Version in base suite: 3.1.39-1 Base version: smarty3_3.1.39-1 Target version: smarty3_3.1.39-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/smarty3/smarty3_3.1.39-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/smarty3/smarty3_3.1.39-2+deb11u1.dsc changelog | 19 +++++ patches/CVE-2021-21408.patch | 40 +++++++++++ patches/CVE-2021-29454.patch | 88 ++++++++++++++++++++++++ patches/CVE-2022-29221.patch | 154 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 3 watch | 2 6 files changed, 305 insertions(+), 1 deletion(-) diff -Nru smarty3-3.1.39/debian/changelog smarty3-3.1.39/debian/changelog --- smarty3-3.1.39/debian/changelog 2021-02-23 10:41:59.000000000 +0000 +++ smarty3-3.1.39/debian/changelog 2022-05-28 21:55:24.000000000 +0000 @@ -1,3 +1,22 @@ +smarty3 (3.1.39-2+deb11u1) bullseye-security; urgency=high + + * Non-maintainer upload. + * Fix the following CVE: + - CVE-2021-21408: template authors could run restricted static php methods + - CVE-2021-29454: template authors could run arbitrary PHP code by crafting + a malicious math string + - CVE-2022-29221: template authors could inject php code by choosing a + malicious {block} name or {include} file name + + -- Markus Koschany Sat, 28 May 2022 23:55:24 +0200 + +smarty3 (3.1.39-2) unstable; urgency=medium + + * debian/watch: + + Fix Github watch URL. + + -- Mike Gabriel Thu, 29 Apr 2021 14:40:03 +0200 + smarty3 (3.1.39-1) unstable; urgency=medium * New upstream release. diff -Nru smarty3-3.1.39/debian/patches/CVE-2021-21408.patch smarty3-3.1.39/debian/patches/CVE-2021-21408.patch --- smarty3-3.1.39/debian/patches/CVE-2021-21408.patch 1970-01-01 00:00:00.000000000 +0000 +++ smarty3-3.1.39/debian/patches/CVE-2021-21408.patch 2022-05-28 21:55:24.000000000 +0000 
@@ -0,0 +1,40 @@ +From: Markus Koschany +Date: Sat, 28 May 2022 14:41:06 +0200 +Subject: CVE-2021-21408 + +Bug-Debian: https://bugs.debian.org/1010375 +Origin: https://github.com/smarty-php/smarty/commit/28519ca00fe6890ef2d464f8400a16188c4b6f36 +--- + lexer/smarty_internal_templateparser.y | 3 +++ + libs/sysplugins/smarty_internal_templateparser.php | 4 ++++ + 2 files changed, 7 insertions(+) + +diff --git a/lexer/smarty_internal_templateparser.y b/lexer/smarty_internal_templateparser.y +index c689064..8f81202 100644 +--- a/lexer/smarty_internal_templateparser.y ++++ b/lexer/smarty_internal_templateparser.y +@@ -758,6 +758,9 @@ value(res) ::= doublequoted_with_quotes(s). { + + + value(res) ::= varindexed(vi) DOUBLECOLON static_class_access(r). { ++ if ($this->security && $this->security->static_classes !== array()) { ++ $this->compiler->trigger_template_error('dynamic static class not allowed by security setting'); ++ } + $prefixVar = $this->compiler->getNewPrefixVariable(); + if (vi['var'] === '\'smarty\'') { + $this->compiler->appendPrefixCode("compiler->compileTag('private_special_variable',array(),vi['smarty_internal_index']).';?>'); +diff --git a/libs/sysplugins/smarty_internal_templateparser.php b/libs/sysplugins/smarty_internal_templateparser.php +index aaeae63..7c8735c 100644 +--- a/libs/sysplugins/smarty_internal_templateparser.php ++++ b/libs/sysplugins/smarty_internal_templateparser.php +@@ -2837,6 +2837,10 @@ class Smarty_Internal_Templateparser + // line 765 "../smarty/lexer/smarty_internal_templateparser.y" + public function yy_r95() + { ++ if ($this->security && $this->security->static_classes !== array()) { ++ $this->compiler->trigger_template_error('dynamic static class not allowed by security setting'); ++ } ++ + $prefixVar = $this->compiler->getNewPrefixVariable(); + if ($this->yystack[ $this->yyidx + -2 ]->minor[ 'var' ] === '\'smarty\'') { + $this->compiler->appendPrefixCode(" +Date: Sat, 28 May 2022 14:44:03 +0200 +Subject: CVE-2021-29454 + 
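Review bot: The new guard in `value(res) ::= varindexed(vi) DOUBLECOLON static_class_access(r)` and its generated twin `yy_r95()` has no comment explaining why `static_classes !== array()` is the trigger, and the condition reads inverted at first sight. If, as the Smarty security policy appears to define it, an empty `static_classes` array means "all static classes allowed", then the check refuses `$var::member` access whenever the policy restricts static classes at all; a comment such as `// a variable class name cannot be matched against the static_classes allow-list, so refuse it whenever that list is restrictive` above the `if` would record that. The same lines are patched by hand into the generated parser, so the two copies need to stay identical until the parser is regenerated from the `.y` file. Both bodies continue outside the hunk, and the patch carries no test for a template that uses a variable class name under a restrictive policy.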
+Bug-Debian: https://bugs.debian.org/1010375 +Origin: https://github.com/smarty-php/smarty/commit/7ad97ad030b4289711e30819c928b8bc33c62b23 +--- + libs/plugins/function.math.php | 32 +++++++++++++++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +diff --git a/libs/plugins/function.math.php b/libs/plugins/function.math.php +index 7348d96..5691829 100644 +--- a/libs/plugins/function.math.php ++++ b/libs/plugins/function.math.php +@@ -28,7 +28,12 @@ function smarty_function_math($params, $template) + 'int' => true, + 'abs' => true, + 'ceil' => true, ++ 'acos' => true, ++ 'acosh' => true, + 'cos' => true, ++ 'cosh' => true, ++ 'deg2rad' => true, ++ 'rad2deg' => true, + 'exp' => true, + 'floor' => true, + 'log' => true, +@@ -39,27 +44,51 @@ function smarty_function_math($params, $template) + 'pow' => true, + 'rand' => true, + 'round' => true, ++ 'asin' => true, ++ 'asinh' => true, + 'sin' => true, ++ 'sinh' => true, + 'sqrt' => true, + 'srand' => true, +- 'tan' => true ++ 'atan' => true, ++ 'atanh' => true, ++ 'tan' => true, ++ 'tanh' => true + ); ++ + // be sure equation parameter is present + if (empty($params[ 'equation' ])) { + trigger_error("math: missing equation parameter", E_USER_WARNING); + return; + } + $equation = $params[ 'equation' ]; ++ ++ // Remove whitespaces ++ $equation = preg_replace('/\s+/', '', $equation); ++ ++ // Adapted from https://www.php.net/manual/en/function.eval.php#107377 ++ $number = '(?:\d+(?:[,.]\d+)?|pi|π)'; // What is a number ++ $functionsOrVars = '((?:0x[a-fA-F0-9]+)|([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*))'; ++ $operators = '[+\/*\^%-]'; // Allowed math operators ++ $regexp = '/^(('.$number.'|'.$functionsOrVars.'|('.$functionsOrVars.'\s*\((?1)+\)|\((?1)+\)))(?:'.$operators.'(?2))?)+$/'; ++ ++ if (!preg_match($regexp, $equation)) { ++ trigger_error("math: illegal characters", E_USER_WARNING); ++ return; ++ } ++ + // make sure parenthesis are balanced + if (substr_count($equation, '(') !== 
substr_count($equation, ')')) { + trigger_error("math: unbalanced parenthesis", E_USER_WARNING); + return; + } ++ + // disallow backticks + if (strpos($equation, '`') !== false) { + trigger_error("math: backtick character not allowed in equation", E_USER_WARNING); + return; + } ++ + // also disallow dollar signs + if (strpos($equation, '$') !== false) { + trigger_error("math: dollar signs not allowed in equation", E_USER_WARNING); +@@ -96,6 +125,7 @@ function smarty_function_math($params, $template) + } + $smarty_math_result = null; + eval("\$smarty_math_result = " . $equation . ";"); ++ + if (empty($params[ 'format' ])) { + if (empty($params[ 'assign' ])) { + return $smarty_math_result; diff -Nru smarty3-3.1.39/debian/patches/CVE-2022-29221.patch smarty3-3.1.39/debian/patches/CVE-2022-29221.patch --- smarty3-3.1.39/debian/patches/CVE-2022-29221.patch 1970-01-01 00:00:00.000000000 +0000 +++ smarty3-3.1.39/debian/patches/CVE-2022-29221.patch 2022-05-28 21:55:24.000000000 +0000 
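Review bot: The validation regex added before the parenthesis check in `smarty_function_math()` accepts a comma only as a decimal separator inside `$number` and not in `$operators`, so as far as the pattern reads, a call such as `max(x,y)` or `max(1,2,3)` is now rejected with "math: illegal characters", although multi-argument functions are presumably still in the allowed list. For a stable security update that behaviour change should be decided deliberately: either document the restriction next to `$operators`, or admit the comma there, for example `$operators = '[,+\/*\^%-]'; // comma separates function arguments`, backed by tests for multi-argument calls. Conversely `1,5` passes as a number and, as far as the visible lines show, still reaches the `eval()` in the last inner hunk, where it is not valid PHP, so validator and evaluator disagree on decimals. A `false` return from `preg_match()` on a PCRE error is treated as a rejection by `!preg_match(...)`, which fails closed; the function body continues outside the hunk.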
@@ -0,0 +1,154 @@ +From: Markus Koschany +Date: Sat, 28 May 2022 14:46:05 +0200 +Subject: CVE-2022-29221 + +Bug-Debian: https://bugs.debian.org/1011757 +Origin: https://github.com/smarty-php/smarty/commit/3606c4717ed6348e114a610ff1e446048dcd0345 +--- + libs/sysplugins/smarty_internal_compile_block.php | 4 ++-- + libs/sysplugins/smarty_internal_compile_function.php | 8 ++++---- + libs/sysplugins/smarty_internal_compile_include.php | 4 ++-- + libs/sysplugins/smarty_internal_config_file_compiler.php | 10 ++++++---- + libs/sysplugins/smarty_internal_runtime_codeframe.php | 9 ++++++--- + libs/sysplugins/smarty_internal_templatecompilerbase.php | 4 ++++ + 6 files changed, 24 insertions(+), 15 deletions(-) + +diff --git a/libs/sysplugins/smarty_internal_compile_block.php b/libs/sysplugins/smarty_internal_compile_block.php +index 8ff15d8..cbaccd2 100644 +--- a/libs/sysplugins/smarty_internal_compile_block.php ++++ b/libs/sysplugins/smarty_internal_compile_block.php +@@ -125,7 +125,7 @@ class Smarty_Internal_Compile_Blockclose extends Smarty_Internal_Compile_Shared_ + // setup buffer for template function code + $compiler->parser->current_buffer = new Smarty_Internal_ParseTree_Template(); + $output = "cStyleComment(" {block {$_name}} ") . "\n"; + $output .= "class {$_className} extends Smarty_Internal_Block\n"; + $output .= "{\n"; + foreach ($_block as $property => $value) { +@@ -155,7 +155,7 @@ class Smarty_Internal_Compile_Blockclose extends Smarty_Internal_Compile_Shared_ + } + $output .= "}\n"; + $output .= "}\n"; +- $output .= "/* {/block {$_name}} */\n\n"; ++ $output .= $compiler->cStyleComment(" {/block {$_name}} ") . 
"\n\n"; + $output .= "?>\n"; + $compiler->parser->current_buffer->append_subtree( + $compiler->parser, +diff --git a/libs/sysplugins/smarty_internal_compile_function.php b/libs/sysplugins/smarty_internal_compile_function.php +index d0f2b0f..1b73a6b 100644 +--- a/libs/sysplugins/smarty_internal_compile_function.php ++++ b/libs/sysplugins/smarty_internal_compile_function.php +@@ -134,7 +134,7 @@ class Smarty_Internal_Compile_Functionclose extends Smarty_Internal_CompileBase + if ($compiler->template->compiled->has_nocache_code) { + $compiler->parent_compiler->tpl_function[ $_name ][ 'call_name_caching' ] = $_funcNameCaching; + $output = "cStyleComment(" {$_funcNameCaching} ") . "\n"; + $output .= "if (!function_exists('{$_funcNameCaching}')) {\n"; + $output .= "function {$_funcNameCaching} (Smarty_Internal_Template \$_smarty_tpl,\$params) {\n"; + $output .= "ob_start();\n"; +@@ -159,7 +159,7 @@ class Smarty_Internal_Compile_Functionclose extends Smarty_Internal_CompileBase + $output .= "/*/%%SmartyNocache:{$compiler->template->compiled->nocache_hash}%%*/\";\n?>"; + $output .= "template->compiled->nocache_hash}', \$_smarty_tpl->compiled->nocache_hash, ob_get_clean());\n"; + $output .= "}\n}\n"; +- $output .= "/*/ {$_funcName}_nocache */\n\n"; ++ $output .= $compiler->cStyleComment("/ {$_funcName}_nocache ") . "\n\n"; + $output .= "?>\n"; + $compiler->parser->current_buffer->append_subtree( + $compiler->parser, +@@ -179,7 +179,7 @@ class Smarty_Internal_Compile_Functionclose extends Smarty_Internal_CompileBase + } + $compiler->parent_compiler->tpl_function[ $_name ][ 'call_name' ] = $_funcName; + $output = "cStyleComment(" {$_funcName} ") . 
"\n"; + $output .= "if (!function_exists('{$_funcName}')) {\n"; + $output .= "function {$_funcName}(Smarty_Internal_Template \$_smarty_tpl,\$params) {\n"; + $output .= $_paramsCode; +@@ -196,7 +196,7 @@ class Smarty_Internal_Compile_Functionclose extends Smarty_Internal_CompileBase + ); + $compiler->parser->current_buffer->append_subtree($compiler->parser, $_functionCode); + $output = "cStyleComment("/ {$_funcName} ") . "\n\n"; + $output .= "?>\n"; + $compiler->parser->current_buffer->append_subtree( + $compiler->parser, +diff --git a/libs/sysplugins/smarty_internal_compile_include.php b/libs/sysplugins/smarty_internal_compile_include.php +index 716c91d..bf62461 100644 +--- a/libs/sysplugins/smarty_internal_compile_include.php ++++ b/libs/sysplugins/smarty_internal_compile_include.php +@@ -318,14 +318,14 @@ class Smarty_Internal_Compile_Include extends Smarty_Internal_CompileBase + } + // get compiled code + $compiled_code = "cStyleComment(" Start inline template \"{$sourceInfo}\" =============================") . "\n"; + $compiled_code .= "function {$tpl->compiled->unifunc} (Smarty_Internal_Template \$_smarty_tpl) {\n"; + $compiled_code .= "?>\n" . $tpl->compiler->compileTemplateSource($tpl, null, $compiler->parent_compiler); + $compiled_code .= "\n"; + $compiled_code .= $tpl->compiler->postFilter($tpl->compiler->blockOrFunctionCode); + $compiled_code .= "cStyleComment(" End inline template \"{$sourceInfo}\" =============================") . 
"\n"; + $compiled_code .= '?>'; + unset($tpl->compiler); + if ($tpl->compiled->has_nocache_code) { +diff --git a/libs/sysplugins/smarty_internal_config_file_compiler.php b/libs/sysplugins/smarty_internal_config_file_compiler.php +index 90c5dce..469b966 100644 +--- a/libs/sysplugins/smarty_internal_config_file_compiler.php ++++ b/libs/sysplugins/smarty_internal_config_file_compiler.php +@@ -157,10 +157,12 @@ class Smarty_Internal_Config_File_Compiler + $this->smarty->_debug->end_compile($this->template); + } + // template header code +- $template_header = +- "template->source->filepath}' */ ?>\n"; ++ $template_header = sprintf( ++ "\n", ++ Smarty::SMARTY_VERSION, ++ date("Y-m-d H:i:s"), ++ str_replace('*/', '* /' , $this->template->source->filepath) ++ ); + $code = 'smarty->ext->configLoad->_loadConfigVars($_smarty_tpl, ' . + var_export($this->config_data, true) . '); ?>'; + return $template_header . $this->template->smarty->ext->_codeFrame->create($this->template, $code); +diff --git a/libs/sysplugins/smarty_internal_runtime_codeframe.php b/libs/sysplugins/smarty_internal_runtime_codeframe.php +index 983ca61..4a7781c 100644 +--- a/libs/sysplugins/smarty_internal_runtime_codeframe.php ++++ b/libs/sysplugins/smarty_internal_runtime_codeframe.php +@@ -44,9 +44,12 @@ class Smarty_Internal_Runtime_CodeFrame + $properties[ 'file_dependency' ] = $_template->cached->file_dependency; + $properties[ 'cache_lifetime' ] = $_template->cache_lifetime; + } +- $output = "source->filepath) . "' */\n\n"; ++ $output = sprintf( ++ "source->filepath) ++ ); + $output .= "/* @var Smarty_Internal_Template \$_smarty_tpl */\n"; + $dec = "\$_smarty_tpl->_decodeProperties(\$_smarty_tpl, " . var_export($properties, true) . ',' . + ($cache ? 'true' : 'false') . 
')'; +diff --git a/libs/sysplugins/smarty_internal_templatecompilerbase.php b/libs/sysplugins/smarty_internal_templatecompilerbase.php +index 3cc957d..b4e270c 100644 +--- a/libs/sysplugins/smarty_internal_templatecompilerbase.php ++++ b/libs/sysplugins/smarty_internal_templatecompilerbase.php +@@ -1455,6 +1455,10 @@ abstract class Smarty_Internal_TemplateCompilerBase + */ + abstract protected function doCompile($_content, $isTemplateSource = false); + ++ public function cStyleComment($string) { ++ return '/*' . str_replace('*/', '* /' , $string) . '*/'; ++ } ++ + /** + * Compile Tag + * diff -Nru smarty3-3.1.39/debian/patches/series smarty3-3.1.39/debian/patches/series --- smarty3-3.1.39/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ smarty3-3.1.39/debian/patches/series 2022-05-28 21:55:24.000000000 +0000 @@ -0,0 +1,3 @@ +CVE-2021-21408.patch +CVE-2021-29454.patch +CVE-2022-29221.patch diff -Nru smarty3-3.1.39/debian/watch smarty3-3.1.39/debian/watch --- smarty3-3.1.39/debian/watch 2021-01-06 21:52:49.000000000 +0000 +++ smarty3-3.1.39/debian/watch 2022-05-28 21:55:24.000000000 +0000 @@ -1,3 +1,3 @@ version=4 opts=filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/smarty-$1.tar.gz/ \ -https://github.com/smarty-php/smarty/tags .*/archive/v?([\d\.]+).tar.gz +https://github.com/smarty-php/smarty/tags .*/archive/refs/tags/v?([\d\.]+).tar.gz
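Review bot: `cStyleComment()` in `Smarty_Internal_TemplateCompilerBase` is added as a public method without a docblock, next to documented neighbours, and the same `str_replace('*/', '* /', …)` is repeated inline in the config-file compiler and code-frame hunks rather than shared. A short docblock should state the contract: the string is returned wrapped in `/* … */` with every `*/` broken up, so that text taken from a template (block name, function name, file path) cannot close the comment and continue as PHP in the compiled file. The escaping covers the comment context only; in the unchanged context lines of `smarty_internal_compile_function.php`, `{$_funcName}` and `{$_funcNameCaching}` are still interpolated into `function_exists('…')` and the function declaration, so that path depends on the name being validated before this point, which the hunk does not show. Several of the class and method bodies touched here start or end outside the hunks.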