 8) === 'extends:') {
+-            // generate code for each template
+-            $files = array_reverse(explode('|', substr($file, 8)));
+-            $i = 0;
+-            foreach ($files as $file) {
+-                if ($file[ 0 ] === '"') {
+-                    $file = trim($file, '".');
+-                } else {
+-                    $file = "'{$file}'";
+-                }
+-                $i++;
+-                if ($i === count($files) && isset($_attr[ 'extends_resource' ])) {
+-                    $this->compileEndChild($compiler);
+-                }
+-                $this->compileInclude($compiler, $file);
+-            }
+-            if (!isset($_attr[ 'extends_resource' ])) {
+-                $this->compileEndChild($compiler);
+-            }
+-        } else {
+-            $this->compileEndChild($compiler, $_attr[ 'file' ]);
+-        }
++        $this->compileEndChild($compiler, $_attr[ 'file' ]);
+         $compiler->has_code = false;
+         return '';
+     }
+@@ -115,44 +93,4 @@ private function compileEndChild(Smarty_Internal_TemplateCompilerBase $compiler,
+                 '') . ");\n?>"
+         );
+     }
+-
+-    /**
+-     * Add code for including subtemplate to end of template
+-     *
+-     * @param \Smarty_Internal_TemplateCompilerBase $compiler
+-     * @param string                                $template subtemplate name
+-     *
+-     * @throws \SmartyCompilerException
+-     * @throws \SmartyException
+-     */
+-    private function compileInclude(Smarty_Internal_TemplateCompilerBase $compiler, $template)
+-    {
+-        $compiler->parser->template_postfix[] = new Smarty_Internal_ParseTree_Tag(
+-            $compiler->parser,
+-            $compiler->compileTag(
+-                'include',
+-                array(
+-                    $template,
+-                    array('scope' => 'parent')
+-                )
+-            )
+-        );
+-    }
+-
+-    /**
+-     * Create source code for {extends} from source components array
+-     *
+-     * @param \Smarty_Internal_Template $template
+-     *
+-     * @return string
+-     */
+-    public static function extendsSourceArrayCode(Smarty_Internal_Template $template)
+-    {
+-        $resources = array();
+-        foreach ($template->source->components as $source) {
+-            $resources[] = $source->resource;
+-        }
+-        return $template->smarty->left_delimiter . 'extends file=\'extends:' . join('|', $resources) .
+-               '\' extends_resource=true' . $template->smarty->right_delimiter;
+-    }
+ }
+diff --git a/libs/sysplugins/smarty_internal_templatecompilerbase.php b/libs/sysplugins/smarty_internal_templatecompilerbase.php
+index f5d2c4389..8ff3e0521 100644
+--- a/libs/sysplugins/smarty_internal_templatecompilerbase.php
++++ b/libs/sysplugins/smarty_internal_templatecompilerbase.php
+@@ -455,15 +455,29 @@ public function compileTemplateSource(
+             $this->smarty->_current_file = $this->template->source->filepath;
+             // get template source
+             if (!empty($this->template->source->components)) {
+-                // we have array of inheritance templates by extends: resource
+-                // generate corresponding source code sequence
+-                $_content =
+-                    Smarty_Internal_Compile_Extends::extendsSourceArrayCode($this->template);
++				$_compiled_code = '<?php $_smarty_tpl->_loadInheritance(); $_smarty_tpl->inheritance->init($_smarty_tpl, true); ?>';
++
++				$i = 0;
++				$reversed_components = array_reverse($this->template->getSource()->components);
++				foreach ($reversed_components as $source) {
++					$i++;
++					if ($i === count($reversed_components)) {
++						$_compiled_code .= '<?php $_smarty_tpl->inheritance->endChild($_smarty_tpl); ?>';
++					}
++					$_compiled_code .= $this->compileTag(
++						'include',
++						[
++							var_export($source->resource, true),
++							['scope' => 'parent'],
++						]
++					);
++				}
++				$_compiled_code = $this->postFilter($_compiled_code, $this->template);
+             } else {
+                 // get template source
+                 $_content = $this->template->source->getContent();
++				$_compiled_code = $this->postFilter($this->doCompile($this->preFilter($_content), true));
+             }
+-            $_compiled_code = $this->postFilter($this->doCompile($this->preFilter($_content), true));
+             if (!empty($this->required_plugins[ 'compiled' ]) || !empty($this->required_plugins[ 'nocache' ])) {
+                 $_compiled_code = '<?php ' . $this->compileRequiredPlugins() . "?>\n" . $_compiled_code;
+             }
diff -Nru smarty4-4.3.0/debian/patches/series smarty4-4.3.0/debian/patches/series
--- smarty4-4.3.0/debian/patches/series	2023-07-06 04:00:13.000000000 +0000
+++ smarty4-4.3.0/debian/patches/series	2024-12-10 19:04:45.000000000 +0000
@@ -1 +1,2 @@
 CVE-2023-28447.patch
+CVE-2024-35226.patch